BID Daily Newsletter
October 28, 2015

BID Daily Newsletter

October 28, 2015

Mutualism In Vendors & Risk Management

According to Wikipedia, mutualism is the way two organisms of different species co-exist in a relationship in which each individual benefits from the activity of the other. There are many instances of this occurring in nature and one of the most obvious is the honeybee and the flower. Another example is the impala and the oxpecker birds that eat the flies and bugs that try to feast on it. Yet another is the relationship between yucca moths that pollinate yucca plants, while gaining a source of food for their larvae.
In banking, mutualism also exists, particularly when it comes to third-party vendors. Community banks by definition usually run fairly tight on staffing levels, so outsourcing is common. These days, it makes sense to explore such alternatives, particularly if the service needed isn't core to the business. After all, it makes more sense to have key staff focus on the customer vs. running reports. Focusing on the highest and best use of staff is more critical now than ever, so maybe it is time to look around and see what you can outsource (particularly if you never liked doing the thing to begin with).
So how do you begin such a process? Start by reviewing the regulatory guidance on vendor risk management. It outlines many things a bank should do when considering outsourcing things to vendors and gives you a good foundation.
Next, understand where the regulators are coming from around vendor risk management. To begin, regulators have no problem when banks outsource, particularly when expertise or staffing is lacking, but that does not transfer responsibility so you have to be smart about it. Regulators still want banks to identify, monitor, manage and control risk in these relationships so understand what areas of the bank they touch and whether or not that is necessary. Start with BSA and customer privacy pieces and strip them out of the outsourced process entirely if you can.
A third thing to do here is to take a close look at the vendor. Banker buddies may have used someone for years and that is good, but you should still do a thorough assessment of the vendor's capability and financial backing before jumping in. One easy way to do this from 80,000 feet is to ask your lending team to look at the vendor's financials and answer the question--would you make a loan to them? If not, you probably already have your answer and should move on.
Another must-do is to clearly inform the Board what you are doing when using vendors. Here the FDIC even states that the "board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution." While outsourcing benefits definitely outweigh the risks in most instances, clear reporting all the way to the top is needed.
Finally, once you have a comprehensive list of your vendor relationships compiled, go into the conference room with your management team at least 1x per year and discuss it in detail. Decide which ones are helping you the most, which ones may not be financially viable and which carry the greatest risk for your bank. Then assign someone to work on tightening up the number of third-parties you work with and reducing your exposures.
Community banks rarely have the internal resources to dedicate someone solely to managing multiple vendors, so identifying the riskiest ones first and updating your due diligence package can move you well down the road.
Not every vendor will treat mutualism the same way as your bank wants to be treated, so finding the right fit is critical to your success. After all, the closer you can get to a perfect match, the better off your bank will be.