Risk-Scoring Mandate Pushes Banks to Rethink Vendor Choices

One of the hardest-to-execute yet least-discussed elements of regulators' heightened scrutiny of banks' vendor relationships is the expectation that banks must now risk-score their vendors.

Banks have always had to be careful and prudent about choosing suppliers, and they've had business reasons to keep an eye on such partners to make sure they stay solvent and can meet their contractual obligations.

What regulators have been asking in their latest round of vendor management guidance is a far more detailed scrutiny of vendors: of their financial stability, debt, revenue, profitability, their cost structure, and product strategy, among other things.

In the past, a large, well-known vendor may have been a safe choice, but regulators are now saying it's no longer enough to choose a vendor because it's a market leader. They want to be presented with a scorecard that lets them review how banks evaluate their vendors in a consistent way.

"The regulators are forcing banks to sit down and say 'what if. if this vendor goes away, what are the risks to you?'" says Lawrence Kaplan, of counsel at the Washington, D.C., law firm Paul Hastings.

There's no formula for the risk score, and every bank is expected to approach it differently based on its business and the vendors with which it works. The regulators haven't even explicitly said banks must assign each vendor a numerical score, though they have implied it.

"Unfortunately a score for each vendor is an unstated expectation," says Paul Reymann, a partner at McGovern Smith Advisors in Washington.

The score could include controls a bank has put in place that limit its exposure to the vendor, and perhaps even a cyberinsurance policy that covers the bank for any problems with its tech vendors. The point is to come up with a system that's logical for regulators to follow.

"Examiners want to know how you went through that methodology," Reymann says. "How you measure that could be with numbers, 0 to 100, or red, yellow and green indicators."

The first and most obvious vendor risk metric is financial viability — will the vendor be in business throughout the life of the contract? The company's financial resources, capitalization and profitability go into this.

Company ownership is a factor, too, with private equity ownership presenting the highest risk. Changes in ownership and frequent changes in management are signs of instability.

"It takes strong ownership, money and strong leadership to be strong financially and have a strategic direction with products and services," says Walter Taylor, executive vice president at New York IT consulting company Genesis10.

Incentive pricing can have a huge impact on a vendor's ability to stay in business, he points out. (Taylor has come up with a list of 30 metrics banks should consider when risk-scoring their vendors.)

"Buyers have been pushing hard on these suppliers," Taylor says. "If you pound on a supplier hard enough, and if you're Bank of America, [Citigroup, JPMorgan Chase, or Wells Fargo], you'll get to a price point that you want. But you'll also get to a price point that is not sustainable for the supplier." The supplier loses money and eventually goes out of business, which is a huge risk for the bank.

A company's costs are not that easy to find out. "It takes a lot of research and talking to people," Taylor says. "You have to trust and have confidence in what they tell you."

One question that arises amid the intense scrutiny of vendors' financial viability is whether or not a startup with little financial history can make it in this environment?

"It's not that you can't use a startup, but the management of the bank will have to justify it to the board, which will have to justify to the regulators why they're using Larry's ATM Machines rather than Diebold," Kaplan says. "What benefit do we get out of that and why are we better off, other than price? It's going to be a critical issue."

Regulators might question whether the vendor's business model is scalable, or if the vendor has resources to grow along with the bank

"If you've got three people in a garage doing some type of real-time processing for you with deposits or credit cards, that's crazy," Taylor says. "

If the startup has developed some IP the bank wants to embed in its ACH processing system, that might be OK, "but what happens if they go away?" Taylor asks. "What are your use rights, do you have access to the source code."

Another element regulators, especially the Office of the Comptroller of the Currency, have been zeroing in on lately is vendor concentration risk — the fear that one popular vendor's missteps could affect multiple banks.

"It's too many banks using the same vendor, so if the vendor gets a cold, everybody gets a cold," Kaplan says.

Vendors' ability to handle compliance is another risk factor regulators expect included in the risk score. "Compliance by vendors has to be a forethought, not an afterthought," Kaplan says. "It's not good enough to say the bank is going to review everything, the vendor is responsible for compliance. If the bank doesn't realize the vendor doesn't have a compliance program, that's a problem."

Banks should look at the vendor's compliance staff, the compliance officers' backgrounds, and the training of that staff, he adds.

It all comes down to justifying the decision to work with a particular vendor, Kaplan says. For every vendor, banks need to be able to explain who the competitors are and why the bank chose the one it did. If the vendor selection feels sketchy, the bank will start to see pushback from regulators.

This is the second in a series of articles on vendor management.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER