Best Practices in Banking Vendor Management

By Scott Sargent

For the past several years, federal regulators have targeted vendor management risk as one of their top regulatory priorities. The growing reliance on third-party service providers is only increasing the need and demand for effective vendor management programs. On April 2, the FDIC reminded the banks under its supervision that it expects them to comply with the guidance previously issued.[1]

State regulators have also joined in the movement for increasing oversight of bank third-party service providers. For instance, in 2018, the Alabama Legislature passed a law that endows the Alabama State Banking Superintendent with specific authority to examine bank service providers. The act states the Legislature “finds and declares that the connections between banks and service providers create risks to the financial system, as banks are increasingly reliant on third parties to provide or enable key banking functions and other services.” Many other states already have this authority, and have also intensified their efforts following perceived failures of third-party service providers to ensure safe and sound bank operations and performance.

While the regulatory framework for vendor management has been in place for years, detailed expectations and requirements of any given banking operation are left to that institution to decide and implement. Some organizations have created or adopted a vendor management program only to find upon closer inspection that it lacks clarity, effectiveness or oversight.

The board of directors and senior management are responsible for managing risks posed to an institution through its third-party service providers. While regulators recognize the need to outsource certain functions and operations, the risks inherent in outsourcing always remain with the bank. Therefore, it is imperative that banks evaluate their vendor management programs to determine if the outsourcing risks are appropriately identified, mitigated and aligned with their business plans.

Some best practices that can help keep banks safe and compliant include:

1) Risk assessment

Before anything is outsourced, the bank should first determine whether the outsourcing is consistent with its strategic direction and then conduct a cost/benefit assessment. This assessment should include all risks of the outsourcing, starting with: whether there are qualified and experienced vendors to perform the service on an ongoing basis; if the bank will be able to provide the appropriate oversight and monitoring of the vendor going forward; and what resources are required and what safeguards are in place for disruptive events.

Once these preliminary issues are addressed, additional key risks from outsourcing functions to external vendors should be considered:

  • Operational/transactional risk

The ability of the service provider to perform the expected function should be one of the first risks considered. When evaluating this risk, consider the vendor’s infrastructure, resources, training program, employee onboarding, expertise, equipment, facilities, employees and corporate governance. Make sure the vendor can perform the tasks expected without subjecting the bank to undue risks.

  • Reputational risk

The adage “birds of a feather flock together” is not only good advice for people (and birds) but also for a bank choosing its associates. Be mindful that the choice of vendors can reflect directly on how the public and the regulators view the bank. Evaluate how the vendor runs its operations and how those operations could (not will) impact customers. Assess the vendor’s legal and compliance history and its overall reputation. By choosing any given vendor, its reputation becomes part of the bank’s reputation.

  • Compliance risk

Very few people outside the banking industry understand the length, breadth and complexity of the regulatory structure that banks must follow. With any outsourcing, the bank must evaluate the compliance risk in the relationship. In some cases, a vendor may have a direct impact on a bank’s ability to comply with legal and regulatory requirements. For instance, outsourcings involving consumer privacy, consumer protection, information security, record retention, and/or Bank Secrecy Act and Office of Foreign Assets Control should be thoroughly vetted. 

However, in some relationships, the regulatory implications may not be so obvious. Always consider the indirect effect that a relationship could have on compliance. For example, a vendor may not have a direct impact on regulatory compliance (unlike, say, a vendor that provides disclosures); however, the vendor may be responsible for providing tools that enable a bank to meet its regulatory obligations.

  • Concentration risk

One noted frequent weakness in vendor management is an over-reliance by some banks on a single vendor for too many operational functions. Without appropriate risk identification and mitigation, certain operations, and possibly even the bank itself, could be jeopardized or impaired by over-reliance on a single service provider, a limited number of service providers or those concentrated in the same geographic location. Always consider what would happen if that vendor or the vendor’s geographic location suffered a catastrophe and how that would affect the bank.

