Seven Steps to Strengthen Your Vendor Management Process


What’s one of the scariest things that keeps a bank CEO up at night? Two words: data breach.

The Federal Financial Institutions Examinations Council document on board and senior management responsibilities says:

“The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue.”

Target Corporation had 40 million credit card numbers exposed and eventually settled with Visa for $67 million. In 2014, we saw bigger companies in the headlines, such as Home Depot and Sony, fall victim to the same fate.

Target’s breach came through an HVAC vendor that had access to the retailer’s internal network. That means the bad guys only had to figure out how to get past the HVAC company’s security, not Target’s. This was a perfect example of how more robust vendor management practices could have prevented unauthorized access.

Think about all the people who need access to your building, systems, network, hardware, telephone lines, lighting, security, and so forth. How diligent are those other businesses about security?

If it’s time to ask your vendors for their annual SOC reports (reports that deal with organizational controls related to security and process integrity), insurance documents and financials, and you’re just checking boxes to satisfy an audit requirement, then you are doing it wrong.

Follow these seven steps to reinvent and strengthen your vendor management process.

Step 1: Obtain Executive Sponsorship
Vendor management should start at the top. You will need someone leading the charge and who has access to your bank’s board leaders.

Step 2: Create a Vendor Management Committee
These people should be from different departments and have different backgrounds, such as IT, legal, compliance, finance and senior leadership. Diversity here is crucial; everyone sees threats differently.

Step 3: Create a Centralized Vendor Management Program
No single person can possibly be responsible for the entire program. It’s imperative that it becomes a collaborative effort.

Step 4: Gain Buy-In
Involving the staff creates a sense of ownership. It’s no longer just IT’s problem; it’s everyone’s responsibility.

Step 5: Create a Vendor Inventory
Make sure you know who your vendors are. Do you have multiple vendors doing the same function? Work with accounts payable to determine which vendors are active. The normal look-back period for identifying active vendors is 12 to 24 months.

Step 6: Categorize All Vendors
Does this vendor have access to customer data? Do they have facilities access? What is our risk if this vendor is compromised? This is where you identify critical and high-risk vendors.

Step 7: Remove the Silo
Save the documents to a shared resource. Everyone involved should have access.

How Would These Steps Prevent the Target Scenario?
Step six says to categorize all vendors and identify the risk. The HVAC vendor seems like it would be a low-risk vendor, but when you dive into the level of access it had, you would quickly discover that the HVAC vendor should be a high-risk vendor. The HVAC vendor was allowed access to the internal network, which gave the hackers a way in. Although the HVAC vendor didn’t have access to the customer data, it did have the keys to open the door.

Avoiding Pitfalls in Your Bank’s Data Processing Agreement


A bank’s core processing agreement is often, by far, its most significant vendor agreement. These lengthy and complex agreements are commonly weighted heavily in favor of the vendor and can be rife with traps, such as steep change-in-control and early termination penalties. Nonetheless, many banks enter into core processing agreements without prior review by counsel, or even without reading the agreement themselves. In the current regulatory environment, which stresses and scrutinizes vendor risk management and diligence, a bank’s failure to review and negotiate its core processing agreement could easily result in regulatory criticism, as well as unanticipated costs and potential liability.

In the past few years, the bank regulatory agencies have issued new or updated guidance related to vendor diligence and risk management. In those issuances, the regulators express concern that banks’ vendor risk management practices may be inadequate, citing instances in which management has failed to properly assess and understand the risks and costs of their vendor relationships. Regulators are concerned that banks may enter into agreements that are detrimental to the bank’s employees, customers or other stakeholders. Banks are expected to have risk management processes that correspond with the level of risk and complexity of their vendor relationships. Those processes include due diligence, careful vendor selection, contract negotiation, proper termination mechanisms and ensuring proper oversight. Regulators further expect banks to have more comprehensive and rigorous oversight of management of third-party relationships that involve critical activities, which may include significant bank functions, such as payments, clearing, settlements and custody, or significant shared services, such as information technology.

Regulators conducting bank examinations expect to see adequate risk management policies and procedures in place. Proper due diligence, negotiation, and oversight for data processing contracts should be integral to those procedures. Contrary to what many may think, the terms of data processing agreements are negotiable. Some of the most unfavorable terms may be eliminated simply by emphasizing the regulatory or business necessity for those changes during negotiations. Key terms to address in the negotiation process include termination provisions, regulatory provisions, audit rights and performance standards, among others.

