Reduce liability for losses on commercial accounts by adhering to four requirements.
The Sleeper Risk of 2012
Regulators are making third-party compliance a priority. And believe it or not, community banks are liable for the damage caused by improper vendor actions.
“Consumers are at a real disadvantage, because they do not get to choose the service providers they deal with — the financial institution does,” said Consumer Financial Protection Bureau Director Richard Cordray in the bureau’s press release on the guidance issued earlier this year. “Consumers must not be hurt by unfair, deceptive or abusive practices of service providers. Banks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.”
Yet with the increase in outsourcing activities and the added regulatory attention, community banks have not identified vendor management as a priority. ATTUS and CSI recently surveyed hundreds of financial institutions for their insight on banking priorities for the current year. Few, if any, respondents recognized vendor management as a priority for 2012.
To effectively manage a bank’s vendors, institutions should focus on four key areas.
Conducting proper due diligence in selecting a vendor is a critical aspect of vendor risk management. Important due diligence steps include:
- Asking the vendor to provide references (particularly ones from other financial institutions) to determine satisfaction with the vendor’s performance.
- Asking questions about the vendor’s data backup system, continuity and contingency plans, and management information systems.
- Researching the background, qualifications and reputations of the vendor’s principals.
- Determining how long the vendor has been providing the service.
- Assessing the vendor’s reputation, including lawsuits filed against it.
- Obtaining audited financial statements to check the vendor’s financial health.
The contract between the financial institution and the vendor is another key factor in mitigating risk, because it dictates legally binding terms and conditions. Financial institutions should rely on experienced counsel to ensure that their interests are protected and potential contingencies are considered. The contract should also articulate the mutual expectations of both parties.
Vendor Management and Monitoring
After the vendor has been selected and the contract signed, it is important to manage and monitor the relationship. Performance monitoring controls should include:
- Grouping vendors into criticality categories (i.e., high, medium and low).
- Ensuring that the vendor is complying with consumer protection laws and regulations.
- Periodically analyzing the vendor’s financial condition and performing on-site quality assurance reviews.
- Regularly reviewing metrics for the vendor’s performance relative to service level agreements.
- Reviewing customer complaints for services or products handled by the vendor and conducting anonymous testing if applicable (mystery shopper).
- Assessing whether contract terms are being met.
- Testing the vendor’s business contingency planning.
- Evaluating the vendor’s information security practices, ensuring the protection of sensitive customer information.
- Evaluating the adequacy of the vendor’s training for its employees.
- Periodically meeting with the vendor to review contract performance and operational issues.
While outsourcing can be beneficial, it creates the risk that a disruption to the vendor’s operations will affect the services the vendor provides to the bank. To mitigate this risk, financial institutions must ensure that the vendor has a prudent business recovery plan in place.
Paul Reymann is chief risk officer of Charlotte, N.C.-based ATTUS Technologies Inc., a wholly owned subsidiary of Computer Services Inc. For more information, visit www.attustech.com.
Copyright (c) November 2012 by BankNews Media