Changing technology combined with increased regulatory and financial reporting demands have led to banks placing more reliance than ever on outside vendors for various services. While outsourcing certain functions to third parties has brought efficiency and innovation to service delivery, the practice reduces the bank’s control over those functions. Management has the same responsibility to oversee the services as if the bank were performing the activity itself, opening banks up to operational, compliance, and strategic risks that must be managed.
In response to this increased focus on vendor management practices the Federal Reserve Board, the FDIC, and the OCC (collectively, the Agencies) came together in May 2024 to issue Third Party Risk Management: A Guide for Community Banks (the Guide). The Guide is a resource that assists banks in developing and implementing third-party risk management practices in accordance with the Interagency Guidance on Third Party Relationships: Risk Management, that was issued by the Agencies last year.
The Guide offers various practical examples that can be used when designing third-party risk management policies. Resources that banks may find valuable include a list of questions and concepts to consider at each stage of the vendor management process and examples of documents and information to obtain from vendors during the process.
The Guide focuses on five key elements of sound vendor management: planning, due diligence, contract negotiation, ongoing monitoring, and termination of the vendor relationship.
Planning
As part of the planning stage a bank evaluates how to manage risks before entering into a third party relationship. Considerations include an awareness of the bank and third party’s respective roles in the activities, legal and compliance requirements, financial implications, information security, and how the third-party technology will integrate with the bank’s existing applications.
Due Diligence
During the due diligence process management obtains information from the vendor to assess their ability to perform the desired activity, adhere to bank policies, comply with laws and regulations, and conduct the activity in a safe and sound manner with the goal of selecting capable and reliable vendors.
Contract Negotiation
Vendor contracts should facilitate effective risk management and oversight and clearly specify the expectations and obligations of both parties. At this point in the process it is crucial to understand any limitations on the bank that may result in risk exposure if there is limited negotiating power.
Ongoing Monitoring
Monitoring throughout the contract term allows management to evaluate a third party’s ability to perform as required under the agreement. Information gathered during the monitoring process can be valuable in adjusting the bank’s risk management practices. Examples of vendor issues that may indicate an increased risk to a bank’s operations or data include control deficiencies, repeat audit findings, security breaches, data loss, and service interruptions.
Termination
Vendor relationships may be terminated for a variety of reasons, such as failure to perform under the contract, cost reduction efforts, a decision to bring the activity in-house, or simply expiration of the contract term. Regardless of the reason for termination it is important to minimize the impact on the bank’s critical activities. Understanding the impact termination will have on the bank’s operations, compliance, customer experience, and access to systems and data will help to efficiently manage the transition.
For additional details on developing and implementing third-party risk management practices consult the Agencies’ Guide, Third Party Risk Management: A Guide for Community Banks.
Suttle & Stalnaker, PLLC is ready to help. If you would like more information on how this applies to you, contact Kelly Shafer, CPA at kshafer@suttlecpas.com or 304.343.4126.