A less obvious concern with core processing agreements arises in the context of a bank merger or acquisition. Steep termination fees in a data processing contract can change the economics of a bank acquisition transaction, making the selling bank a less attractive target and negatively impacting shareholder returns on the sale. It is typical for the initial proposal of a data processing agreement to include contract termination fees equal to roughly 80 percent of the remaining fees payable during the term of the contract. In most cases, these termination fees are negotiable, and data processing providers may be receptive to a graduated termination fee schedule, such that termination fees are less severe later in the term of the contract. In addition, termination fee calculations in core processing agreements are often complex. As such, it will be important for bank management to understand the practical implications of those calculations. Data processing providers will often attempt to recoup any past credits or rebates through the termination fee formula. Understanding and negotiating these termination provisions on the front end can save millions of dollars for the acquiring bank, and ultimately increase returns for the bank’s shareholders.

If your bank is considering a new data processing vendor, or reaching the expiration of your current term and considering renewing with your old vendor, you should work through your regulatory vendor risk management and due diligence checklists before entering into a new contract. We further encourage you to identify a dedicated team, with access to bank counsel, to review and negotiate any proposed agreement. If your institution is considering a future sale or other business combination transaction, then negotiating your data processing contract is of paramount concern. Ultimately, an ignored termination provision in your core processing agreement has the potential to undermine a potential merger or materially impair shareholder returns.

Look Before You Leap: A Checklist for Successful Vendor Relationship Management


Banks of all sizes increasingly are finding that it can be tough to go it alone. Instead, they are forging relationships and hiring external vendors to manage routine operations. These relationships can deliver substantial expertise and provide efficiency while also creating additional responsibility and risk. To uphold quality customer service, protect an institution’s reputation and maximize satisfaction with a vendor’s performance, banks must thoughtfully establish a framework for overseeing service providers.

Look at the Big Picture
Before addressing the day-to-day management of vendors, banks first should examine their enterprise-wide process for engaging service providers. Large banks often have an entire department committed to this endeavor. Smaller banks, which might lack the resources to dedicate employees to the effort exclusively, should establish a policy to govern their use of vendors. This approach creates a clearly communicated process for all employees to follow, avoids unnecessary duplication of work and keeps critical considerations top-of-mind when new relationships are being solidified.

As part of any vendor management policy, banks should make certain that vendors are:

  • Financially sound
  • Capable of providing services that meet a bank’s specific needs
  • Bound by a contract negotiated with proper protection of the bank
  • Prepared to undergo regular performance reviews

Setting Up Relationships for Success
Vendors are hired to handle a wide variety of responsibilities—from software systems and customer communications oversight to regular account maintenance; however, the best practices for managing vendor relationships typically do not vary. Following are steps to create successful relationships with service providers.

  1. Establish accountability. It is important to assign ownership of each vendor relationship, asking the manager most actively involved with a vendor to oversee its work. Without a primary point of contact accountable for a vendor’s activities, the quality of service could slip and potentially tarnish the bank’s reputation or cause financial harm.
  2. Share objectives from the start. Before beginning to work with a vendor, banks should make their objectives clear. Some of this information is contractual, but what about expectations that are not spelled out in writing? A relationship with a vendor can be defined by levels of service, such as the exact timing of when reports will be received or how quickly emails will be returned. Failure to identify such expectations upfront could result in dissatisfaction with a vendor’s performance as well as wasted time and resources.
  3. Create a performance scorecard. Relationship managers should assess the performance and costs associated with a vendor on a consistent basis. Regularly scheduled conversations or reviews are a good way to keep vendors on track toward meeting objectives. These discussions, which could be held as infrequently as twice a year or as regularly as weekly for critical service providers, are opportunities to talk about concerns and share any changes at the bank that could affect the vendor.
  4. Measure and manage risk on an ongoing basis. Vendors should be monitored regularly to assess their stability. Organizational developments at a service provider, such as a vendor filing for bankruptcy or making major changes to its service offerings, could have substantial consequences for a bank. Banks should work to remain up to date on any information that would necessitate switching to a more reliable provider.
  5. Evaluate alternatives. The best time to consider switching service providers is long before a vendor’s contract matures. If a manager believes a bank could receive better service or could find a more cost-effective vendor, then it is a good idea to explore alternatives early.

Redefined Regulatory Rules
In addition to helping banks better serve customers and operate more efficiently, managing vendors effectively is important for another reason: Bank regulators have increased their focus on vendor oversight and view it as essential to banks’ risk and performance management. Banks that fail to follow through in this area could face heightened regulatory scrutiny or penalties.

Overall, banks likely will find that forging a successful alliance with a vendor is similar to building any other healthy relationship—it will take time and commitment to make the relationship work for the long term. Given recent trends, banks should make sure they—and their customers—are getting the best possible value from their service providers.