In today’s fast-paced banking environment, many institutions are outsourcing services such as loan review, asset and liability management, internal audit, compliance, stress testing, policy development, risk consulting, and other services so that their own internal resources are used most efficiently and effectively for customer service, business development and strategic initiatives. It simply makes more economic sense for many institutions to use outside skilled experts on a part-time basis for such services, as opposed to staffing with full or part-time employees who may not be experts or have the level of experience necessary in these risk management disciplines.
Regulatory agencies have made it clear to all banks that vendors accessing portfolio data and borrower information need to be properly vetted to ensure that they have appropriate data and security controls in place to reduce exposure of the bank to cyber crime, fraud and other data security concerns.
However, there is a fine line between prudent management of your outside vendors, ensuring the safety and security of your bank’s data, and excess paperwork and due diligence dealing with non-pertinent aspects of a vendor that can disrupt important work for the health of your financial institution. The OCC's guidance on vendor management, released in October 2013, clearly states, “The management plan should be commensurate with the level of risk and complexity of the third-party relationship”.
Many vendor-provided services are internally focused “advisory” or “consulting” assignments, and as such, not considered “critical” to the bank’s risk profile or any threat to the security or assets of the bank’s customers. It should be noted that if something is designated as “not-critical”, that does not mean it is not important.
It can be a challenge for banks today to “right size” their third party vendor management program for these types of service providers. What is too much or too little vs. “just right”? The OCC is very detailed in explaining risks and what is expected of banks to mitigate those risks. Clearly, the OCC and other regulators expect vigorous risk management, but also differentiate between “critical” vendors and other vendors, and they do not expect every non-critical vendor to be required to fill out every question in the “one size fits all” questionnaires that banks often use by default. Industry best practices would be to customize what level of information is needed from a vendor, taking into consideration the complexity and level of risk in the vendor relationship with the bank.
The regulatory advisories and guidance on third-party risk management focus on applying the appropriate controls for the level of risk that the vendor service or activity represents to the bank and its customers, but this nuance is not often recognized as part of the process in real life.
Banks that apply a “one size fits all” approach to vendor management, treating smaller vendors of internally facing non-transactional risk management services at the same level as full scale critical vendors such as core processors, place an unusually onerous burden on the smaller non-complex and non-critical third-party expert firms. This “one size fits all” process and result is similar to a bank regulator expecting the same compliance level for regulations from both the “Too big to fail” systemic institutions and smaller community banks.
Some examples of these disproportionately demanding burdens include asking providers of non-bank critical services, where commercial client data is reviewed but no “Gramm–Leach–Bliley Act Confidential” data is retained, such as asset and liability consulting or loan review. This “one size fits all” process forces non-critical vendors to fill out lengthy forms, produce excessive liability insurance, and audit documentation at the same level as a “critical” banking system provider that has access to transactional data and consumers’ confidential personal information.
This type of “one size fits all” thought process could eventually eliminate the niche expert provider that has the ability to deliver excellent value at reasonable cost to community banks. Smaller non-critical vendors typically care intensely about their clients’ business and provide essential independent and objective perspective to bank management, acting as a sounding board, and trusted advisor as well as provider. Often, larger vendors have rotating junior staff and offer less leadership and guidance to the smaller institution as that is “out of the scope.”
Alternately, some banks may choose to ignore all controls and prudent measures of third-party vendor management with their smaller risk service providers, including sole proprietor audit and risk review companies. This also exposes the bank to added risk if they do not ask for any audit controls (such as SOC 1), appropriate professional insurance or proof of data security controls. Lowering the due diligence process to this level exposes the bank to unnecessary risk of data loss or breaches of confidential information.
So where is the balance? How can a bank retain a third-party vendor in a way that will protect the bank’s systems and data in an efficient manner? Ardmore would recommend that the prudent course of action is to apply some reasonable controls, but not unnecessary “check the box” due diligence that wastes time and added expense for both the bank and vendors. It also may cause the vendor’s work or proposals to be delayed.
The prudent risk controls for a provider of “non-critical” and non-confidential data retaining services would generally include:
A SAEE 16 SOC 1 Audit control document – attesting to adequate controls for the vendor relevant to their activities;
Documentation of adequate controls of the vendor’s hardware, software, networks, network penetration testing results and laptop controls such as encryption, remote wipe capabilities, anti virus and asset tracking; and
Reasonable professional insurance thresholds to match the criticality and complexity of the services offered.
By taking prudent steps to “right size” vendor management, banks can protect themselves appropriately for the risk and complexity of the provided services, but also enable smaller vendors to continue to thrive and be “trusted advisors” to financial institutions. As always, a balanced approach serves both parties well.
Julie Hawthorne is VP & Director of Client Services & Operations at Ardmore Banking Advisors