Vendor Management
Vendor Matchmaking
1. Determining the bank's needs and wants.
2. Searching for a vendor to fill that need or want.
3. Request for Proposals
4. Selecting Vendor
5. Contract Negotiations
6. Implementation
7. Monitor performance
8. Review Relationship
9. Renew/Terminate
Lifecycle
https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
Vendor Management
Starts at the beginning, when you are determining your needs and wants. Compliance needs to be involved from the get-go. Due diligence begins with a clear understanding of what you need, what you want, and the compliance risk associated with those endeavors.
Control
Whenever you engage a third party to service your clients, your bank loses some control of the client relationship. Third-party providers may introduce new risks or increase existing risks. It is critical that you ensure all third parties comply with all applicable laws and regulations.
Risky Business
- Overreliance on the vendor
- Lack of understanding of what the vendor does
- Failure to monitor
- Unclear expectations
Operational Risks
Third-party relationships increase operational risk because the bank may not have direct control of the activity being performed by the third party. Third-party relationships that result in concentrations can increase operational risk.
Compliance Risks
Compliance risk arises when third-party systems, products or services are not consistent with laws, regulations, or bank policies and procedures. These risks increase if the bank's oversight program does not include audit or control features.
Reputation Risk
Reputation risk arises when third-party systems do not meet the expectations of the bank's customers. These risks increase when the bank is offering products and services actually originated by third parties as its own.
Strategic Risks
Strategic risk arises if the bank uses third parties to conduct banking functions or offer products and services that are not compatible with the bank's strategic goals, can't be properly monitored or managed by the bank, or do not provide adequate return on investment. Strategic risk can also arise when the bank does not use a third party when it is prudent to do so.
Credit Risk
Credit risk may arise when third parties market or originate certain types of loans on the bank's behalf that were not appropriately monitored by the bank, resulting in low-quality receivables and loans. Credit risk may also arise from poor customer service, account management, or collection activities.
Risk Assessment
Large/complex vendors vs. small/lesser-used vendors: prioritizing vendor management. Examples:
- Level 1 risk: Critical to the bank's operations; have access to confidential customer information (e.g., your core processor, remote deposit capture vendor, internet banking vendor).
- Level 2 risk: Access to confidential or critical use-only data (e.g., outsourced audit functions).
- Level 3 risk: Not critical to operations; do not have authorized access to confidential information (e.g., cleaning people, shred company).
Needs and Wants
- What do you need vs. what you want or would like to have?
- What are the risks associated with this particular activity? Compliance risks, financial risks, reputational risks, operational risks.
- Do we have anyone who fully understands this type of activity?
- Can we do this in house?
- What are the costs of implementing and monitoring the activity?
- What are the benefits?
Who Can Help Us
Identifying vendors:
- Do they understand your business?
- What is their reputation?
- Are they financially sound?
- Lawsuits and disputes
- Are they accessible and responsive?
- How long have they been around? Are they going to be there long term?
Due Diligence and Selection
- Strategies and Goals
- Legal and Regulatory Compliance
- Financial Condition
- Business Experience and Reputation
- Fee Structure and Incentives
- Qualifications, Backgrounds, and Reputations of Principals
- Risk Management
- Information Security
- Management of Information Systems
- Resilience
- Incident Reporting and Management Programs
- Physical Security
- Human Resource Management
- Reliance on Subcontractors
- Insurance Coverage
- Conflicting Contractual Arrangements with Other Parties
Choosing a Partner
What are the most important factors?
- Price
- Reputation
- Quality
- Scope
- Compliance
- Familiarity
- Experience
- Security
Quantify It
Factor                 Weight   Vendor #1   Vendor #2   Vendor #3
Price                    50        30          50          24
Information Security     10        10           5          10
Technical Ability         8.5       8.5         6           6
Compliance                7.5       8           5           5
Support                   3         3           1           2
Risk Management           4         4           2.5         3
Resilience                5         5           3           4
Incident Response         5         4           5           4
Insurance Coverage        3         3           1           2
Financial Condition       4         4           1           3
Best Score              100        79.5        79.5        63
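The scoring matrix above, as an added worked example in Python (this is not code from the presentation or from Compliance Alliance). It encodes the table as printed, checks it for data-entry errors before anyone acts on the totals, and ranks the vendors. The `gates` rule, which drops a vendor that scores below a minimum on a factor regardless of its total, is an assumption added here; the slides do not describe it. Run against the slide's own numbers, the check reports that Vendor #1 is awarded 8 points on Compliance against a weight of 7.5, and a gate requiring at least 80% on Information Security separates the two vendors tied at 79.5.

```python
"""Weighted vendor scoring, as an added example (not code from the slides).

Each factor carries a weight, which is its maximum number of points, and each
vendor is awarded points out of that weight, so 100 is the best possible total.
The gate mechanism in rank() is an assumption added here, not a rule the
slides state.
"""
from __future__ import annotations

# Factor -> weight (maximum points), taken from the slide.
WEIGHTS: dict[str, float] = {
    "Price": 50, "Information Security": 10, "Technical Ability": 8.5,
    "Compliance": 7.5, "Support": 3, "Risk Management": 4, "Resilience": 5,
    "Incident Response": 5, "Insurance Coverage": 3, "Financial Condition": 4,
}

# Vendor -> factor -> points awarded, copied from the slide as printed
# (including Vendor #1's 8 on Compliance, which exceeds the 7.5 weight).
SCORES: dict[str, dict[str, float]] = {
    "Vendor #1": {"Price": 30, "Information Security": 10, "Technical Ability": 8.5,
                  "Compliance": 8, "Support": 3, "Risk Management": 4, "Resilience": 5,
                  "Incident Response": 4, "Insurance Coverage": 3, "Financial Condition": 4},
    "Vendor #2": {"Price": 50, "Information Security": 5, "Technical Ability": 6,
                  "Compliance": 5, "Support": 1, "Risk Management": 2.5, "Resilience": 3,
                  "Incident Response": 5, "Insurance Coverage": 1, "Financial Condition": 1},
    "Vendor #3": {"Price": 24, "Information Security": 10, "Technical Ability": 6,
                  "Compliance": 5, "Support": 2, "Risk Management": 3, "Resilience": 4,
                  "Incident Response": 4, "Insurance Coverage": 2, "Financial Condition": 3},
}


def check_matrix(weights: dict[str, float], scores: dict[str, dict[str, float]]) -> list[str]:
    """Return data-quality findings: weights that do not sum to 100, a vendor whose
    factor list differs from the weight table, or a score outside 0..weight.
    An empty list means the matrix is clean."""
    findings: list[str] = []
    if abs(sum(weights.values()) - 100) > 1e-9:
        findings.append(f"weights sum to {sum(weights.values())}, not 100")
    for vendor, pts in scores.items():
        if set(pts) != set(weights):
            findings.append(f"{vendor}: factor list does not match the weight table")
            continue
        for factor, p in pts.items():
            if not 0 <= p <= weights[factor]:
                findings.append(f"{vendor}: {factor} score {p} is outside 0..{weights[factor]}")
    return findings


def totals(scores: dict[str, dict[str, float]]) -> dict[str, float]:
    """Total points per vendor (points are already weighted in this matrix)."""
    return {v: round(sum(pts.values()), 2) for v, pts in scores.items()}


def rank(weights: dict[str, float], scores: dict[str, dict[str, float]],
         gates: dict[str, float] | None = None) -> list[tuple[str, float]]:
    """Rank vendors by total, highest first, after dropping any vendor that falls
    below a gate. A gate maps a factor to the minimum fraction of that factor's
    weight a vendor must score (0.8 means at least 80%). Ties keep name order."""
    gates = gates or {}
    kept = {v: pts for v, pts in scores.items()
            if all(pts[f] >= frac * weights[f] for f, frac in gates.items())}
    return sorted(totals(kept).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for line in check_matrix(WEIGHTS, SCORES):
        print("finding:", line)
    print(totals(SCORES))
    print(rank(WEIGHTS, SCORES, gates={"Information Security": 0.8}))
```

The gate exists because a pure weighted sum lets a strong price score compensate for a weak security score: in the slide's table Vendor #2 takes full marks on Price and half marks on Information Security and still ties Vendor #1 on total. Deciding up front which factors are pass/fail, and running a consistency check on the matrix before the totals are presented to management, keeps the quantified comparison honest.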
MoPac-alypse Now!
Bidding Process
- Bid #1 - $198 million, done in 910 days
- Bid #2 - $204 million, done in 910 days
- Bid #3 - $137 million, done in 882 days (use tunnels instead of an overpass)
Before the bid, Austin estimated the cost at $170 million. By law, price must count for 70% of the selection criteria.
What Could Go Wrong?
- Rock was too hard to tunnel (an unforeseen circumstance)
- Re-route a 42-inch sewer pipe
- Too much rain
- Cost of labor too high
- Finger pointing
End Result
- Contractor claims they spent $357 million on the project.
- January 2017 (over 2 years after they were supposed to finish): they subcontract the rest of the work out.
- Contractor sues for $100 million.
- Final cost ends up being $159 million for the City.
- Still not finished.
Contract Negotiation
- Scope
- Term
- Liability and Indemnification
- Parties involved
- Compliance
- Monitoring (audits and reports)
- Service Level Agreements
- Security and Safeguards
- Disaster recovery
- Licensing
- Termination
- Board approval for critical vendors
Other Considerations
- Is it one-sided?
- Does it address regulatory requirements?
- Do you have other contracts, and do those contracts terminate at the same time?
- Software updates
- What to do with obsolete systems
- Disaster recovery
- Ambiguity: don't ignore definitions
Review the Contract
Paragraph by paragraph, line by line. If you don't understand what a paragraph means, clarify it; that means either rewriting it or amending it. Are all the terms acceptable, and are you willing to perform? What are your red lines? What is negotiable? Involve your attorney.
Service Level Agreements
- How much downtime is acceptable to the bank?
- What is the required response time?
- When will it be delivered?
When possible, quantify these standards; don't leave it to a "good faith" or "reasonable" standard.
Indemnity Clauses
When is it triggered?
- When an allegation is made against the bank
- When a claim is made against the bank
- When a judgment is issued
Monitoring
Ongoing monitoring is essential to the risk management of your third-party relationship. Monitoring should be commensurate with the risk presented by the third party.
Ongoing Monitoring
- Assess the existing relationship periodically
- Assign responsibility to capable staff
- Cover due diligence activities
- Adapt monitoring to changing risk profiles
- Escalate significant issues
- Test controls used to manage third-party risks
Monitoring
https://www.occ.gov/static/enforcement-actions/ea2017-063.pdf
Review Relationship
Renew or Terminate?
The need to terminate a third-party relationship may arise for many reasons. Ensure the relationship is terminated in an efficient manner and that a plan is in place.
Termination
- What will you do next? Plan.
- What is the time frame for the transaction?
- What impacts may arise?
- Are there data retention or destruction issues to manage?
- Is there joint intellectual property?
- Are there reputation risks that may arise from terminating the relationship?
- Do you want to contract with another third party or bring the activity in-house?
Regulatory Oversight
Examiners will evaluate:
- Whether the Bank is selective in choosing service providers
- Whether the Bank ensures that the service provider meets licensing or registration requirements
- Whether the Bank performed initial due diligence concerning the service provider's prior regulatory compliance history before entering into an agreement
- Whether the Bank takes steps to ensure service providers' compliance with the company's privacy policy when dealing with company data
- Whether the Bank reviews the internal and external audit reports covering service providers' activities, and whether the Bank responds appropriately to identified concerns
Regulatory Oversight
Examiners will review risk management practices to see:
- The quality of oversight and management of relationships
- Management's ability to highlight and discuss material risks and deficiencies
- Oversight of those activities considered critical
Deficiencies in vendor management practices could be deemed unsafe and unsound banking practices; your vendor management practices also demonstrate the strength of your compliance risk management program.
Questions?
If you have any additional questions, contact Compliance Alliance at hotline@compliancealliance.com or 888-353-3933.