  • Strategic risk

Before embarking on any outsourcing, senior management should determine how that outsourcing fits into the bank’s long-term and/or short-term strategy. Once that analysis is done, the outsourcing should be specifically tailored to meet the bank’s business plans. For instance, if the outsourcing is a short-term fix to an immediate problem, the risk inherent could be considerably higher than a long-term relationship with an established partner. A vendor with a limited duration is less likely to be as engaged and as responsive and may be more willing to compromise on the things that are essential to regulatory compliance and effective vendor management.

  • Legal risk

Once perhaps the most overlooked risk in an outsourcing relationship, legal risks have now been recognized as significant by banks that engage third-party service providers. Through numerous examples over the past few years, banks have learned that vendors can do things or fail to do things that get banks in legal trouble. In addition to analyzing legal risks, banks must also consider regulatory implications like data security, Reg E and Reg Z, as well as the rules of payment systems that can result in hefty fines, chargebacks and penalties when vendors fail to meet their obligations. For example, a business that uses recurring debits to a bank account, but is not appropriately capturing, storing or cancelling customer authorizations, can quickly cause a bank to incur substantial fines from NACHA (previously National Automated Clearing House Association) and chargeback demands from other financial institutions.

  • Financial risk

Two aspects of financial risk should be considered:

First, evaluate the financial condition of the vendor and whether it will financially be able to perform as agreed. Balance sheets, profit and loss statements, audited financials and public filings are all tools banks can use to evaluate a vendor’s financial health.

Second, consider the financial risk of the outsourcing. How much should the bank be willing to pay and how should payments be structured? For instance, if the bank were to pay 100 percent at contract signing, the bank incurs a much greater risk than paying a vendor after performance.

  • Country risk

Many banks will assume that a “country risk” analysis does not apply to them because they do not contract with vendors outside the United States. That may be true, but how many of their vendors have subcontractors located outside the U.S. that are providing part of the services or products to the bank? Many vendors that provide services and products to the banking industry have some components of their operations offshore either subcontracted to foreign companies, domestic companies with foreign operations, or foreign subsidiaries or affiliates. 

Country risk may very well be the most overlooked risk category that the regulators specifically identify. A bank should not only determine if the services or products provided involve offshore operations, affiliates, subsidiaries or contractors but also if any of the vendor’s operations are offshored in any manner. If so, then it is necessary to consider exposure to economic, social and political conditions and events in the foreign country — if those conditions could adversely affect the ability of the vendor to meet the level of service required — and any harm to the bank that may result. 

Of course, this is after a determination is made that the foreign country is not on the list of countries that are prohibited to U.S. banks. If so, then analysis ends, and the vendor should not be used.[2] If the country is not “prohibited” but is under sanctions, careful and thorough legal analysis is required before a contractual relationship is established.

  • Credit risk

Finally, one of the most obvious and important risks that a bank should consider is credit risk. This may not be a risk inherent in most vendor relationships, but when the bank is contracting with a third party to originate loans on the bank’s behalf, when the third party solicits or refers customers, engages in or conducts underwriting analysis, or implements product programs for the bank, the credit risks have to be identified and mitigated. It is imperative in those situations that the bank understands the underwriting and credit standards the vendor is applying to those potential bank customers and that those meet the bank’s risk appetite.

At the end of the risk assessment, the bank should be in a position to determine the risk “value” of the outsourcing. The valuation is not just a fiscal or convenience determination but an incorporation of all aspects of the outsourcing risk and mitigation tools. If the value of the risk posed by the outsourcing is within the bank’s established risk profile, the outsourcing can proceed. 

Further, the risk assessment should be revisited and updated as appropriate. Needs change, circumstances change, operations change and as a result a vendor that was  categorized as low risk can suddenly pose a significant risk to the bank.

2) Due diligence

After the risks of the outsourcing to the bank are evaluated, the bank must necessarily turn its focus to the potential vendor and perform due diligence. The amount of due diligence required is directly related to the level of risk and complexity of the vendor’s service. Critical vendors, those with access to confidential data, particularly customer data, and those that pose high risk to the bank will require the most extensive due diligence.

