Vendor Management Compliance is an increasingly important topic for financial institutions, and it is getting more complicated, too. New regulations add to the challenge, but establishing the right framework is also an opportunity.
An introduction to Vendor Management Compliance
Vendor Management Compliance is an increasingly important topic for companies. Why? Take cyber security as an example: the level and volume of sophisticated attacks grows every year, damages from cybercrime are expected to cost the world $6 trillion by 2021, and by then spending on cyber security is expected to have exceeded $1 trillion. However well prepared an organisation might be, the biggest risk in terms of data breaches often does not lie within its own walls but can in many cases be traced to third parties in its supply chain.
At the same time, vendor management is an extremely complex field, and firms often struggle not only to understand their own obligations, but to work out how to comply with them, or even how far their relationships, and in turn their obligations, extend. Since every firm depends on external suppliers, it is not a problem that can be ignored, especially in light of the heavy fines that loom in case of non-compliance. Consider the sheer range of vendors a financial institution works with: from the setup and maintenance of facilities, to data providers, to software systems for front, middle and back office, and basically anything related to the provision of supplies, goods, products, services, consulting and so on, whether on a one-off occasion or in an ongoing relationship. That alone gives an idea of the challenges in terms of management and transparency. Some examples of IT operations in a bank that are frequently outsourced are the origination, processing and settlement of payments and financial transactions, information processing related to the creation and maintenance of customer accounts, and the information and transaction processing activities that support critical banking functions like loan processing.
The particular risks that result from third parties are manifold. They come in the form of compliance risks, such as violations of laws, rules or regulations, or non-compliance with policies or procedures. They can manifest as reputational risks, like dissatisfied customers or violations of laws or regulations that lead to public enforcement actions. They can be categorised as operational risks, such as losses from failed processes or systems, or losses of data that result in privacy issues. Transaction risks arise from problems with a third party's service or delivery. And they appear in the form of credit risks, such as the inability of a third party to meet its contractual obligations. A financial institution's potential exposure is magnified when a vendor deals directly with the bank's customers, for example when delivering products and services to an institution's customers on its behalf.
Over-reliance on third-party vendors or inadequate monitoring of a vendor's activities increases the risk even further. In many situations in which financial institutions were fined for the misconduct of their suppliers, the board and senior management had disregarded the fact that they are ultimately responsible for all aspects of the bank's operations, including products and services provided by vendors.
Therefore, with the financial, reputational, compliance and legal risks that stem from third-party suppliers in mind, it is obvious that vendor risk management needs to be addressed at every stage of the relationship with a vendor: before entering into it, while it lasts, and even after it ends.
The Lifecycle of Vendor Relationships
From start to finish
The lifecycle of the relationship with a vendor, regardless of whether it is a one-off occasion or an ongoing commitment, can be broken down into seven steps:
- A specific need of the financial institution is identified
- Rules and objectives for the relationship are determined
- Invitation for vendor proposals or search for solutions
- Vendor due diligence and risk ranking
- Vendor selection and contract negotiation
- Vendor monitoring of performance and adherence to the service level agreement
- End of contract and project evaluation
The whole process runs from the identification of a specific need in a financial institution (for example, the requirement for a software solution because of new monitoring obligations, the engagement of external lawyers, or the hiring of builders to carry out work on the premises) to the conclusion of the project at the expiration of the contractual term or the achievement of its objectives. This in turn takes us back to the beginning, in the form of an evaluation that determines whether, for instance, the contract should be renewed.
In any case, while some aspects of the steps above are fairly straightforward, there are some crucial points that we want to look into further.
The first is transparency with regard to what the financial institution expects to gain from the project and how it wants it executed. This includes simple aspects like scope, procedures and timing, i.e. deadlines for project stages and deliverables, as well as more delicate matters like the financial institution's access to the vendor, for example for audits or reviews, the confidentiality of data, and the allocation of responsibilities. While some of these aspects will be subject to the contractual negotiations, it is beneficial to clarify others at an earlier stage, for instance by communicating the financial institution's overall strategy, values and objectives: the more clearly these are communicated and aligned between vendor and bank, the better the overall outcome.
