PCBB Banc Investment Daily March 10, 2016

Holes To Fill In Vendor Risk Management

Swiss is the holiest of cheeses, but few people outside of cheese inspectors really know how the gaps get there in the first place. It certainly isn't from hungry mice, so put that one to rest. No, it is caused instead by carbon dioxide given off by bacteria in the cheese's milk. More specifically, Swiss scientists have now decided that tiny bits of hay were causing the holes.
We were thinking of holes as we contemplated community banker reaction to the various directives from regulators about managing vendor risks. Regulators have all updated their guidance on third-party risks in the last 3 years, and as examiners hit the ground and observe banks' procedures, things are getting tougher. This makes sense when you consider that one key driver has been data breaches at vendors and other non-regulated third parties that have led to increased exposures for regulated banks.
The OCC, for example, has said "A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise." If any of those entities have flaws in their own systems, bankers must be ready, but unfortunately that's a lot of holes to keep track of.
To begin, bankers should conduct a risk assessment of each vendor. The assessment should look at what sort of risk the vendor poses for the bank and any potential impact.
Next, it is critical to take a close look at and document the vendor's capabilities and financial standing. One of the easiest ways to evaluate a vendor is to determine whether your loan team would offer them a loan. Conduct a thorough financial analysis and have the lending team answer under what terms and conditions they would lend this company money. The thornier this gets, the more the bank will need to be protected and the less risky the vendor's tasks should be (including even eliminating the relationship if needed).
Third, take a close look at the contracts and be prepared to make changes to them. Your bank needs to minimize its risk when a vendor does not perform, and you should have a detailed explanation of what you do and do not get under each contract. Taking the time to clearly spell out terms and conditions, along with rights and remedies, is critical.
Fourth, you are never truly done when it comes to vendor management, as it is an ongoing process. Understand contract maturity dates and at least annually update the financial condition of key vendors to make sure you are dealing with solid counterparties, not just at origination but on an ongoing basis.
Another key area to monitor closely relates to consumer or other sensitive information. Here, take the approach of the CIA and the military: determine who needs to know the information and give it only to those individuals. Take additional steps to protect such information, and make sure your contracts require vendors to notify you and destroy such information if and when it is received in error.
Finally, you will need to track all of this. Many community banks use Excel and that is fine for the most part, but be sure the information collected and tracked on all key vendors does what it is supposed to do and is updated as needed.
Know that regulatory guidance makes clear that risk assessment is an ongoing task, not a one-time-only occurrence. A robust vendor-management process should help properly assess the risk of any vendor of any size and do so throughout the relationship lifecycle.
You don't have to get crazy when doing vendor management, but the regulations do require you to make sure the process isn't full of holes, so be sure to inspect it now and again.