Banks too often rely on their prior experience with the vendor or recommendations from other banks as a proxy for due diligence and do not conduct a thorough vetting of the vendor. That is a recipe for major problems because a vendor’s condition can change and the expectations and requirements of a vendor may vary widely from one bank to another. 

To establish an effective due-diligence component of the vendor management program, the bank may need to investigate the following:

  • Strategies

Consider the effect of the vendor’s business plans and focus on the outsourcing. If its business focus is moving away from the services the bank needs, that should be a red flag for the bank. Similarly, if it is contracting, acquiring or partnering with businesses that are competitive to the bank, certain contractual and operational controls may be necessary. Also, if the vendor is associating itself with businesses that may reflect negatively on the bank in the eyes of the public or the regulators, that is another factor to consider.

  • Legal and regulatory compliance

The vendor’s potential to impact the bank from a compliance standpoint has to be quantified and, when appropriate, the bank should evaluate the vendor’s legal and regulatory compliance programs to ensure that not only does the vendor have the appropriate licenses to provide the services but also to ensure that it has the necessary internal controls and programs to provide the services in compliance with applicable laws and regulations. Also, the bank should investigate whether the vendor has any enforcement actions against it, or regulatory related civil actions that could materially affect its ability to perform as expected.

  • Financial condition

The bank should review the vendor’s financial statements to make a reasoned judgment as to whether the vendor will be financially able to perform the outsourcing. Audited financial statements are the best because the auditors state whether they believe the vendor will be in business one year later.

  • Reputation

Determine how the vendor is viewed by existing customers, its industry and the public in general. Review marketing materials to make sure the vendor accurately represents its business, deliverables and capabilities.

  • Operational capability

Fundamental to any outsourcing is the ability of the vendor to perform. Whatever the relationship is, the bank should determine if the vendor can provide the services and products the bank needs. This may take the form of reviewing the vendor’s existing products and services, the vendor’s resources, its proposed staffing and its experience.

  • Fee structure

The proposed fee structure of the service must be analyzed to determine if it creates inappropriate risks such as high upfront fees or fees that could incentivize inappropriate behavior.

  • Background checks

One of the reasons that banks are so heavily regulated is that their business is considered vital to the U.S. (and global) economy, and perhaps national security, as well. To that end (not to mention some federal legal requirements), a bank must be sure that its vendors (and their subcontractors) are not hiring employees with criminal records.

  • Security

Because of the critical nature of the information that banks possess and the financial implications of transactional relationships, banks must consider a vendor’s access to confidential customer information, money or accounts. When such access is part of an outsourcing, the bank must scrutinize the vendor’s information security and physical security programs and policies, internal controls and infrastructure.

  • Human resource management

The bank should review the vendor’s programs to train employees on policies and procedures and its process for dealing with violations and failure to pass screenings. Depending on the services provided, the bank may need to consider the vendor’s succession plan for key personnel and its ability to continue to retain or attract skilled employees to perform the services.

Appraise how the vendor’s employment practices could bear on the relationship or reflect on the bank. For example, diversity programs are part of the business landscape, and a vendor without a diverse employee base may have potential social or legal issues in its future or may even damage the bank’s reputation.

  • Subcontracting

It is imperative that the bank assess any potential vendor’s use of, and reliance on, subcontractors and its ability to monitor and manage them. If the services provided by the subcontractor have the potential to impact the bank or if they involve customer information, due diligence may be required on the subcontractor. 

  • Insurance

Assess the vendor’s insurance coverage to ensure that appropriate types and levels of coverage exist. Of course, the coverage requirements will vary depending on the size of the vendor and the nature of the outsourced function. 

Be wary of the terms of coverage and other contractual terms. For example, a high deductible or co-insurance requirement in conjunction with a limit of liability may render the insurance coverage ineffective.

  • Business background and strategy

Recent innovations in products and services, and the resulting boom of new banking vendors, might seem to shift the due-diligence focus away from vendor backgrounds. In many cases, the vendors are providing something brand new. However, even in cases where the service, product or the vendor is new to the market, consider how the vendor got into its business and its roadmap.

