Risk scoring. On-site visits. Regular monitoring. The work that goes into managing relationships with suppliers is about to increase significantly, as regulators start forcing banks to keep closer tabs on the vendors they flag as being "critical" to their business.
In the context of recent cyberattacks and the massive credit-card data breach at Target during last year"s holiday shopping season, the extra oversight makes perfectly good sense. But many bank executives are left struggling with a basic question: How do I know if a vendor is critical? On this, the regulators have left much open to interpretation.
Guidance from the Office of the Comptroller of the Currency defines critical activities as significant bank functions or shared services, such as internal audit and information technology. Also in the "critical" category are activities that could cause a bank to face risk if the third party fails to meet expectations, that could adversely impact bank customers, or that could damage bank operations if the bank has to find another vendor (or bring the function in-house).
Some experts warn that critical third parties now might include any vendor with the potential to impact a bank"s brand reputation or even specific loans, along with an institution"s ability to comply with consumer laws or defend itself against cyberattacks, to name just a few examples of the possible exposures.
Others argue that the description of critical vendors is somewhat less encompassing than the Cassandras would suggest.
But there is little argument from anyone that the definition is expanding.
"If you had asked me in 19980... what do we mean by criticality, I would have said any computer system or technology that could cause disruption to your customer service beyond a reasonable recovery time objective, and anything that jeopardizes customer information or the security of that customer information," says Paul Reymann, who was involved in the rewriting of vendor management rules in the 1990s when he was a policy analyst at the Treasury Department and is now a partner with McGovern Smith Advisors, a payments industry lobbying and consulting firm in Washington. "Today, it"s a much broader focus."
Even regulators have not pinned down exactly what a critical vendor is, saying it depends on the bank and its business mission.
Instead, they have left it to bank executives and their boards to determine which vendors are critical no small exercise given that a bank, depending on its size, can work with dozens, hundreds or even thousands of third-party vendors.
"We have more than 22,000 active relationships," points out Felipe Prestamo, the head of U.S. compliance services at TD Bank and a presenter during a recent American Banker webcast on the topic of vendor management.
"Not all 22,000 are going to go to the board; not all 22,000 are going to receive the same level of attention from the risk control function. We need an intelligent process to stratify that population and focus on the ones that deserve that focus."
Complicating the efforts to prioritize is the uncomfortable realization that vulnerabilities can exist almost anywhere in the supply chain. The vendor that exposed Target"s point-of-sale network to a massive data breach last winter, for example, provided heating and air conditioning to the retailer, surely not an area that anyone would have labeled "critical" before (at least not in the context of financial services).
Trustwave, the payment card industry compliance provider that gave Target"s network a clean bill of health shortly before the breach, also could, in hindsight, be considered a critical vendor.
Yet before the breach and before the new rules, Trustwave, which also works with banks, would not have been subject to closer scrutiny and oversight, according to Reymann. "After the fact, people could be critical about that, but a prudent person hiring Trustwave would not have thought they have to go audit Trustwave," he says.
Banks may need to similarly update their thinking about firms that supply loan disclosure software.
"If they don"t do that right, they"ll be in court with some kind of UDAP violation or other enforcement action from the regulators or CFPB," Reymann says, referring to Unfair and Deceptive Acts and Practices laws.
"I would not have thought a while back that vendors that help with statements or disclosures would be critical, but they are."
Reymann also points to a number of "sleeper risks" of which banks need to be aware. One is consumer protection risk; some of the OCC"s consent orders have forced banks to pay fines for identity protection and debt collection programs that were mismanaged by third parties.
Other areas where he says banks need to closely monitor vendor relationships include legal and compliance, information security and offshoring.
"If you"re found lacking in certain controls and you"re doing offshore activity, your risk is multiplied," Reymann says. "If I"m seeing control weaknesses in your vendor management program and you"re doing offshore, I"m going to be looking closely at how you"re managing the offshore relationships as a result."
Chip MacDonald, a partner at the law firm Jones Day in Atlanta, says he sees critical vendors as any service provider that could attract regulatory scrutiny or have an impact on the business, including the risk of loss in the event of a service disruption.
He says the industry should expect heightened regulatory interest in vendors" access to a bank"s electronic systems or networks, in the protection of sensitive data and in maintenance of anti-money-laundering and Bank Secrecy Act programs.
Penny Crosman is the technology editor for American Banker.