Strong and compliant vendor management programs are becoming an increasingly essential part of doing business in today’s complex and highly regulated financial world.
Several high profile data breaches in recent years should be reason enough for concern. Target, for example, last year reached a $67 million settlement to reimburse financial institutions for a 2013 breach affecting millions of credit and debit card customers, with the information apparently stolen by hackers from a third-party vendor used by Target. Financial institutions also face the potential risk of hefty fines and penalties from the Consumer Financial Protection Bureau and other federal agencies for noncompliance by their vendors.
In addition to the obvious regulatory concerns, Mick Kless, president and CEO of Regulatory Information Security Compliance Associates and the Compliance Education Institute, lists 10 reasons why financial institutions need to have compliant vendor management programs.
Conducting due diligence on potential vendors before entering into contracts is vital to establishing a compliant vendor management program, Kless said. An institution should carefully review the vendor’s reputation to determine if a vendor has had a history of breaches, customer complaints or other problems. It’s also important to identify in advance the service the vendor will provide, the types of data or resources the vendor will have access to, and the controls it has in place to minimize potential risk.
“All too often, I see a contract has been signed prior to due diligence having been conducted,” Kless said. “Not conducting due diligence before entering a contract with a vendor is not a wise business decision.”
Structuring contracts is an important part of a compliant vendor management program. According to the Federal Financial Institutions Examination Council website, “The contract is the single most important control in the outsourcing process.” Kless said contracts should be clearly written and spell out specific responsibilities of both the institution and the vendor. The contract also should define contractual penalties, including cause for termination should a vendor not meet its contractual commitments. When entering into significant contracts, he said, it’s a good idea to have legal counsel involved early on. In fact, the FFIEC expects it.
Kless said business resilience is another reason to have a strong vendor management program, and FFIEC Appendix J, released in February 2015, focuses on it. For the financial institution, business resilience means ensuring vendors have business continuity plans in place to minimize operational disruptions and financial loss in the event of cyberattacks, natural disasters or other unexpected scenarios. The vendor should have a feasible business continuity plan that identifies single points of failure, defines recovery time objectives and recovery point objectives, and defines various testing scenarios, including those for cyberattacks.
Proper contract structuring ensures all costs associated with a vendor’s products and services are clearly defined and can help reduce unexpected expenses, Kless said. Sometimes, vendor fees can vary based on the volume of the transactions, or the vendor may charge one-time or professional fees that weren’t anticipated. Other costs such as who is responsible for computer hardware or software upgrades or who bears the cost of legal fees should also be detailed in the contract. Kless said proper contract structuring could potentially save thousands of dollars over the lifetime of a contract.
Contract management is an important component of budget control. A vendor management program helps an institution track critical dates, including contract cancellation deadlines for auto-renew contracts. Kless said he has talked to hundreds of financial institutions that have missed important deadlines to cancel contracts in cases where they no longer wanted to do business with specific vendors. As a result, Kless said an institution may have to pay penalties or legal fees to extricate itself from an unwanted contract. “You don’t want to miss a cancellation deadline and get stuck in a contract because you forgot to give notice,” he said.
A vendor management program helps financial institutions evaluate and manage all of the potential risks associated with different vendors. Kless said institutions typically deal with many vendors, each with a varying degree of risk. Kless explained that some vendors may fall into relatively low-risk categories, such as routine groundskeeping or maintenance, while others that provide banking technology, financial services or IT services may pose a much greater risk. Having a compliant vendor management program in place helps an institution identify where it should put the bulk of its attention to better manage vendor risk, and also helps the institution better understand and explain potential risks to auditors and examiners, he said.
Another benefit of having a strong vendor management program is improved operational efficiency. By having a detailed program in place, the institution’s staff knows exactly which tasks the vendors are supposed to perform during all phases of the vendor management lifecycle, which helps eliminate duplication of effort. “It streamlines the process,” Kless said. “You get rid of activities that aren’t value-added.”
In addition to improved operational efficiency, a vendor management program can help eliminate redundant services where multiple vendors are providing the same service to different departments of the institution. Kless pointed to a case where one of his clients, a large community bank with multiple locations, had six vendors selling bottled water to the bank at different sites, which was costing about $300,000 a year. “By implementing a vendor management program, they were able to identify multiple services and consolidate to one vendor and save a lot of money,” he said. “Why have six contracts when you can have just one?”
Identifying the full scope of services offered by vendors can potentially provide institutions with a competitive advantage. “By conducting thorough due diligence and understanding the full scope of services they offer, you may be able to identify new value-creation opportunities, or leverage another service or product that the vendor offers to become more operationally cost efficient,” Kless said.
If there’s a security breach involving a vendor, or if there are a lot of customer complaints against a vendor, customers tend to blame the institution. Researching the history and reputation of vendors before entering into contracts, and then monitoring the vendors on an ongoing basis, as FFIEC guidelines and Section 501(b) of the Gramm-Leach-Bliley Act require, can help protect the institution’s reputation.
“You don’t want your customers to lose trust. If they lose trust in you, they will find somebody else,” Kless said. “By understanding who you do business with, and whether their controls are adequate and reputations are sound, it will help protect your own reputation.”