March 2, 2017
Outsourcing business functions has become an accepted approach to improving revenue and creating new business opportunities for companies in all industries; banks are no exception. Banks and other businesses around the world use outsourcing for functions unrelated to their core business, including payroll processing, human resources, accounting, data hosting, compliance, customer support, security, building maintenance, IT management and even internal audit activities. Outsourcers can often do the work at a fraction of the cost of what an internal department would cost.
In the last 10 years, the regulatory environment and consumer expectations for a personalized, connected experience in an increasingly mobile and social world have become new challenges that companies manage through an outsourcing business model. Third-party solutions are common as technology outsourcing has grown beyond server and data center hosting to include private and public cloud computing, application development, software and network management, user support, and more. Banks outsource the mortgage application process; insurance providers outsource claims management. While business growth and regulatory compliance are perhaps the two most critical business drivers behind a financial service firm's decision to outsource, the outsourcing solution itself creates a risk that must be managed and regulatory requirements that must be met.
Management of third-party service provider relationships has been a regulatory issue as far back as the FDIC's Bank Service Company Act. The Gramm-Leach-Bliley Act, a federal law enacted in 1999 to control the ways that financial institutions handle the private information of individuals, calls for banking institutions to exercise appropriate due diligence in selecting service providers, requires service providers to implement appropriate security measures and requires monitoring of service providers by established means (audits, test results) to confirm security obligations have been satisfied.
Recent well-publicized security breaches have brought vendor management to the forefront, and banking regulators continue to issue bulletins re-emphasizing best practices.
Any third party, especially one that provides services that affect consumers, exposes a bank or other financial institution to additional regulatory risk. Comptroller of the Currency Thomas Curry has said that ensuring due diligence and ongoing risk assessments of all third parties must be a part of every banking institution's vendor management program. Just as a bank must ensure its own operations comply with the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB) and other regulations, it now also must ensure its vendors meet these same standards.
Vendor management and vendor due diligence are the means for accomplishing this task. Vendor management is a general phrase used to describe the overall process but may also be applied to describing the activities for assessing existing third-party relationships. Vendor due diligence is generally the process of assessing new or prospective third parties.
The process for critically assessing the risks with third-party services begins with establishing a vendor management policy that is approved annually by the board of directors. This policy should include several key sections, specifically addressing the different types of sensitive information to be protected and where that information is stored.
The vendor management policy should define critical and non-critical vendors. All existing vendors should be assessed, including information technology and operational service providers. Running an accounts payable listing is one method often used to identify current service providers; however, it should be noted that the amount paid annually does not necessarily reflect the risk level presented by the vendor, particularly if sensitive data are involved. For example, a health insurance broker with access to personally identifiable information (PII) who is paid $10,000 annually would present a larger risk than a building security firm paid $100,000 annually. When evaluating risk, the focus must be on what information the service provider has access to versus the functional support provided by the third party. An information breach by even the smallest vendor may severely damage the bank's reputation and cause harm to its customers.
Documenting and Evaluating Vendors
A vendor management policy should provide direction on the frequency for re-evaluating existing third-party relationships, the responsible parties for approving internal vendor assessments and key individuals responsible for completing the documentation required for vendor assessments.
For both new and existing vendor relationships, management should obtain relevant financial information in the form of tax returns or financial statements, evidence of financial responsibility through insurance coverages and associated policies, and service organization control (SOC) reports. The responsibility for compiling the documentation and ensuring its appropriate completion should be assigned to a single individual; however, that individual may play a very small role in the actual completion of the required documents. For example, the controller may be responsible for compiling all of the information but may delegate responsibilities so that the review of vendor financial information is sent to the CFO. The review of vendor insurance coverages and policies often rests with the legal department, and the review of SOC reports may be passed on to someone in the accounting department or another individual with strong knowledge for the purpose, types and content of a SOC report.
Each of the respective vendor reviewers is responsible for documenting the risks identified with the vendor and the service to be provided. Knowing who will be responsible for completing the documentation determines how management standardizes the vendor assessment forms and documentation requirements. Generally, the risks, the mitigating controls in place (e.g., SOC reports, insurance policies) and the risk to be accepted should all be documented in as much detail as possible prior to accepting a new vendor or continuing an existing relationship. The vendor assessment documentation should clearly address why the vendor is deemed to be a critical or non-critical vendor, who the primary third-party contacts are, what sensitive information the vendor has or will have access to, the information technology systems involved and the results of the vendor's most recent SOC report.
Vendor management policies should also include information on insurance coverage. Vendors that have access to personal data should have cyber insurance policies that include cyber liability and data breach expenses. Third parties who are on site should have general liability coverage (at a minimum). Contracts should be reviewed periodically to ensure they include insurance requirements, indemnifications and "hold harmless" language.
Managing the Process
The process of documenting vendor assessments can quickly become flooded with supporting documentation and management's effort to write narratives regarding the acceptance or denial of a vendor relationship. Coordinating the process is a key element of a successful vendor management program and is best done by centralizing the monitoring and responsibility for the program by digitizing vendor documentation and internal assessment forms, including management approvals. Delegating responsibilities for assessing vendor financials, information technology systems and legal documentation to appropriate persons within the organization is crucial to the vendor management program and ensures a companywide approach to vendor acceptance. The amount of resources dedicated to monitoring activities should align with the relative risk the vendors pose to your organization. Once the materials are gathered, don't just file them away — they should be reviewed periodically throughout the lifetime of the contract.