  • Risk management

Examine the effectiveness of the vendor’s risk management program and internal controls. Include a review of the vendor’s internal audit department and its effectiveness, as well as a review of Service Organization Control (SOC) reports and any external certifications.

  • Management of information systems

Understand the vendor’s technology systems, processes, maintenance and compatibility. The bank should also understand how the metrics expected from the service will apply to the vendor systems and schedules for upgrades and/or enhancements.

  • Disaster recovery

There is concern among the regulators that banks are not paying enough attention to their vendor’s business continuity plans as evidenced by the FDIC’s guidance recently issued. Evaluate the vendor’s ability to deal with service disruptions from external and internal events and determine how those disruptions and recovery plans will impact its operations. Ensure the vendor is appropriately testing those procedures and confirming they remain effective and up to date.

  • Incident reporting

The bank should determine if the vendor has a satisfactory and sufficient process to identify, report, escalate and resolve incidents, including but not limited to, data security incidents, employee-related incidents, operational disruptions, compliance violations and legal claims. The vendor must be able and willing to report anything that could impact the bank, the bank’s customers or the vendor’s ability to perform.

Although no amount of diligence can eliminate all risk, the bank’s due-diligence policies and procedures should reasonably assure the board of directors, senior management and regulatory authorities that the appropriate investigation into potential third-party vendors was conducted.

3) Contracting

The contracting aspect of an effective vendor management program is not just signing a document or turning it over to the lawyers for drafting. Contracting in the context of vendor management requires a disciplined approach by the bank. Since the contract between the bank and the vendor will be the final authority and the point of reference for all expectations from both parties, the process of contracting must be established internally. In developing this process the bank should consider:

  • Who manages the bank’s contracts?
  • How are the bank’s contracts managed? Is it a centralized, decentralized or hybrid process?
  • Who is responsible for negotiating terms?
  • Can financial incentives impact the vendor’s negotiations?
  • Can operational incentives or issues impact the vendor’s negotiations?
  • Are there market incentives or issues that could impact the vendor’s judgment?
  • Are there strategic incentives or issues that could impact the vendor’s judgment?
  • Who manages amendment and renewals?
  • Who is monitoring changes in the environment (technological, market, legal, regulatory, customer base)?
  • What approvals or notifications are necessary for contracts? Are there different tiers for varying costs and impact?
  • Board approval is required for a contract that involves critical activities.
  • Regulatory notification is required for contracts involving check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices and similar items, or any other clerical, bookkeeping, accounting, statistical or similar functions performed for a depository institution. This requirement has been very broadly interpreted by the regulators to include notification of contracts involving any technology-related services.
  • Who is authorized to execute the contracts?
  • Banks should be wary of the risk inherent in a decentralized system, a system that broadly grants contracting authority, or practices that give apparent authority to employees or agents.

Of course, the documentation itself is very important to the contracting process. The final contract should represent the business terms both parties expect, mitigation of the risks identified in the risk assessment, and tools to maintain due diligence and monitor ongoing performance. The key provisions that should be considered in any contractual relationship are:

  • Nature and scope of arrangement

A thorough and complete description of the services to be provided is the core of any services agreement. Regulators recommend that the description also include ancillary services such as software or other technology support and maintenance, employee training and customer service. 

  • Performance measures

Service levels, metrics, deliverables or benchmarks are a second essential element to an outsourcing agreement. Regulators caution that performance measures should not incentivize undesirable performance, such as sacrificing accuracy for speed or compliance requirements, to the detriment of customers. 

  • Cost and compensation

The contract must establish payment terms, but banks should ensure the contracts do not include burdensome upfront fees or incentives that could result in inappropriate risk taking by the bank or the vendor. The contract should specify the conditions under which the cost structure may be changed, including limits on any cost increases and any penalties for any failures to meet service levels, controls and audit requirements, or late payments.

  • Audit rights

The regulatory authorities have broadly applied the legal authority they are granted in the Bank Service Company Act to include rights to directly examine bank vendors. Banks are expected to include contractual language that will give them and regulators access to the vendor’s operations, records and employees to conduct examinations and audits when appropriate.

