For the fourth consecutive year, local police in Vancouver, British Columbia used Twitter to share some of the worst excuses they encountered during traffic stops. The goal is to engage with the public in a lighthearted way, while simultaneously encouraging safer driving habits. One of this year's highlighted follies was the distracted driver who was caught red-handed, so to speak. He was steering with his knees while holding two cellphones, one in each hand. Another driver, who was clearly inebriated, asked to come back the next day when he would be sober, in order to retake his failed field sobriety test. Yet another motorist berated police for not stopping him earlier so he wouldn't have been driving so fast.
It seems there's no shortage of excuses when it comes to bad driving behaviors, but even braying like a goat (which one rogue driver tried) isn't enough to escape punishment. Likewise, financial regulators aren't likely to be forgiving of excuses when evaluating your bank's vendor management practices--an ongoing area of regulatory scrutiny.
In 2014 the OCC issued vendor management guidelines, followed by the FFIEC in 2015. As a result, the time has come for community banks to put their vendor management efforts to the test in regulatory audits. Here are some pointers to help you.
For starters, not all vendors are created equal. While you have to perform due diligence on all vendors, it's a sound practice to divide them into a few buckets based on the level of analysis required.
The first bucket should consist of critical vendors. These are vendors that could cause significant risk to the bank by failing to meet expectations. Critical vendors also could have substantial effects on customers or have a major impact on bank operations. This group requires the greatest level of analysis because the impact can be so large.
Next, once you separate critical vendors from the pack, identify those vendors who work with sensitive or confidential data. This group needs to have enough capital to remain a going concern, and strong enough risk management practices and controls to make you comfortable. Regulatory scrutiny has increased here, so if you don't know who these vendors are or haven't done this yet, do it quickly and thoroughly to identify weak players.
The third bucket consists of vendors that are more general in nature and don't fall into the other categories. These should have a lower risk profile overall, so analysis of this group can be much higher level and faster in most cases.
To start your evaluation of vendors in the most critical buckets, it makes sense to create a basic evaluation checklist. This list should include items such as a business impact analysis, insurance verification, clear service level agreements and a signed contract. You'll also need to designate a bank employee to serve as the vendor relationship manager. For your general bucket of vendors, following the evaluation checklist will probably also be enough to satisfy regulators.
For vendors who work with sensitive or confidential data and those that are critical, you will need to go further. Here it can make sense to analyze whether they are maintaining proper E&O and cybersecurity insurance, obtain proof of regular third-party audits, review financial statements, inquire into compliance history and establish ongoing relationship monitoring.
Far too often banks don't have a complete, up-to-date inventory of current contracts, meaning many don't have a good handle on contract terms and conditions. Getting these records in order is a must so you can be confident contracts meet current regulatory, accounting and business requirements.
Speeding through the process of vendor management is a sure-fire regulatory trap, so avoid a ticket and take the time to do it right. That way you won't need to invent a cockamamie excuse when regulators pull you over.