BankThink

Business lines must own their third-party risk management

Managing vendor relationships effectively is both a business necessity and a regulatory imperative, whether a financial services company has hundreds of vendors or thousands. Companies pay a steep price when vendors make mistakes that harm customers. Vendor arrangements that lead to unsecured data, improper marketing or debt collection practices, or other breaches of customer trust can result in enforcement actions, hefty fines and loss of business.

The stakes have risen in recent years as regulators have elevated their expectations. Enforcement actions have included seven-figure restitution orders and fines for third-party involvement in the sale of add-on products in the credit card space.

The message to banks is loud and clear: A vendor’s mistake is your mistake. You can outsource a function, but not the responsibility for any mishaps. Regulators expect bankers to clearly define the roles of the first, second and third lines of defense in managing third-party relationships. Third-party oversight now shows up in virtually every supervisory exam regardless of the line of business, and the MRAs (matters requiring attention) that follow a weak showing are costly to administer and remediate.

Regulators have also been clear that accountability for vendor mishaps, like accountability for all risks, cannot fall solely on a bank’s compliance, risk management and internal audit groups. Business department heads must form the first line of defense, with risk management and compliance serving as the second line and internal audit as the third.

But the problem is that most business line managers are not trained to identify such risks. First-line employees who excel in commercial lending, mortgage underwriting, retail banking or other parts of the business may have little background in negotiating complex vendor contracts or in monitoring the relationship once it is in place.

They are often required to learn the ins and outs of vendor management as they go. At a time when regulators’ tolerance for error is waning, that leaves line-of-business and department heads exposed. Large mistakes stemming from poor oversight of a third-party provider can yield unwanted headlines, creating reputational risk for the institution and ultimately jeopardizing the careers of the bankers deemed responsible.

Here are some steps that business or department heads at community and midtier banks can take to improve their third-party vendor oversight and reduce their heightened supervisory risk.

Organize contracts

Contracts with a vendor the bank has used for a long time have a way of falling through the cracks, often because the people who negotiated them have moved into a different role or have left the institution. A new department head should make it a priority, within the first 90 days, to get a handle on every vendor contract within his or her area of responsibility: the service-level agreements, terms, fee and compensation arrangements, and renewal and cancellation provisions. You cannot manage contracts that you cannot see. Every financial services firm should keep a central repository of contracts.

Don’t be an island in managing vendor relationships

Business line managers should not act as a lone ranger when it comes to third-party oversight. They should involve the bank’s risk management, compliance, legal and audit teams when selecting vendors, conducting due diligence and negotiating contracts.

In other words, make colleagues part of the party planning, not the cleanup crew. Nothing will frustrate them more than learning that you have signed a contract to deliver a new service and begun implementing it without telling the departments whose perspective on the process is most valuable.

Kick the tires

Regular on-site visits to vendors that provide critical services are highly advisable. Examiners are pressing banks to document how they monitor vendors, including what questions they ask and what checklists they use during a visit.

Be disciplined about the use of time on site, and communicate a clear agenda for the visit to the vendor beforehand. Consider rotating through a set of topics over the course of the year. Developing a site-visit questionnaire and sharing it with your examiners is a good way to validate that you are asking the right questions.

Acknowledge different viewpoints within a bank

Business and department heads think about third-party relationships differently than their colleagues in compliance and audit. First-line managers are preoccupied with business plans and goals, and tend to see risk as one piece of a bigger picture. Compliance and audit, in contrast, concentrate on risk and governance; it is their job to stay detached from the business plans and goals that preoccupy first-line managers. Recognizing that these different perspectives exist makes honest communication easier.

There is no doubt that managing third-party relationships, and the risks that come with them, is a tall order for those focused on the institution’s business lines. But with focus, planning and support from top management, this “first line of defense” can provide the oversight needed to ensure that vendor practices are aligned with regulatory expectations.