  • Confidentiality and integrity

Contracts must require confidentiality of any customer information provided or even potentially available to the vendor. Vendors must protect that information according to regulatory standards and applicable law. The contract should specify when and how the vendor will disclose information about security breaches, and whether the breach resulted in unauthorized intrusions or access that may materially affect the bank or its customers. The contract should address the power of each party to change security and risk management procedures and requirements, and to resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party.

  • Ownership and license

In a world where it is becoming common for banks and vendors to jointly develop or create products and services, the contract must address ownership rights of jointly developed property as well as ownership rights of property contributing to or utilized in that development. Also, the bank should require the vendor to warrant that any third-party intellectual property used is (1) licensed for the services provided, (2) that such use, and the property or tools the vendor is contributing, will not infringe upon someone else’s intellectual property, and (3) in the case of software and/or hardware, the property will not transmit any unwanted or harmful programs to the bank’s systems.

  • Indemnification

Many times this is a point of contention or confusion. However, it is important that the bank ensure that any indemnities it provides to the vendor make sense from a risk management perspective and that any indemnities it receives from the vendor appropriately assess the risks inherent in the relationship. 

  • Default and termination

Banks should always ensure the contract provides them the right to terminate if the vendor fails to meet its obligations. However, regulators have identified three other points to consider in the default/termination clause:

  1. The bank should determine whether it includes a provision that enables the bank to terminate the contract, upon reasonable notice and without penalty, in the event that, among other circumstances, a regulator formally directs the bank to terminate the relationship. 
  2. The services agreement should permit the bank to terminate the relationship in a timely manner without prohibitive expense.
  3. The services agreement should include termination and notification requirements with time frames to allow for the orderly conversion to another vendor.

  • Dispute resolution

Most contracts should provide for some form of dispute resolution, either an informal process of meetings between management or a formal plan involving arbitration or mediation.

  • Liability caps

Some of the largest risks banks face come from limits of liability. A vendor that a bank pays $50,000 per year could expose the bank to a class action that costs $25,000,000. If the bank has agreed to a limit of liability equal to the amount of fees paid to the vendor in a year, this outsourcing poses a significant risk.

To address this risk, the bank also should determine whether any liability caps are in proportion to the amount of loss the bank might experience. Banks should reject the all-too-common “annual fees paid” formulation unless that amount is an accurate reflection of the bank’s risk.

  • Insurance

The contract should stipulate that the third party is required to maintain adequate and appropriate insurance coverage, to notify the bank of material changes to coverage, and to provide evidence of coverage periodically or upon demand.

  • Customer complaints

When a vendor could receive complaints from customers, the contract should specify whether the bank or vendor is responsible for responding to customer complaints and outline specific standards for when a response is given and instruct the vendor which bank officer should receive the complaint. In those situations, the contract must also address retention guidelines and escalation procedures for customer complaints.

  • Business resumption and contingency plans

Given the increased regulatory attention to disaster recovery, banks would be wise to require the vendor to provide the bank with disaster recovery plans, testing schedules, the ability to participate in the tests and the sharing of the results of those tests.

  • Foreign-based third parties

Contracts with foreign-based third parties should include choice-of-law and jurisdictional provisions that provide for adjudication of all disputes under the laws of a specified jurisdiction. Regulators do not require that the jurisdiction or applicable law be the United States or a political subdivision thereof, but when a U.S. bank submits to the laws and jurisdiction of a foreign country, there should be a plan in place to protect its rights in that jurisdiction and an articulable reason for accepting the foreign jurisdiction.

  • Subcontracting

The contract should specify: (1) any specific activities that cannot be subcontracted; (2) whether the bank prohibits the vendor from subcontracting activities to certain locations or to specific subcontractors; (3) notification to the bank before a subcontractor is engaged (with an opportunity to perform due diligence on the proposed subcontractor) or when an existing subcontractor is terminated; and (4) the bank’s ability to audit and perform due diligence on subcontractors.

The bank should also reserve the right to terminate the services agreement without penalty if the vendor’s subcontracting arrangements do not comply with the contract or if the bank does not approve a proposed subcontractor.