Due Diligence and Vendor Management Compliance
Vendor due diligence needs to be completed at an early stage, and in any case prior to the selection of a vendor. Information that arrives late can have catastrophic consequences for the success of the project, and sometimes for the financial institution itself if the project is of sufficient relevance to the business. There are several key aspects the due diligence process needs to cover, though the following list is far from exhaustive and the relevant aspects vary from case to case. In addition to financial statements and regulatory reports, the vendor's experience and ability to implement and monitor the proposed activity, as well as its general business reputation, are important factors. With regard to the financial indicators, it should also be considered how significant the project is for the vendor's financial and organisational condition. Other relevant aspects range from the qualifications and experience of the vendor's principals, to the strategies and goals of the third party and how they align with those of the financial institution, to the resources of the vendor and the potential need to employ subcontractors and the extent of that subcontracting. The list goes on and needs to be evaluated carefully for each project.
Risk Assessment and Rating
The due diligence process is closely connected to the risk assessment and rating of a vendor. Based on the information and results produced by the former, the latter needs to determine the costs, benefits, legal aspects and potential risks associated with the vendor(s) under consideration. This risk assessment should also take into account all relevant laws and regulations to ensure compliance.
Ongoing vendor monitoring predominantly refers to checking a vendor's adherence to Service Level Agreements (SLAs) and contractual provisions. It is also vital, though, to keep an eye on the financial condition of the third party, based on the financial statements provided by the vendor as well as publicly available information, and on the overall control environment of the service provider, which can be assessed by requesting company information, reports or reviews such as audits. The monitoring process should also consider potential changes in the external environment, for instance in the form of regulatory changes. The entire process rests on three pillars: ongoing monitoring to identify and evaluate changes in risk since the initial assessment, the implementation of effective controls to address the risks identified during monitoring, and the documentation of procedures, roles, responsibilities, reporting mechanisms and results.
The involvement of senior management and the board of directors is of paramount importance for effective vendor risk management. However, it is almost equally important to involve all stakeholders across the financial institution, including the business lines as well as the compliance function.
While these aspects focus more on the general process of vendor risk management, there are specific situations that are no less relevant and need to be addressed as well.
Specific Situations #1 – Existing relationships
While it is important to introduce a solid process for managing vendor risk, the first step in any review of the status quo needs to be the identification of all existing third-party relationships. As highlighted above, there is a wide range of potential relationships across a financial institution, and overlooking even one of them in a review can leave the organisation vulnerable to the risks discussed above. At the same time, it is not enough simply to identify the various vendors; the services and products they provide, the responsibilities and specific risks that arise from these relationships, and the impact on the business need to be determined as well.
Specific Situations #2 – Breach of Obligations
Talking about risk and things going wrong: what should you do if you identify a breach of obligations in a vendor relationship? It is almost impossible to eliminate all risks entirely, but establishing an effective risk management process includes planning for such eventualities. Where that has been done, an organisation can respond swiftly to limit the damage and take steps to address the issue, while the specifics naturally depend on the respective relationship and the service or product the third party provides.
Specific Situations #3 – New Regulations
We already touched on one of the game changers in any relationship with third-party providers: regulation. One prominent example that has caused the industry headaches is the requirement introduced by MiFID II to unbundle the provision of research from execution services. This means that financial institutions need to be able to demonstrate the various components and sources their research is based on, which in some cases borders on the impossible. In terms of vendor risk management, it means that firms need to dig deep to determine how their existing (and future) relationships might affect their regulatory obligations, and act accordingly.
Another example is the General Data Protection Regulation (GDPR), which defines the roles of data controllers and data processors. A financial institution that acts as data controller remains responsible for the processing carried out on its behalf by vendors acting as data processors, so any wrongdoing by such a vendor falls back on the institution.
When ESMA last year assessed the FinTech industry and its impact and friction points for the financial sector, the regulator highlighted that all arrangements with respect to outsourcing and cloud computing have to be implemented in a manner that complies with European legislation, in particular with regard to data security and data protection rules like GDPR. What this means in detail, and what the expectations of European regulators are, can be derived, for example, from the EBA's recommendations on outsourcing to cloud service providers, which apply from 1 July 2018. This presents financial institutions with a very difficult task. While it is, in general terms, difficult to plan for all regulatory changes when establishing a vendor risk management framework, it is nevertheless possible to build in regulatory change management so that rule changes are translated into and implemented within the existing framework.
As with any challenge, there are also benefits that come with it. Instead of being scared stiff, it is worth looking at the upsides a robust vendor risk management framework offers. Whereas many institutions rely on the knowledge of single individuals, the objective of establishing any risk management process must be to remove such a dependency. Also, think of the end result: better accountability in case of shortcomings and a better protected organisation. And as always, when done properly, any comprehensive review is a chance to understand your organisation better and, based on that understanding and those insights, to identify ways to do better business.