A bank should clearly understand how choosing a technology vendor will reduce the bank’s risks — for example, by strengthening information security, enhancing performance of the bank’s operating systems and improving regulatory compliance.
Many factors are relevant to a bank’s choice of vendors. With a technology vendor, significant issues include the vendor’s method of operations; its general reputation and references; specific provisions of the contract; and security controls that the vendor uses while carrying out its activities. Learning such information helps a bank to understand whether a vendor is competent, stable, trustworthy and operating in accordance with required guidelines.
Unfortunately, outsourcing to a vendor can sometimes increase a bank’s risks — usually in ways that a bank is not considering. A bank that gathers an abundance of information about a vendor before making a decision can have much greater assurance that the specific vendor relationship is a good fit and will actually reduce the bank’s risks.
A bank should also consider the following risk-related questions as it chooses a technology vendor:
1. What is not included in the vendor’s services?
A bank that is changing vendors may assume that a new vendor and the old one are about the same — except maybe for the price. Realistically, there will be other important differences. Each vendor may offer a somewhat different combination of services, and may provide those services in a different way. (This can be good, bad, or some of both.) Before signing the contract, a bank must know what services are included for a fixed price, what services result in an additional or by-the-hour cost, and what services or features are not available on any basis.
An important issue to discuss with any vendor: potential gaps. What services does it not provide at all, that regulators will require the bank to perform for itself or obtain elsewhere? If the bank does not know where the gaps are, and neither performs those tasks itself nor hires someone else to do them, the deficiencies will probably show up as security risks or criticisms on the next IT audit or exam.
2. Are there aspects of the vendor’s operations that enhance, or that may limit, its response time?
The following information helps in predicting the vendor’s response time for important service calls:
Quick vendor response should be available for a bank’s critical issues, and a standard, acceptable response time should apply for ordinary maintenance issues. The vendor should recognize that even what looks like a minor issue can sometimes significantly disrupt the bank’s operations.
Use of secure remote management software can substantially shorten a vendor’s response time. With appropriate software, most technology problems can be resolved remotely. When an issue can be resolved by using a remote management agent, the driving time between vendor and bank simply disappears. Because remote maintenance usually also can be performed outside of business hours, this approach can avoid downtime and irritation for employees and customers. Because that agent is itself a privileged path into the bank’s network, the bank should also confirm how the vendor’s remote access is authenticated, logged and restricted to the systems the vendor actually supports.
Also, ask what response time the vendor provides in an emergency. If the vendor manages or monitors services for which downtime must be minimal (for example, the bank’s firewall or Internet connectivity), that vendor’s staffing levels should enable it to provide an urgent response if an emergency arises. A frantic banker does not want to talk to an answering service or a voice recorder.
A vendor offering 24-hour live monitoring sometimes can resolve a critical incident before the banker is even aware that a problem exists. When the bank’s firewall goes down, or the bank loses its Internet connection, it is extremely helpful for a vendor performing live monitoring to be able to correct the issue before the bank opens for business — with minimal impact on systems or customer services.
3. Does the vendor communicate well, providing needed information that is also understandable?
A key technology vendor needs to communicate regularly to address the bank’s objectives, concerns and problems. The bank must supervise a key vendor’s activities, including making sure that the vendor is complying with appropriate policies, standards and security controls. To help the bank meet regulatory requirements, a major technology vendor must provide regular written reports concerning the activities it is conducting and the status of the bank’s systems. Due-diligence materials are another channel for that communication, both before a contract is entered into and annually thereafter.
A vendor that regularly works with banks will already know the required routine, and will furnish appropriate due-diligence materials, as well as written reports at regular intervals, in a format that is easy for bankers to review, understand and summarize for committee meetings and board presentations. If a vendor does not do this, the bank carries more risk unless it spends more of its own time gathering, and trying to understand, the information that regulators require it to receive from a vendor.
Charles Cheatham is senior vice president and general counsel for BankOnIT in Oklahoma City. He was general counsel for the Oklahoma Bankers Association from 1997–2009.
Copyright (c) February 2013 by BankNews Media