  • Responsibilities for providing, receiving and retaining information

As part of establishing and reporting performance metrics, the contract should require the vendor to provide and retain timely, accurate and comprehensive information that allows the bank to monitor performance, service levels and risks. Additionally, regulators have recommended other reports that many vendors are not eager to accept but actually are very important to maintaining an effective vendor management program. Specifically:

  • Prompt notification of financial difficulty, catastrophic events and significant incidents such as information breaches, data loss, service or system interruptions, compliance lapses, enforcement actions or other regulatory actions.
  • Personnel changes, or implementation of new or revised policies, processes and information technology.
  • Notification to the bank of significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures or other business activities that could affect the activities involved.

  • Responsibility for compliance with applicable laws and regulations

The contract should require compliance with laws, regulations, guidance and best-practices standards applicable to the bank. Some vendors will try to avoid this by saying the regulations that govern banks do not apply to them. However, the bank is still responsible for compliance with its laws and regulations, and a vendor that is not meeting those requirements when performing services for the bank is putting the bank at significant risk. Bank vendors must be informed of the requirements, and they must agree to follow and implement relevant rules, regulations and laws that apply to banks.

The bank must always weigh the nature of the services, the risk posed by the outsourcing, and the relationship of the parties to construct contractual provisions that meet the bank’s needs, vendor-management program and legal/regulatory requirements.

4) Monitoring

A vendor management program without appropriate monitoring is like driving in the dark at 90 mph without headlights.

Deliverables, metrics or service agreements, risks and due diligence must be tracked, monitored and updated. Mandatory monitoring should include:

  • Business strategy (including acquisitions, divestitures, joint ventures) and reputation (including litigation) that may pose conflicting interests and impact the vendor’s ability to meet contractual obligations and the service-level agreement;
  • Compliance with legal and regulatory requirements: Have enforcement actions or material litigation been filed against them?
  • Financial condition: What fiscal changes have they experienced and why?
  • Insurance coverage: Maintained, updated with appropriate limits and deductibles;
  • Key personnel and ability to retain essential knowledge in support of activities;
  • Ability to effectively manage risk by identifying and addressing issues before they are cited in audit reports;
  • Process for adjusting policies, procedures and controls in response to changing threats, new vulnerabilities, material breaches, or other serious incidents;
  • Information technology used and the management of information systems;
  • Business continuity plans: Testing and reporting of tests;
  • Subcontractors: Location of subcontractors, and the ongoing monitoring and control testing of subcontractors;
  • Agreements with other entities that may pose a conflict of interest or introduce reputation, operational or other risks to the bank;
  • Ability to maintain the confidentiality and integrity of the bank’s information and systems;
  • Volume, nature, and trends of consumer complaints, in particular those that indicate compliance or risk-management problems;
  • Ability to appropriately address customer complaints;
  • Cybersecurity; and
  • Contract milestones including notification dates, renewals and terminations.

The monitoring aspect of a vendor management program is the result of the risk assessment, due diligence and contracting with the vendor. However, it also represents the future of the vendor relationship. The bank’s monitoring activities should be tailored to develop the vendor relationship and provide visibility into the vendor’s operations and activities on numerous levels by adopting a multi-layered approach to monitoring, gathering information from various people or areas of the vendor. This alone provides additional controls and verification on the information provided.

Of course, to achieve an appropriate level of monitoring, the bank has to devote appropriate, experienced resources to monitoring and provide the tools necessary to deliver the expected results.

5) Documentation

The best vendor management program is not worth much during regulatory exams if you cannot demonstrate your compliance and capabilities. That is why documentation is key.

Documentation is the evidence of complying with the requirements of the bank’s policies and procedures, regulatory/legal requirements and contractual obligations.

Effective documentation should maintain:

  • Each vendor’s risk report, due diligence and monitoring reports (ideally, a copy of the vendor contract would be contained in this file);
  • All contracts in a centralized and organized filing system;
  • All reports to the board;
  • All internal vendor management audits;
  • Vendor-related customer complaints;
  • Regulatory notifications;
  • Control testing results: The bank should routinely test all vendor management controls and requirements and document the results;
  • Updated risk assessments and due diligence to the vendor files; and
  • Deviations from policy or procedures with appropriate explanations.

