1. Do I have to evaluate ALL of my vendors?
The short answer to this question is YES. Understanding the risk each vendor poses to your operations is a best practice even if you're not in a highly regulated industry. All vendors must be assessed, risk-weighted and placed into the appropriate risk category. Only then can you determine the appropriate vendor management categories and associated procedures for managing vendor risk.
2. How do I evaluate the risk of each vendor?
One of the best sources of information regarding vendor risk evaluation comes from the OCC (Office of the Comptroller of the Currency). The OCC guideline on Vendor Management states that vendors should be evaluated using the following risk categories:
Compliance Risk
Compliance risk exists when products, services, or systems associated with third-party relationships are not properly reviewed for compliance or when the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures. Such risks also arise when a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service. Compliance risk may arise when a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights. Compliance risk may also arise when the third party does not adequately monitor and report transactions for suspicious activities to the bank under the BSA or OFAC. The potential for serious or frequent violations or noncompliance exists when a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones, when activities are further subcontracted, when activities are conducted in foreign countries, or when customer and employee data is transmitted to foreign countries.
Compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. Compliance failures by the third party could result in litigation or loss of business to the bank and damage to the bank’s reputation.
Reputation Risk
Third-party relationships that do not meet the expectations of the bank’s customers expose the bank to reputation risk. Poor service, frequent or prolonged service disruptions, significant or repetitive security lapses, inappropriate sales recommendations, and violations of consumer law and other law can result in litigation, loss of business to the bank, or negative perceptions in the marketplace. Publicity about adverse events surrounding the third parties also may increase the bank’s reputation risk. In addition, many of the products and services involved in franchising arrangements expose banks to higher reputation risks. Franchising the bank’s attributes often includes direct or subtle reference to the bank’s name. Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party. In some cases, however, it is not until something goes wrong with the third party’s products, services, or client relationships that it becomes apparent to the third party’s clients that the bank is involved or plays a role in the transactions. When a bank is offering products and services actually originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products and services and adequate oversight over the third party’s activities.
Strategic Risk
A bank is exposed to strategic risk if it uses third parties to conduct banking functions or offer products and services that are not compatible with the bank’s strategic goals, cannot be effectively monitored and managed by the bank, or do not provide an adequate return on investment. Strategic risk exists in a bank that uses third parties in an effort to remain competitive, increase earnings, or control expense without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the activity. Strategic risk also arises if management does not possess adequate expertise and experience to oversee properly the third-party relationship.
Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.
Credit Risk
Credit risk may arise when management has exercised ineffective due diligence and oversight of third parties that market or originate certain types of loans on the bank’s behalf, resulting in low-quality receivables and loans. Ineffective oversight of third parties can also result in poor account management, customer service, or collection activities. Likewise, where third parties solicit and refer customers, conduct underwriting analysis, or set up product programs on behalf of the bank, substantial credit risk may be transferred to the bank if the third party is unwilling or unable to fulfill its obligations.
Credit risk also may arise from country or sovereign exposure. To the extent that a bank engages a foreign-based third party, either directly or through subcontractors, the bank may expose itself to country risk.
3. What information should I collect during initial due diligence?
Initial due diligence should be performed on each vendor. The information collected should coincide with the risk profile each vendor presents to the bank or credit union, based on the functions they perform and the risk assessment of the individual vendors. More in-depth due diligence should be performed when a credit union vendor performs critical activities. The credit union should collect information to support the vendor's adherence to the following:
Strategies and Goals
Review the vendor’s overall business strategy and goals to ensure they do not conflict with those of the credit union. Also consider reviewing the vendor's service philosophies, quality initiatives, efficiency improvements, and employment policies and practices.
Financial Condition
Assess the vendor's financial condition, including reviews of the third party’s audited financial statements. Evaluate growth, earnings, pending litigation, unfunded liabilities, and other factors that may affect the third party’s overall financial stability. Depending on the significance of the relationship, the analysis may be as comprehensive as if extending credit to the third party.
Business Experience and Reputation
Assess the vendor's reputation, including any history of customer complaints or litigation. Review their websites and other marketing materials to ensure that statements and assertions are in line with the credit union's expectations and do not overstate or misrepresent activities and capabilities. Determine whether and how the vendor plans to use the bank’s name and reputation in marketing efforts.
4. What information should I monitor on an ongoing basis?
Ongoing monitoring for the duration of the vendor relationship is an essential component of the credit union's risk management process. More comprehensive monitoring is necessary when the third-party relationship involves critical activities. Because both the level and types of risks may change over the lifetime of vendor relationships, a bank should ensure that its ongoing monitoring adapts accordingly. This monitoring may result in changes to the frequency and types of required reports from the third party, including service-level agreement performance reports, audit reports, and control testing results.