By Charles Cheatham
Today, bankers have more technology and more technology vendors providing services and support to their banks than ever before. Using third-party vendors can allow banks to reduce risk, control costs and focus more efficiently on achieving strategic goals.
Regulators, in many cases, encourage outsourcing, particularly when a bank can obtain more comprehensive services than it can provide on its own. Comptroller of the Currency Thomas Curry has been especially vocal about information security risks facing the banking industry. He has stated, “Third-party service providers are important to all financial institutions, but they can be especially important to community banks.” At the same time, he warns that regulators expect bankers to maintain proper supervision of vendors that they select.
Ample regulatory guidance has been issued concerning vendor due diligence, and most banks are familiar with covering basic due diligence such as financial statement review, checking references and analyzing pricing. Before your bank hires a technology vendor, however, you should also analyze the vendor’s operations carefully and ask a few additional questions. Doing so can uncover important issues not revealed by a tidy-looking vendor due diligence file.
Following are some suggestions:
Make a Site Visit to the Vendor’s Facility
Are the vendor’s business operations neat and orderly? Is there a sense of processes and procedures being in place? Although you may not be a technical expert, observing the vendor’s attention to detail (or a lack of attention) on things as simple as floors being clean or cabling being orderly in a data center can give you indicators of how the vendor may handle your bank’s information.
Who Owns the Equipment and Is It Up-to-Date?
Ask prospective vendors (and your current vendors) who owns the equipment they use to provide support to your bank and how frequently equipment is updated or replaced. A thinly capitalized company may lease equipment or try to get along with less-reliable, older equipment. Vendors utilizing equipment that they do not own, or hosting your data on old equipment, can expose your bank to additional risk.
Who Owns and Controls the Facilities and Data Center the IT Vendor Uses?
The single most expensive investment for an IT vendor is a secure data center. Many IT vendors can’t afford to build and operate their own data centers. Instead, they rent “rack space” for your data inside a third-party’s data center. Any time a vendor does not own its own facilities — and has no ability to impose end-to-end control on important “variables” — your bank may be exposed to unexpected and unnecessary risks.
Many common items such as an electric bill that someone fails to pay, a backup generator not being maintained and tested, a leaky roof or unpaid taxes can put your bank’s data at risk. In a “data center for hire,” other companies can be renting rack space right next to your bank’s data, with their personnel having access as well. Maybe the IT vendor performs background checks on its employees. But who does the same for the employees of the data center and the many other companies that are renting rack space in the same space with your bank’s data?
Does the Vendor Outsource Any of Its Support Services?
Ask if the vendor outsources (either to other companies in the United States or offshore). Vendors that outsource create more due diligence work for the bank (regulators require you to perform due diligence on your vendors’ vendors) and increase the bank’s risk, because the bank has no direct control over these other third parties.
What Industries Does the Vendor Support?
A vendor dedicated to serving only the banking industry is going to have more knowledge of your bank’s needs and the regulations you have to comply with, compared to a vendor that provides services to other industries and serves banks only as a sideline.
Is the Vendor Reliant on Only One or a Handful of Clients for the Majority of Its Revenue?
Vendors that rely on only one or a few clients for a majority of their revenue may not have the capability to support your bank in the event that they lose a couple of key clients. Your bank’s risk is reduced when a vendor’s client base is broad enough that no one client provides a substantial amount of the firm’s revenue.
What Staffing Does the Vendor Have?
The vendor should not only have an adequate number of personnel to support your bank’s needs but also the right people. Individuals who have experience in the banking industry and bank regulatory areas can benefit your bank, in contrast to firms that don’t have such staffing. You’d prefer for your vendors to come to you with ideas and suggestions on how they can address the most recent regulatory release, instead of you having to explain to them what the new regulation means and what they need to do to make their service fit your needs.
Is the Vendor Regulated by Federal Banking Regulators?
A vendor designated as a Technology Service Provider receives regular examinations from federal banking regulators. As a result, you can expect these vendors to have internal controls in place similar to or stronger than the controls your bank would have in place if you were performing the activity on your own. You can obtain your vendor’s TSP exam report from your bank’s primary federal regulator, providing you additional documentation that appropriate security controls are being followed.
A successful banker is always strongly motivated to focus more time outwardly — meeting customers’ needs, achieving strategic objectives and growing the bank. When hiring a vendor, the bank wants to gain capabilities without the burden of devoting the resources required to create and maintain these capabilities on its own. Outsourcing can reduce the bank’s need to focus inwardly on areas that are not revenue generators and that are merely support functions helping the bank to fulfill its objectives. Choosing the right vendor can reduce risk, control costs and provide the bank more time to focus outwardly on its customers.
Charles Cheatham is senior vice president and general counsel at BankOnIT (www.bankonitusa.com). He has more than 30 years of experience providing legal services and advice to bankers. Prior to joining BankOnIT, he served as vice president and general counsel of the Oklahoma Bankers Association and was previously a partner at McAfee & Taft, the largest law firm in Oklahoma. Cheatham is a graduate of Harvard Law School.