6) Termination/transition plans

Banks should always prepare for the end and have a plan in place to bring the outsourced services in-house or to migrate to a new vendor. This plan should address data retention, the handling of intellectual property that was jointly developed by the parties, performance transition and training, and ongoing compliance with law. This plan should be memorialized in the vendor’s contract with the bank.

7) NDAs

Every vendor relationship starts with some kind of conversation that often leads to a request for additional information. Many times the requested information is confidential. That is why every vendor management program should require every vendor and potential vendor that has access to or receives confidential information to agree in writing to keep information confidential, either in a contract or a non-disclosure agreement.

These NDAs should be tracked and filed to demonstrate compliance with legal requirements.

8) Vendor tiers

Regulators recognize that every section/requirement of the vendor management guidelines will not apply to every vendor. Therefore, vendors should be categorized and managed by tiers that are assigned based on risk. Generally, vendors are categorized as critical, high risk, moderate risk or low risk. The vendor’s risk and tier categories should be fluid, shaped by graduated services or products provided, fluctuations in the regulatory environment, the evolving marketplace and changes in the bank’s needs, strategy or risk tolerance.

Some influences for determining a vendor’s tier for diligence, monitoring, contract requirements and documentation are:

  • What data does or will the vendor access?
  • How important is the vendor’s function to the bank?
  • How easily can the vendor be replaced?
  • How is the vendor performing financially, operationally and legally?
  • What is the vendor’s information security environment?
  • What is the vendor’s reputation?

9) RFPs and questionnaires

One of the best tools an effective vendor management program can deploy is a vendor request for proposal or questionnaire that requires responses that sync with regulatory and policy requirements. These documents should be part of every vendor relationship and maintained and updated as necessary.

10) Policies and procedures

Finally, a bank must have strong policies and procedures in place. The policies provide a framework for vendor management while the procedures provide for implementation. The policies should reflect the commitment of the board of directors to establish a culture of compliance with regulatory guidance. Regular reporting to the board should provide oversight by demonstrating that the procedures are effectively implementing the board’s policies.

Vendor management, as with every aspect of a bank’s risk management program, is essential to a safe and sound financial institution. The vendor management program should be established with appropriate reporting structures so that the senior management and the board of directors have the appropriate information necessary to control and monitor risks to the bank.

Vendor management programs require constant supervision and oversight to remain effective. Automation should be considered wherever practical to maintain compliance. Third-party reviews of the program can also provide assistance in identifying weaknesses or holes in compliance, processes or procedures.

11) Benefits of a strong vendor management program

An effective vendor management program represents a significant investment of time and resources. What are the benefits?

  • Regulatory compliance: Aside from avoiding supervisory guidance (matters requiring attention or matters requiring immediate attention), enforcement actions and fines, an effective vendor management program can help bolster and maintain the bank’s overall enterprise risk management processes;
  • Less Risk: The bank can identify and control risks from vendors and subcontractors before they become a problem;
  • Greater control: Not just over risk but over vendor performance, accountability, security and customer impact;
  • Better relationships: Communication with vendors is critical and results in less confusion, less conflict, earlier detection of issues and, generally, a better business partner that is genuinely concerned with doing a good job for the bank;
  • $$$$$: A good vendor management program reduces cost by increasing vendor efficiency, reducing lawsuits, securing better vendor contracts, minimizing time spent dealing with vendor management regulatory actions, and averting losses from reputational damage caused by reckless or ineffective vendors.

Scott Sargent is of counsel in Baker Donelson’s Birmingham, Ala., office. He advises community, regional and international banks on regulatory compliance and risk management. He can be reached at 

[1] FL-19-2019

[2] Department of the Treasury’s list of sanctioned programs and countries can be found at OFAC also maintains a list of Specially Designated Nationals and Blocked Persons that U.S. companies and residents are prohibited from dealing with at:
