Third-party relationship management: Beyond the regulations
Financial institutions often consider third-party relationship management nothing more than a compliance requirement, a box to check because “we know our vendors.” But technological change and market forces mean financial institutions are no long just managing well-known, long-term local suppliers. They are now interacting with more third-party vendors for products, software and hardware and are often outsourcing or co-sourcing critical functions due to lack of available local staffing or expertise.
So what do the regulators say? According to the Federal Financial Institutions Examination Council’s information technology examination handbook:
“Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”
FFIEC IT Examination Handbook
Beyond the regulatory requirement, it’s simply good business. Third-party relationship management (TPRM) truly protects the institution and its customers. The goal of TPRM is to confirm:
- The vendor is financially stable and capable of fulfilling the business need
- The vendor has appropriate safety, security and controls to protect the institution and its customers
- Risk is manageable and appropriate to the financial institution’s risk appetite
- Service levels and expenses are appropriate and in line with expectations
For TPRM to be effective, it must be more than a checklist. The rationale for the program and why it matters need to be understood by those that select and manage vendors for the institution. Beyond the risk element, cost savings are often achieved by increasing accountability, consolidating vendors and increasing visibility to issues early in a relationship.
How do you start?
Assign an owner for the TPRM program. This person will confirm that the program meets the institution’s policy that all vendors are included and rated, and that necessary information concerning each vendor is maintained.
Start by understanding the scope of the program. Inventory current vendors, identify relationship owners and gather information about all vendors, including contracts, services performed and financial information.
With that information gathered, determine how the program will look going forward. Questions to consider include:
- From a people perspective, who should own the relationship and should the process be centralized?
- From a technology perspective, do you need a software solution to manage TPRM? Will it streamline the current process? Create automation? Increase visibility and accountability?
- From a process perspective, how are vendors selected? How are payments approved? What factors determine risk level and ensure proper controls are in place? Where are there handoffs in the process? How frequently do they need to be reviewed?
TPRM should be a cycle that continually evolves but there are five steps that are typical and should be considered when selecting and managing a third-party vendor.
Building a successful relationship with a third-party requires trust on both sides. Trust begins by clearly defining and understanding your internal requirements and risks prior to involving a third party. When selecting a third-party vendor, product or service:
- Determine the owner of the project, product or service
- Involve all stakeholders or subject matter expects that will be affected by the vendor
- Build selection requirements including a weight assignment
- Develop a list of third-party providers to which the specifications will be presented
- Develop and issue a request for information or proposal
- Present requirements to the third-party providers
Understanding your needs and requirements in advance is an important first step.
Due diligence determines how bids and qualifications are evaluated and how third-parties are selected. An important step in this process is to understand the types of risk each third party presents to the financial institution. Risks to consider include:
- Transactional and operational
- Regulatory compliance
Following identification of the possible risks, the financial institution must prioritize those risks and determine how each risk should be mitigated
The latest FFIEC and Office of the Comptroller of the Currency (OCC) guidance highlights the importance of understanding risks in in the context of both the third party itself and the goods or services that party delivers. If your relationship with a third party goes badly, how will it affect your financial institution’s business strategy, operations and reputation? The FFIEC has provided a third-party due diligence checklist that can be utilized as a guide to develop the appropriate questions.
Due diligence is not a one-and-done activity. Tracking financial viability, performance and risk factors for third parties should be an ongoing process. The frequency and intensity of ongoing due diligence efforts should be driven by the type and level of risk each third party presents. Finally, be sure to conduct a full due diligence review before contracts are renewed based on the level of risk assigned to the third party.
Contracts formalize the relationship, protect the financial institution, set a common understanding and confirm that needs will be met for the life of the agreement. The contract outlines and defines how the financial institution will interact with the vendor. It should include service level agreements, which will be important as part of the monitoring stage.
As part of your TPRM program:
- Develop a procedure based on dollar size (both of the contract and the vendor aggregate relationship) that outlines who can submit a contract and outlines the subsequent approval process.
- Develop triggers to remind approvers of deadlines for review of contract and escalation should an approver not be available.
- Establish workflow to confirm new vendors and contracts are added to the system.
Ensuring that third parties conform to your contracts is also vital to your TPRM effort. Following are some common reasons why TPRM programs often fall short in preventing or detecting contract compliance:
- Contracts are not centrally located and tracked
- Employees may not have the underlying contract or all corresponding amendments
- Intimate knowledge of third-party existence and activities are limited to comparatively few employees
- Nuances between similar agreements with other third-parties are not understood
- Clear ownership for monitoring activities does not exist and the monitoring activities are ad hoc and manual
- Lack of formal process to assess changes in the third-parties financial institution
- Notifications of non-compliance are not identified as the issues arise
If all steps are performed above and the TPRM program clearly outlines the review process, then much of the risk should be mitigated.
If there are ongoing issues that can’t be resolved, termination may be inevitable. Termination may happen due to the natural completion of the reason the third party is retained, a breach in contract terms, a merger or acquisition, assignment or if the third-party goes out of business.
Termination of a third-party relationship raises its own risk issues, including:
- Treatment of confidential data that the third party maintains, or to which it has access
- Reputational risk
- Disruption of operations
- Monetary considerations
Effective TPRM plans help to offset these risks. Clearly define termination parameters and responsibilities in the contracting phase and have an effective transition plan to help guard against termination risks.
TPRM is an ongoing cycle that continues throughout the life of your vendor relationships. It should extend beyond just meeting regulatory requirements. TPRM should:
- Clearly define your needs
- Establish due diligence to evaluate and qualify vendors
- Include contracting procedures that protect your financial institution
- Provide for ongoing monitoring of third-party relationships
- Define termination procedures to mitigate end-of-relationship risks
Taking these steps will reduce risks for your financial institution and customers.