Vendor Management: What are the Regulators Thinking?

One consistent item has been on the minds of regulators for several years and especially with all the security breaches over the last several years.  That one consistent item is vendor oversight and management.  Focus is no longer just on the risk that vendors present to the well-being of a supervised financial institution.  The regulators and Accounting Standards professionals have increased the focus of all firms with certified financial statements on considering the impact of critical vendors on financial statements and operations through the publication of SSAE 18. It’s no longer a requirement to just make certain that critical vendors have satisfactory SOC 1 or 2 reports, but those reports now must include the vendor’s critical vendors. Yes, your vendors vendors!

This is all the result of a greater awareness of cybersecurity, and mainly how nearly every organization is dependent upon Internet-based communication and exchange of data. And, if that’s not getting your attention, every regulator is now more intensely focused on the interests of consumers and the risk a vendor might pose. Compliance with state and federal regulations in place for supervised banks and nonbank financial institutions now also includes meeting the Consumer Financial Protection Bureau’s (CFPB) vendor oversight requirements, which are designed to “protect the interest of consumers and avoid consumer harm.”

The consequences of nonconformity are no insignificant matter. The CFPB’s enforcement authority in this regard was established in 2012. Along with other state and federal regulators, the CFPB can and already have exercised their enforcement abilities, including mandating that a company augment or improve the vendor management program; levying financial penalties; and bringing formal enforcement actions or consent orders against institutions and/or vendors.

Since virtually every institution is required to provide certified and audited financials, the possible impact of vendors and how the vendors manage their vendors, can have a material effect on the institution’s financial statements.  Basically, it is imperative that institutions understand the risk that their vendors create and reasonably assure that vendors are essentially compliant. The very existence of your business may depend upon it.

More rules…

As noted above, the SSAE 18 rule, which went into effective May 1, 2017, sets many new standards for addressing counterparty vendor risk. Among those standards: SSAE 18 requires that controls be implemented at the service organization (a vendor) that monitors the effectiveness of controls at subservice organizations (a vendor’s critical vendors). Subservice organizations must now be monitored on an ongoing basis using the methods outlined in SSAE 18.

Institutions must concern themselves with managing their critical vendors, and make sure their vendors have management programs in place to monitor the third-parties that provide critical services so that the institution’s operational or financial statement risk are not subject to undue risk from unacceptable performance and that data security risk is minimized.

Many of the concepts reviewed in the following discussion of vendor risk assessment, due diligence, ongoing monitoring, and more, have applications for both critical vendors and a vendor’s critical vendors.

Assign an Owner to Your Vendor Risk Assessment is Vital

There are many vendor management checklists, software, and other tools that help institutions assess risk and follow required practices. Many of these are top-quality resources that provide excellent support, but you must consider that these current tools are not enough.

It is imperative to assign ownership of vendor management and risk assessment to a responsible compliance officer or another seasoned professional within your organization. Only an in-house owner of vendor management and oversight can ask and fully ascertain the answer to the ultimate question: What risks does this vendor pose to my company and my customers”  Cost should not be a consideration of to assign or not assign an owner.

Vendor Risk Matrix and Assessment

Since the risk potential is not the same for all types of vendors, an in-house owner (mentioned above) should perform a risk matrix assessing each vendor based on whether the service provided involves handling of client’s/member’s/customers’ non-public private information (NPI) or other highly confidential data and/or is considered a critical activity.  Additionally, if they are client’s/member’s/customers’ facing.

Each vendor should provide a risk profile using a three-tiered ranking system allows for an initial risk assessment upon which to determine the correct amount of oversight.

A common format is:

3 – High Risk. This segment encompasses vendors that provide critical services, have access to highly sensitive information, or provide a concentration of services.

2 – Moderate/Medium Risk. This segment includes vendors frequently used but not critical to continued functioning of the institution’s business. Vendors in this group may have access to NPI or other confidential information.

1– Low Risk. This includes non-critical vendors who do not pose a data or direct risk.

The reasons for determining each vendor’s risk tier must be documented. Once determinations are made a model of oversight is should be established.

How Important is Due diligence”

After assessing what the risks to the institution are then proper due diligence should be conducted as outlined in the institution’s internal policies and procedures. Among the other actions that need to be taken by the chosen owner are documenting and understanding the background of the vendor and its principal officers. The prior behavior and accomplishments of the vendor’s management are generally indicators of future and ethical management actions.

Owner should also obtain the suitable information and documents from the vendor. Verify evidence the vendor has all necessary licenses and adequate insurance coverage to conduct the activity. Consider a review of financial statements to ensure they have appropriate net worth and liquidity

Owner should evaluate critical vendor policies and procedures, along with the vendor’s internal controls. Policies and procedures should demonstrate that the vendor has a clear understanding of the rules and regulations governing the service(s) they are performing. Depending on the risk rating, a vendor should have policies and procedures that adequately address: information security, privacy, business continuity, resiliency, training of employees, and meeting performance standards and benchmarks. Much of the operational policies and procedures are tested in a SOC report.

Should also ensure that contracts for critical vendors ((High) and (Moderate) risk vendors clearly and thoroughly state the expectations for performance standards and compliance with applicable laws and regulations. Every institutions regulator has established a generally common set of guidelines for vendor contracts. These are particularly important for any high-risk relationship.

Monitoring Vendors

After assessments are considered the institution must establish controls and a procedure for monitoring vendors. To monitor vendor performance Some institutions have developed vendor request letters and even report cards to easily track performance. These report cards can reflect results of audits of actual performance to contractual or internal benchmarks and documentation of customer complaints regarding the vendor. Report cards can also be used to request updated documentation, such as insurance certificates, financial statements and licenses.

When working with clients it is encouraged that institutions to periodically conduct independent reviews of High risk vendors to make certain the vendor meets business continuity standards that includes disaster recovery and business continuity plans.  Owners should review whether the vendor conducted an annual documented test evidencing the vendor was successful in restoring their business operations. You may want to consider having a written succession plan in place to use in the event you must replace or supplement a mission critical vendor.

Handling Vendor Problems and Terminating Relationships”

You must act and be prepared to take immediate action when a vendor is out of compliance. In addition to the fact that the CFPB and state regulators expect prompt action as soon as any problems are identified, the reputational risk to your business can be very costly.

An institution should have procedures in place for addressing the concern with the vendor and requiring a written response to document their file. Documentation is key for all Federal and State regulators.  Some sort of remediation may also be necessary.  Many recent security breaches and cybersecurity data breaches have highlighted institutions underwent an incident and were totally unprepared with a common-sense approach to deal with consumers.

Bottom Line

Creating an effective vendor management program is not only about meeting regulatory requirements. If your critical vendors cannot meet service level agreements or do not operate in a compliant manner, they can create operational risk and reputational risk.