Assessing the risks of third party providers
Outsourcing is an increasingly popular and cost-effective practice among financial institutions. Third-party vendors offer short-term access to specialty services that would otherwise be cost-prohibitive to perform internally. They range from noncritical personnel like rug installers, plumbers and editorial consultants to highly critical providers like network support staff, data processors and website developers. There has also been a clear trend toward offshoring technology services to reduce cost. Because of the financial advantage it offers, outsourcing has grown substantially in recent years, even for the most critical tasks on which the financial institution's operation depends.
Yet the use of third-party vendors also exposes the financial institution to a wide range of risks, the most significant of which are legal, financial, compliance, operational and reputational. A financial institution can transfer a task to a third party, but it can never transfer the responsibility or liability for that task.
Easy to understand, hard to achieve
All financial institutions understand these clear and unambiguous precepts. They know that outsourcing of critical tasks requires a concurrent focus on vendor management, including regular vetting, monitoring and tracking. Yet at some institutions, vendor management practices have not caught up with the reality of today's outsourcing risks, and vendor tracking procedures remain elementary. That is probably because third-party risks have evolved much faster (think of the recent spate of bank hacking episodes) than the vendor risk management programs meant to address them.
Thus, the challenge for financial institutions is to restructure their vendor management programs to meet the ever-evolving risks facing both them and their third-party vendors. Hackers and other corporate thieves are skilled at finding the vulnerabilities of commercial enterprises and have evidently recognized that third-party vendors are a weak spot for many organizations. A vendor that physically or electronically holds a financial institution's sensitive data is a golden opportunity for theft of every kind.
Compliance poses a major risk
In addition to the growing sophistication of hackers, other trends support the need for more aggressive vendor management. One is the body of government regulation that raises the requirements for customer data privacy and security. Regulators have made clear that they want financial institutions to engage in proactive and ongoing vendor management. Federal Financial Institutions Examination Council (FFIEC) guidance, the Gramm–Leach–Bliley Act of 1999 and Federal Deposit Insurance Corporation (FDIC) rules each impose significant requirements, backed by penalties, for the protection of consumer data. As a consequence, examiners can be expected to ask more probing questions in the future, making third-party regulatory compliance all the more critical.
What is a critical vendor?
Financial institutions typically have many third party vendors. But which of these are critical vendors? Not all vendors need to be managed for compliance or legal risks. The vendor that maintains the water coolers doesn’t carry the same risk to the financial institution as does its network support provider. Yet when facing a database of many vendors, many financial institutions struggle to identify which of them are critical to their operation, and thus need to be risk-rated and risk-managed more effectively.
A customary practice in some organizations is to actively manage IT vendors but not the low-tech ones (e.g., the coffee service), which may be perceived as posing no risk to the organization. This is true in some cases but not in others. Some low-tech vendors carry as much risk to the financial institution as its high-tech vendors do. Paper shredding and disposal services, for example, may be low tech, but when the shredding vendor doesn't follow procedure and allows shredded product development diagrams to blow away in the wind, you have a critical vendor whose practices need monitoring.
So rather than focusing on the high or low tech issue, the better questions to ask are: which vendor is material to the financial institution’s operation? Could the financial institution do its everyday business without it? Keep in mind that a vendor is considered anyone who is not an employee; this means that consultants are included, whether they work within or outside of the company. Under these parameters, the universe of vendors needing risk management grows significantly.
Yet even within this subset of vendors, financial institutions will find different levels of risk. The accidental loss of personnel papers by a copier service, although potentially harmful, does not pose the same level of risk as the financial institution's website going down because of errors by its internet hosting provider. Critical vendors therefore need to be rated by type and level of risk so that they can be appropriately managed and monitored.
The financial institution should ask whether the vendor:
- Has access to sensitive, non-public customer information?
- Has such a significant impact on operations that the financial institution’s business would be interrupted without it?
- Provides a core service upon which the financial institution runs?
- Controls or could strongly affect the financial institution’s ability to generate revenues?
- Performs a service that has no backup or alternative provider?
FDIC criteria for vendor evaluation
The FDIC recommends that vendors be analyzed in terms of the following evaluation criteria:
- Financial condition
- Business reputation
- Strategies and goals
- Complaints, regulatory actions or litigation
- Ability to perform using current systems
- Use of subcontractors
- Scope of controls, privacy protections and audit coverage
- Business continuity plans
- Knowledge of consumer protection laws and regulations
- Management information systems
- Insurance coverage
The Seven Deadly Risks
A helpful guide is the FDIC's Guidance for Managing Third-Party Risk (FIL-44-2008), which identifies seven types of risk associated with third-party vendors and offers further guidance on managing them. Briefly, here are excerpts from this document about each risk:
- Strategic risk. The use of a third party to perform banking functions or to offer products or services that do not help the financial institution achieve corporate strategic goals and provide an adequate return on investment exposes the financial institution to strategic risk.
- Reputation risk. Third-party relationships that result in dissatisfied customers, interactions not consistent with institution policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of law and regulation are all examples that could harm the reputation and standing of the financial institution in the community it serves.
- Operational risk. Third-party relationships often integrate the internal processes of other organizations with the bank’s processes and can increase the overall operational complexity.
- Transaction risk. A third party's failure to perform as expected by customers or the financial institution due to reasons such as inadequate capacity, technological failure, human error, or fraud, exposes the institution to transaction risk.
- Credit risk. Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed. The basic form of credit risk involves the financial condition of the third party itself.
- Compliance risk. Compliance risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards. For example, some third parties may engage in product marketing practices that are deceptive in violation of Section 5 of the Federal Trade Commission Act, or lending practices that are discriminatory in violation of the Equal Credit Opportunity Act and the Federal Reserve Board's Regulation B.
- Other risks. In addition to the risks described above, third-party relationships may also subject the financial institution to liquidity, interest rate, price, foreign currency translation and country risks.
Planning a vendor management program
Planning is the first step on the road to effective supervision of vendors. According to FDIC FIL-44-2008, there are four elements to managing third-party risk:
- Risk assessment
- Due diligence
- Contract structuring
- Oversight
The goal of planning is to develop a strategy to manage each vendor according to its risk rating. Planning requires gathering, organizing and analyzing current information about the vendor. Once that information is in hand, the vendor's current and potential risks should be assessed, with special attention to its financial condition and management quality. Most important of all is the establishment of an ongoing review process. All high-risk vendors should be subject to an annual due diligence review. Periodic risk reviews also should be done throughout the year; how many reviews, and in what depth, will depend on the vendor's risk rating.
In October 2012, the FFIEC released an update of the Implementation of Interagency Programs for the Supervision of Technology Service Providers, its administrative guidelines for examinations. The FFIEC has also issued a revised Information Technology Examination Handbook booklet on the Supervision of Technology Service Providers, which addresses the supervision of third-party servicers that enter into contracts with financial institutions.
The National Credit Union Administration does not have independent regulatory authority over third-party service providers. The use of such providers by credit unions is supervised through the FFIEC's interagency programs.
For more information
For more information or assistance with this topic, please contact Loras Even, principal, McGladrey LLP, at 319.274.8541, or at Loras.Even@McGladreyus.com, or Carla Brinker, manager, McGladrey LLP, at 319.274.8540 or at Carla.Brinker@McGladreyus.com.