If you manage a financial institution, you’re all too familiar with regulation. Following the financial crisis and subsequent Great Recession, a number of government agencies – including the Office of the Comptroller of the Currency (OCC), the new Consumer Financial Protection Bureau (CFPB) and the Federal Deposit Insurance Corporation (FDIC) – have increased regulatory scrutiny of outsourced services, which the industry calls third-party relationships. The OCC broadly defines a third-party relationship as “any business arrangement between a bank and another entity, by contract or otherwise.”
Regulators expect financial institutions to adopt risk management processes that are in line with the level of risk and the complexity of their third-party relationships. They further expect institutions to have comprehensive risk management and oversight of third-party relationships involving critical activities. It is important that institutions correctly identify the relationships that involve critical activities and ensure that appropriate practices are in place to assess, monitor, and manage the risks.
Critical activities are those that affect significant functions (e.g., payments, clearing, settlements) or significant shared services (e.g., information technology and core processing), or other activities that could cause significant risk if the third party fails to provide services as expected.
To effectively implement third-party vendor risk management, it’s important to understand:
- Which services are defined as third-party vendors
- Which third-party vendors support critical activities
- The categories of third-party vendor risk
- How to determine which relationships have high risk
- How to streamline risk management for low-risk relationships
What is the definition of a third-party vendor?
As outlined by the OCC, third-party vendor relationships relate to outsourced products and services.
Example vendors include:
- Independent consultants
- Merchant payment processing services
- Joint ventures
- Affiliates and subsidiaries that provide services for the financial institution
- Networking arrangements
While this definition can have a broad scope, financial institutions should assume that any out-of-house business arrangement in which the vendor has access to the institution’s records and data belongs in the vendor risk management and oversight process.
It’s not one-size-fits-all
Financial institutions often take the same approach to risk management with all of their third-party vendors. This is problematic for three reasons: it doesn’t take into account the varied levels of risk each vendor poses, it costs more to perform in-depth risk management on low-risk vendors, and it fails to provide an accurate overview of the financial institution’s risk profile.
In the financial services industry, risk always has to be framed through the lens of data. How much client data can the vendor access? How much control does the vendor have over software and hardware? By identifying those third-party vendors that support critical activities and categorizing them based on risk – low, medium and high – you’ll be able to more effectively and efficiently invest the appropriate amount of time and resources when managing them.
- Low-risk vendors
Low-risk vendors have little to no access or control over client data. One example is the landscaping company a bank uses on weekends. This company in no way interacts with client data, so the risk is considered insignificant.
- Medium-risk vendors
Medium-risk vendors have a moderate level of access to or influence over sensitive materials. A vendor with direct control over client data can also fall into this tier if it can access only a small amount of information and has a sterling performance history. Conversely, vendors with a poor performance history or a recent data breach can still be classified as medium risk if they have limited access to sensitive information. An assessment is required to adequately determine each vendor’s risk level.
- High-risk vendors
High-risk vendors pose the biggest threat to financial institutions, and require the most in-depth risk management. As defined by the OCC, high-risk third-party vendors have a relationship involving a financial institution’s critical controls, such as payments, settlements or information technology. Third-party vendors with custody over clients’ funds are also high risk.
Be aware of vendors with:
- Access to sensitive data
- Broad scope of control or access
- Past history of data breaches
- Poor performance history
- Potential negative impact to customers
Working with high-risk vendors is a necessary and smart operational strategy, but proper management of them is vital, and not just to safeguard your bank’s financial performance. When engaging these vendors, your financial institution’s future growth, reputation, operations, credit, and compliance standing are on the line.
Right-size your risk management efforts
Applying the same risk management techniques to high-risk vendors and low-risk vendors is wasteful and expensive. Instead, financial institutions should prioritize their efforts. Once a hierarchy of vendors is established based on risk, the financial institution can right-size the application of resources, while ensuring compliance and maintaining effective risk management.
For instance, due diligence for low-risk third-party vendors could consist of vendor self-assessments and proof of adequate fidelity bond coverage and insurance. To properly manage high-risk third-party vendors, however, due diligence would include assessing the vendor’s financial condition (including audited financial statements), evaluating its legal and regulatory compliance program and, where available, reviewing Service Organization Control (SOC) reports prepared in accordance with the AICPA Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
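The tiering criteria described under “It’s not one-size-fits-all” and the tier-specific due diligence described here can be expressed as a small rule set. The following Python is an added illustration written for this page, not a tool from Clark Schaefer Hackett or any regulator: the vendor attributes, the three-point data-access scale (“none”, “limited”, “broad”), the sample vendors and the medium-tier checklist are all constructed assumptions; the low- and high-tier checklists follow the items named in the text.

```python
"""Rule-based third-party vendor tiering (constructed example, not an official tool)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Assumed three-point scale for how much client data the vendor can reach.
DATA_ACCESS_LEVELS = ("none", "limited", "broad")


@dataclass(frozen=True)
class Vendor:
    name: str
    supports_critical_activity: bool = False   # payments, clearing, settlement, core IT
    custody_of_client_funds: bool = False
    data_access: str = "none"                  # one of DATA_ACCESS_LEVELS
    broad_system_control: bool = False         # wide control over hardware or software
    prior_breach: bool = False
    poor_performance_history: bool = False


def classify(v: Vendor) -> Tier:
    """Assign a tier; rule order matters, the earliest matching rule wins."""
    if v.data_access not in DATA_ACCESS_LEVELS:
        raise ValueError(f"{v.name}: unknown data_access {v.data_access!r}")
    # Critical activities and custody of funds are high risk whatever the data access.
    if v.supports_critical_activity or v.custody_of_client_funds:
        return Tier.HIGH
    # Broad data access or broad control over systems is high risk on its own.
    if v.data_access == "broad" or v.broad_system_control:
        return Tier.HIGH
    # No access to client data at all (the landscaping company) is low risk.
    if v.data_access == "none":
        return Tier.LOW
    # Limited access stays medium even with a breach or poor performance on record.
    return Tier.MEDIUM


# Due-diligence items per tier. LOW and HIGH follow the article; MEDIUM is an assumption.
DUE_DILIGENCE = {
    Tier.LOW: ("vendor self-assessment",
               "proof of fidelity bond coverage",
               "proof of insurance"),
    Tier.MEDIUM: ("vendor self-assessment",
                  "proof of fidelity bond coverage",
                  "proof of insurance",
                  "documented risk assessment (assumed item)"),
    Tier.HIGH: ("financial condition review incl. audited financial statements",
                "evaluation of legal and regulatory compliance program",
                "review of SOC report (SSAE 16) if available"),
}


def assess(v: Vendor):
    """Return (tier, checklist); history issues add a follow-up item in any tier."""
    tier = classify(v)
    items = list(DUE_DILIGENCE[tier])
    if v.prior_breach or v.poor_performance_history:
        items.append("follow-up on prior breach or performance issues")
    return tier, items


def risk_profile(vendors):
    """Count vendors per tier, giving the overview the article says a flat approach lacks."""
    return {t.value: sum(1 for v in vendors if classify(v) is t) for t in Tier}


# Constructed sample portfolio.
SAMPLE_VENDORS = [
    Vendor("Greenway Landscaping"),
    Vendor("Acme Payment Processing", supports_critical_activity=True, data_access="broad"),
    Vendor("MailBlast Marketing", data_access="limited", prior_breach=True),
    Vendor("Hosted Core IT", data_access="broad", broad_system_control=True),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        tier, checklist = assess(vendor)
        print(f"{vendor.name}: {tier.value} -> {checklist}")
    print(risk_profile(SAMPLE_VENDORS))
```

The order of the rules is the point: a payment processor is high risk even if it touched no client data, and a limited-access marketing vendor with a past breach stays medium rather than dropping to low, which matches the text’s treatment of both cases.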
Prioritizing and right-sizing isn’t as straightforward as it seems, but there are assessment tools that can make this easier. Clark Schaefer Hackett has a skilled risk management team with extensive experience in this industry. Contact us today to learn more about the vendor risk management process.