Vendor Risk Management
Financial institutions are increasingly relying on third-party vendors to perform vital functions. While beneficial in many ways, outsourcing presents various risks. This article discusses these risks and best practices to mitigate them. The article first reviews the types of services and arrangements a financial institution can obtain from a vendor and the risks presented, while the balance of the article discusses best practices for managing outsourcing arrangements.
VENDOR ARRANGEMENTS AND THE ASSOCIATED RISKS
Financial institutions frequently use third-party vendors to reduce costs, enhance performance, and obtain access to specific expertise.1 Examples include outsourcing audits, compliance reviews, disclosure preparation, data processing, and website development. Financial institutions also use third-party vendors to offer products directly to customers. It is important to emphasize, however, that while day-to-day management of a product or service can be transferred to a third party, ultimate responsibility for all compliance requirements cannot be delegated and remains with the financial institution. Thus, institutions should recognize that using vendors involves significant compliance risk.
The use of third-party vendors presents several other risks, the most prominent of which are legal, operational, and reputational.2
Legal Risk: The primary legal risk is that a vendor's operation does not comply with consumer protection laws and regulations. Because of the number of complex laws and regulations, the risk of noncompliance has increased significantly. Consequently, financial institutions should be especially vigilant in identifying, assessing, monitoring, and mitigating this risk. For example, in 2010 a regulator filed separate enforcement actions against three banks, charging them with violating the Federal Trade Commission Act by engaging in deceptive practices in connection with credit card offers for the transfer and payment of charged-off consumer debt. The banks retained third-party vendors to help administer and market the balance transfer offer programs. The enforcement actions contained specific provisions requiring close oversight of third parties. Each bank was ordered to pay restitution and/or a civil money penalty, which collectively totaled over $4 million.
Another legal risk involves legally binding contracts of a fixed duration. If business needs change because of intervening events, “there is a risk that financial institutions may be locked into agreements that reflect outdated business realities. The contractual basis of outsourcing coupled with this intrinsic business uncertainty contributes to legal risk.”3
Reputational Risk: A vendor's noncompliance with consumer laws and regulations creates reputational risk for a financial institution, including the possibility of a public enforcement action by the institution's regulators, class action lawsuits, and negative publicity.
Operational Risk: This is the risk that a vendor's operational system does not perform properly and negatively affects customers. For example, suppose a financial institution retains a vendor to determine whether loans secured by a building or a mobile home are located in a special flood hazard area, for purposes of complying with the flood insurance requirements of Regulation H. If the vendor fails to regularly update its database of special flood hazard areas and violations of Regulation H result, the institution could be cited by its regulator and subject to civil money penalties.
RISK MITIGATION
Financial institutions that outsource a service or product must adopt appropriate controls, policies and procedures, and oversight to mitigate outsourcing risks effectively. Institutions should focus on five key areas for effective risk mitigation: vendor selection, vendor contract, vendor management and monitoring, human resource management, and contingency planning.4
Vendor Selection
Conducting proper due diligence in selecting a vendor is a critical aspect of vendor risk management. Important due diligence steps include:
- asking the vendor to provide references (particularly ones from other financial institutions) to determine satisfaction with the vendor's performance;
- asking questions about the vendor's data backup system, continuity and contingency plans, and management information systems;
- researching the background, qualifications, and reputations of the vendor's principals;
- determining how long the vendor has been providing the service;
- assessing the vendor's reputation, including lawsuits filed against it; and
- obtaining audited financial statements to check the vendor's financial health.
Some financial institutions prefer to use other financial institutions for outsourcing because they are already familiar with the business. Regardless, financial institutions should ensure that qualified vendors are chosen after the appropriate level of due diligence is conducted.
Vendor Contract
The contract between the financial institution and the vendor is another key factor in mitigating risk because it dictates legally binding terms and conditions. Financial institutions should engage experienced counsel to ensure that their interests are protected and that contingencies are considered, such as the effect of regulatory changes on the vendor's obligations and performance. The contract should also articulate the mutual expectations of both parties. Articulating expectations in the contract is important because if expectations are not adequately communicated and problems arise, each side will typically blame the other.
