In 2008, regulators introduced a concept banks know as third-party or vendor risk (vendor risk). This concept came from lessons learned during the credit crisis and has come to encompass not only mortgage foreclosure activity conducted by third parties, but also consumer compliance and cyber risk. Today it includes all products, processes, systems and services supported by a vendor relationship.
These vendor relationships include outsourcing, using subcontractors, independent consultants, networking arrangements, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which the bank has an ongoing relationship or may have responsibility for the associated records, among others.
If your community bank has not yet seen pressure from regulators to get a handle on vendor risk, count yourself lucky, but get prepared because it is likely coming soon.
To get started: 1) compile a full inventory of your vendor relationships, separately identifying those that involve critical activities, have any subcontractors with foreign affiliation or provide services storing bank data and 2) rank each vendor relationship by risk level (low, medium, high or critical).
It is particularly crucial to take your vendor due diligence to a much deeper level to avoid regulatory issues. Doing so not only helps manage your bank's reputational risk, but also serves to better control operational, compliance, strategic and business continuity risks.
Expanding or refocusing your efforts around vendor due diligence to meet increased regulatory expectations involves specific requirements. Some may be more obvious than others and include: detailing how your bank selects, assesses and oversees third parties; being sure to conduct proper due diligence in selecting a vendor; monitoring the vendor's activities and performance on an ongoing basis; having a contingency plan for terminating the relationship in an effective manner if needed; and independently reviewing vendor relationships to ensure your bank's risks are well managed. This is not a complete list, but it should give an idea of the areas regulators are reviewing.
All of this should help your bank, but we are often asked about personal risk. This area is commonly assessed by regulators to see if bank staff "failed to perform adequate due diligence and ongoing monitoring of third-party relationships." Although this is a broad statement, it shows there is regulatory focus at a more personal level, so be aware and take action as needed.
To set yourself and your bank up for success, you can separate stronger vendors from weaker ones by asking them such questions as: have regulators issued any orders barring you or others at your firm from working in banking; have you or anyone at your firm had any licenses or registration suspended by any regulatory organization; have you or anyone at your firm been levied civil money penalties; and others. Then, ask yourself: does the firm offer this product or service to its own clients, and if so, how difficult would it be for them to offer it directly to my target customers; would my credit team extend a loan to this company or not? These answers should provide you with a good overall assessment of each vendor.
Of course, essential to any vendor vetting is a strong background check. It can include: screening for a criminal record; verifying past employment; verifying education, credentials or a license; OFAC checking; and other things.
The key thing to remember is that vendor risk is both your bank's responsibility and your responsibility individually, so be sure to take extra time to do it right. Follow all laws and regulations, hire an attorney or other expert as needed, and you are well on your way towards building a solid foundation.