The Sleeper Risk of 2012

By: Paul Reymann

Regulators are making third-party compliance a priority. And believe it or not, community banks are liable for the damage caused by improper vendor actions.

“Consumers are at a real disadvantage, because they do not get to choose the service providers they deal with — the financial institution does,” said Consumer Financial Protection Bureau Director Richard Cordray in the bureau’s press release on the guidance issued earlier this year. “Consumers must not be hurt by unfair, deceptive or abusive practices of service providers. Banks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.”

Yet with the increase in outsourcing activities and the added regulatory attention, community banks have not identified vendor management as a priority. ATTUS and CSI recently surveyed hundreds of financial institutions for their insight on banking priorities for the current year. Few, if any, respondents recognized vendor management as a priority for 2012.

To effectively manage a bank’s vendors, institutions should focus on four key areas.

Vendor Selection

Conducting proper due diligence in selecting a vendor is a critical aspect of vendor risk management. Important due diligence steps include:

  • Asking the vendor to provide references (particularly ones from other financial institutions) to determine satisfaction with the vendor’s performance.
  • Asking questions about the vendor’s data backup system, continuity and contingency plans, and management information systems.
  • Researching the background, qualifications and reputations of the vendor’s principals.
  • Determining how long the vendor has been providing the service.
  • Assessing the vendor’s reputation, including lawsuits filed against it.
  • Obtaining audited financial statements to check the vendor’s financial health.

Vendor Contract

The contract between the financial institution and the vendor is another key factor in mitigating risk, because it dictates legally binding terms and conditions. Financial institutions should rely on experienced counsel to ensure that their interests are protected and potential contingencies are considered. The contract should also articulate the mutual expectations of both parties.

Vendor Management and Monitoring

After the vendor has been selected and the contract signed, it is important to manage and monitor the relationship. Performance monitoring controls should include:

  • Grouping vendors into criticality categories (i.e., high, medium and low).
  • Ensuring that the vendor is complying with consumer protection laws and regulations.
  • Periodically analyzing the vendor’s financial condition and performing on-site quality assurance reviews.
  • Regularly reviewing metrics for the vendor’s performance relative to service level agreements.
  • Reviewing customer complaints for services or products handled by the vendor and conducting anonymous testing if applicable (mystery shopper).
  • Assessing whether contract terms are being met.
  • Testing the vendor’s business contingency planning.
  • Evaluating the vendor’s information security practices, ensuring the protection of sensitive customer information.
  • Evaluating the adequacy of the vendor’s training for its employees.
  • Periodically meeting with the vendor to review contract performance and operational issues.

Contingency Planning

While outsourcing can be beneficial, it creates the risk that a disruption to a vendor’s operations will affect the services the vendor provides to the bank. To mitigate this risk, financial institutions must ensure that the vendor has a prudent business recovery plan in place.

Paul Reymann is chief risk officer of Charlotte, N.C.-based ATTUS Technologies Inc., a wholly owned subsidiary of Computer Services Inc. For more information, visit www.attustech.com.

Copyright (c) November 2012 by BankNews Media