Some of the issues to be addressed in the contract include:5
- scope of outsourced services;
- terms of the agreement;
- written procedures;
- minimum service levels, including any ancillary services to be provided;
- payment schedules;
- incentives to align interests of the service provider and financial institution;
- right to retain other third parties;
- approval required for vendor's use of subcontractors;
- right to conduct audits and/or accept third-party reviews of the vendor's operations;
- retained ownership and confidentiality of data shared with service provider;
- warranties, liability, and disclaimers;
- dispute resolution mechanisms, including service levels to be provided during the dispute, escalation procedures, and arbitration;
- human resource issues (e.g., whether vendor will hire staff whose function is being outsourced);
- contingency and business recovery plans;
- insurance coverage;
- default and termination — identifying what constitutes default, cure, remedies, and termination;
- customer complaints and who is responsible for responding to them; and
- force majeure, or “act of God” events.
Given their significance and length, outsourcing contracts must be drafted carefully. “[E]rrors or poor execution can have major implications by locking an institution into a contractual relationship that does not meet [its] needs.”6
Vendor Management and Monitoring
After the vendor has been selected and the contract signed, it is important to manage and monitor the relationship. Senior management should be involved in approving policies and procedures to monitor the vendor's performance and activities. Performance monitoring controls include:
- ensuring that the vendor is complying with consumer protection laws and regulations;
- analyzing the vendor's financial condition and performing on-site quality assurance reviews periodically;
- reviewing metrics regularly for the vendor's performance relative to service level agreements;
- reviewing customer complaints for services or products handled by the vendor and conducting anonymous testing if applicable (mystery shopper);
- assessing whether contract terms are being complied with;
- testing the vendor's business contingency planning;
- evaluating adequacy of the vendor's training to its employees; and
- meeting with the vendor periodically to review contract performance and operational issues.
Human Resources Management
A financial institution's decision to outsource certain functions can create operational risk because of the effect of the announcement on the institution's staff whose job functions will be affected: “These concerns impact staff in both the affected and unaffected business units and are, at the very least, a distraction that may result in errors and productivity losses. More seriously, they can wound employee morale and lead to loss of desirable or key employees. In extreme cases, institutions fear misconduct or retaliatory behavior.”7
To mitigate this risk, the Human Resources Department should be consulted early in the process to ensure that appropriate outreach is made to affected employees. In addition, the vendor contract should specifically address whether the vendor is required to hire staff whose job functions are being outsourced and, if so, their compensation and term of employment. Timely communications are very important so that staff are kept apprised and their concerns addressed. In addition, if the financial institution does not want to transfer staff, it has to adopt contingency plans in the event its staff members are recruited by the third-party vendor.
Contingency Planning
While outsourcing can be beneficial, it creates the risk that a disruption of the vendor's operations will interrupt the services the vendor provides to the financial institution. To mitigate this risk, financial institutions must ensure that the vendor has a prudent business recovery plan in place that is reviewed on an ongoing basis.
A contingency plan must be established to address the risk that the vendor may not perform satisfactorily: “In the face of unsatisfactory responsiveness, an institution's options include changing service providers, returning the activity to the institution, or sometimes even exiting the business.”8 These options are costly and problematic and are usually taken only as a last measure after the institution has first made reasonable efforts to resolve the issues with the vendor.
Another mitigant against the risk of unsatisfactory performance is to start the vendor with a small contract to test its performance before outsourcing the entire function. If the vendor performs satisfactorily during the test period, the contract can be expanded to outsource the entire function.
CONCLUSION
When an institution outsources a function subject to consumer compliance requirements, the ultimate responsibility for compliance cannot be delegated and remains with the institution. While vendor arrangements can provide valuable benefits to a financial institution, they require an active role to manage risk and achieve success. It starts with selecting a good vendor whose skills and competencies match up well with the bank's needs. Financial institutions must exercise due diligence throughout the vendor-selection process. Signing a contract with a vendor is not the end of the process but the point at which risk mitigation begins. Specific issues and questions about consumer compliance matters should be raised with the appropriate contact at your Reserve Bank or with your primary regulator.
- 1 Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks, Federal Reserve Bank of New York, October 1999, p. 5, available online.
- 2 Federal Reserve Bank of New York (1999), p. 6. See also Federal Reserve SR Letter 95-51 for a discussion of risk management, which is available online.
- 3 See Federal Reserve Bank of New York (1999), p. 6.
- 4 See Federal Reserve Bank of New York (1999), p. 7.
- 5 See Federal Reserve Bank of New York (1999), p. 15.
- 6 See Federal Reserve Bank of New York (1999), p. 15.
- 7 See Federal Reserve Bank of New York (1999), p. 16.
- 8 See Federal Reserve Bank of New York (1999), p. 18.