7 Best Practices for Vendor Management for Banks
Vendors play an important role in businesses today, especially in the financial services industry. Banks rely heavily on third-party service providers to offer specialized consulting expertise, process transactions, improve quality, reduce costs, implement controls, and sharpen management’s focus on core business functions and objectives. In order to perform these services, vendors often have access to sensitive information, including customers’ personally identifiable information.
In recent years, cybercriminals have started to target and exploit vulnerabilities in third-party service providers instead of directly attacking their ultimate targets (i.e., financial institutions or companies). Some of the major security breaches over the past couple of years that have been linked to those companies' third-party vendors include Target, Goodwill, Lowe's, and AutoNation.
Therefore, it’s important for all businesses, including banks, to strengthen their vendor management programs to safeguard the confidentiality, integrity, and availability of the data, and minimize the impact if a data breach occurs.
Why is vendor management important for banks?
For most large companies, and especially financial institutions, avoiding third-party service providers may not be an option. Service providers perform many key functions that can be critical to an organization. A vendor management program can help a bank mitigate the risks inherent in these relationships.
The risks associated with third-party relationships include: operational risk, transaction risk, reputation risk, credit risk, interest rate risk, compliance risk, liquidity risk, and strategic risk. If proper vendor management controls are not in place or are not operating effectively, banks can potentially be exposed to loss of funds, loss of competitive advantage, reputational damage, improper disclosure of information, and regulatory action.
Considerations for a vendor management program
Banks should consider adopting a risk management program for all vendors (IT and non-IT), proportionate to the level of risk each vendor presents, in order to identify those risks and take the steps necessary to manage those relationships.
Generally, a vendor management program should include the following components:
- Risk assessment: A strong vendor management program starts by listing all vendors that conduct business with the bank and ranking each vendor according to its criticality/risk (access to critical data, operational activities, etc.).
- Due Diligence: After the risk assessment is completed, the bank should perform due diligence for critical/significant vendors identified during the assessment. Due diligence should include: reviewing and assessing the vendor’s financial condition and reputation, familiarity with banking regulations, background of company principals, information security controls in place, resilience, etc.
- Ongoing Monitoring: Financial institutions should continually monitor relationships with vendors by performing activities such as reviewing service level agreements and comparing them with actual performance; assigning staff with the necessary expertise to oversee and monitor vendors; reviewing the general controls environment of the vendor through onsite visits to the vendor’s facilities and reviewing audit reports such as SSAE16/SOC; and engaging a qualified, independent third-party to regularly test the bank’s controls to manage risks from vendors.
- Proper documentation and reporting: Banks should retain proper documentation to facilitate the accountability and monitoring of the vendor management program. That documentation may include: a current inventory of vendors (IT and non-IT), due diligence results, contracts, risk management reports, reports to the board of directors, and independent review reports.
- Contracts: For data security reasons, banks should store a copy of vendor contracts off-site. Based on OCC Bulletin 2013-29, contracts should generally address the following: nature and scope of services, duration of the contract, the right to audit, cost, confidentiality and integrity, and contingency plans.
- Procedures for terminating relationship: Banks should also have processes in place regarding the transition or discontinuation of vendor activities when a relationship with a vendor ends.
- Nondisclosure/Confidentiality agreements: Lastly, it's important to have written nondisclosure/confidentiality agreements with vendors, especially if the vendor has access to the bank's critical data in any form (written, verbal, or electronic). Vendors who fall into this category may include security guards, cleaning services, and contractors who have unsupervised access to the bank's facilities where critical data can be obtained.
How can we help?
Banks can engage qualified accounting and consulting firms such as Kaufman Rossin to obtain the expertise needed to manage the risk of engaging with vendors. Kaufman Rossin can help banks with the following:
- Assisting the bank in enhancing its compliance program to manage regulatory compliance risks
- Assisting in the application of a consistent risk assessment across the bank
- Identifying significant vendors from a risk management perspective
- Developing and testing the operating effectiveness of key controls related to third-party vendor management, such as remote access, physical access, etc.
- Assisting in the development of corrective actions to remediate control issues and gaps
- Reviewing SSAE16 reports from vendors
If not managed properly, relationships with vendors can lead to negative consequences such as financial penalties, loss of credibility, and regulatory enforcement actions; however, these relationships can also be important to a bank’s success. Developing, implementing, and maintaining a strong and sound risk management program can help financial institutions to mitigate the risks related to engaging with third-party service providers.