PCBB
BID Daily Newsletter
July 16, 2019

Vendor Risk Management Refresher

Summary: The FDIC noted in April that it's seeing gaps in banks' vendor contracts. We provide you with some important reminders to stay compliant.
Sleep experts will tell you the best way to get a good night's rest is to keep the thermostat temperature between 60 and 67 degrees. That will avoid the sweating and sleep disruption that occur as your body heats up.
In another area that is heating up, this time in the banking industry, the FDIC noted in April that it's seeing gaps in banks' vendor contracts. These include but are not limited to agreements with IT vendors.
Banks use vendors for a variety of reasons that include insourcing on-demand specialized talent, reducing operating costs, and increasing product offerings. For these reasons and more, it seems that vendors are becoming increasingly important to community banks. This means vendor management is even more critical, as the number of vendors each bank must handle and manage continues to grow.
The mere fact of using vendors to handle things for your institution means you will also need to manage any risks that surface as a result. In fact, regulators indicate vendor management comprises all of the processes required to manage third-party vendors that deliver services and products to financial institutions. They indicate it is just fine to use vendors, and that doing so can be quite helpful in some cases. However, community banks should have a highly effective third-party vendor risk management program in place when doing so.
When you are considering vendors for a given process, one quick thing you might ask is whether you would make a loan to that company. If their financials do not hold up, you might want to keep searching - particularly if the function in question is critical in any way.
To begin, the outsourcing process should ensure the board of directors and senior management agree that the outsourcing of a particular function is consistent with the institution's strategic plans. It is also important to evaluate vendor proposals against specific bank criteria.
Management must also establish and approve appropriate risk assessments and risk-based policies for all third-party vendor or outsourcing processes. These risk assessments should be updated at proper intervals, consistent with the bank's vendor risk management program.
It is important to note that the degree of oversight and review your team needs to perform on each vendor's outsourced activities depends on the criticality of the products and services or the vendor's access to customer information. This oversight should also cover any vendor-specific risks.
Vendor management is an ongoing process, of course. So, even after the vendor is selected and set up, there needs to be reliable, ongoing monitoring throughout the relationship.
Like many projects, vendor management benefits from a lot of consideration on the front end. Is the vendor a single, local person or many people spread between multiple offices? Does the vendor have its own compliance-management processes? These and many more questions should be asked from the start.
While this may all be straightforward and obvious, with the increasing number of vendors that banks are relying on, it is more critical than ever to review. Hopefully, this refresher helps you to sleep well at night.