In the uncertain economy resulting from the COVID-19 pandemic, community banks continue to streamline operations, improve efficiency and eliminate waste so that they can survive — and thrive. To help in this process, they’re increasingly turning to outside vendors to provide specialized services beyond the bank’s usual offerings. If your bank uses third-party vendors, though, you need to be aware of the ins and outs.
Outsourcing to a third party doesn’t relieve a bank from responsibility and legal liability for compliance or consumer protection issues. And as banks and vendors increasingly rely on evolving technologies to deliver products and services, their exposure to ever-changing cybersecurity risks demands constant vigilance.
Even if you have a solid vendor risk management program in place, you’ll need to review it periodically. Banking regulators expect your program to be “risk-based” — that is, the level of oversight and controls should be commensurate with the level of risk an outsourcing activity entails. But here’s an important caveat: That risk can change over time. Some vendors, such as appraisal and loan collection companies, have traditionally been viewed as relatively low risk. But in today’s increasingly cloud-based world, any vendor with access to your IT network or sensitive nonpublic customer data poses a substantial risk.
Here are some ways to review your vendor risk management program:
Conduct a risk assessment. Determine whether outsourcing a particular activity is consistent with your strategic plan. Evaluate the benefits and risks of outsourcing that activity as well as the service provider risk. This assessment should be updated periodically.
Generally, examiners expect a bank’s vendor management policies to be appropriate in light of the institution’s size and complexity. They also expect more rigorous oversight of critical activities, such as payments, clearing, settlements, custody, IT or other activities that could have a significant impact on customers — or could cause significant harm to the bank if the vendor fails to perform.
Thoroughly vet your service providers. Review each provider’s business background, reputation and strategy, financial performance, operations, and internal controls. The depth and formality of due diligence depends on the risks associated with the outsourcing relationship and your familiarity with the vendor. If your agreement allows the provider to outsource some or all of its services to subcontractors, be sure that the provider has properly vetted each subcontractor. The same contractual provisions must apply to subcontractors, and the provider should be contractually accountable for the subcontractor’s services.
Diversify vendors. Using a single vendor may provide cost savings and simplify the oversight process, but diversification of vendors can significantly reduce your outsourcing risks, particularly if a vendor has an especially long disaster recovery timeframe.
Ensure contracts clearly define the parties’ rights and responsibilities. In addition to costs, deliverables, service levels, termination, dispute resolution and other terms of the outsourcing relationship, key provisions include compliance with applicable laws, regulations and regulatory guidance; information security; cybersecurity; ability to subcontract services; right to audit; establishment and monitoring of performance standards; confidentiality (in the case of access to sensitive information); ownership of intellectual property; insurance, indemnification and business continuity; and disaster recovery.
Review vendors’ disaster recovery and business continuity plans. Be sure that these plans align with your own and are reviewed at least annually, and that vendors have the ability to implement their plans if necessary.
Monitor vendor performance. Monitor vendors to ensure they’re delivering the expected quality and quantity of services and to assess their financial strength and security controls. It’s particularly important to closely monitor and control external network connections, given the potential cybersecurity risks.
Conduct independent reviews. Banking regulators recommend periodic independent reviews of your risk management processes to help you assess whether they align with the bank’s strategy and effectively manage risks posed by third-party relationships. The frequency of these reviews depends on the vendor’s risk-level assessment, and they may be conducted by the bank’s internal auditor or an independent third party. The results should be reported to the board of directors.
Having a robust vendor risk management program in place at your bank is the key to benefiting from vendors’ specialized skills and abilities while avoiding legal and regulatory problems. We can help you stay on top of the latest regulations and rules pertaining to third-party vendor use.