While much of the attention paid to regulatory requirements for financial institutions (FIs) tends to focus on Dodd-Frank and mandates issued by the Consumer Financial Protection Bureau, a notable change of late has been the heightened requirement for vendor management oversight and third-party risk assessments. Although the Bank Service Company Act is hardly new, it has recently become the basis for these types of mandates. Issued by different agencies, the message is essentially the same: When it comes to vendors, the buck stops with the FI. In fact, the FDIC requires that it be notified within 30 days of any new service provider relationship being struck.
Each regulator has its own published guidance on how FIs should manage third-party risk, but the themes are consistent across the board – from the vendor selection process through ongoing management, FIs must demonstrate they are closely monitoring performance and have contingency plans in place, if needed. The level of oversight required for a given vendor depends on the “criticality” of the service it provides. Payments, settlement, clearing and digital banking have all been deemed “critical” services, and as such, are held to the highest standards.
The Contingency Plan
These standards require FIs to obtain exit rights in cases of a vendor’s failure to perform. Just as importantly, FIs must continuously refresh their supplier due diligence, including clearly understanding the options should a change become necessary. These processes must be clearly documented and vetted by auditors.
An FI’s tenure with an existing provider is considered irrelevant for these due diligence purposes. “We’ve been a client of Vendor X for 30 years with no problems,” is considered insufficient support, unless accompanied by an extensive paper trail backing up that claim and documenting ongoing protections.
In another recent addition to the framework, any vendor that interacts with end customers on the FI’s behalf must have a documented escalation process for consumer complaints. On the surface this sounds like a natural FI requirement, but in reality, it creates a host of gray areas. What constitutes the threshold for consumer interaction? For example, could this be applicable in those rare cases when a customer might contact a card network for an emergency replacement card?
It Takes a Village (of FIs)
In a backhanded way, these additional requirements provide an assist to credit unions and community banks, because they now have the teeth to demand further reporting detail and other protections from their vendors. They should still expect pushback, however. Service providers face their own oversight burdens and are motivated to both limit exposure and preserve competitive leverage. Many of these regulatory requirements remain subject to interpretation.
Large FIs typically have sizable vendor management organizations and mature processes capable of meeting the requirements associated with these types of mandates. However, these organizations and processes are used to oversee very complex vendor environments, where the higher degree of vendor integration and related de-conversion costs exceed those for small FIs. Still, it’s refreshing to see some accommodations being made for banks and credit unions to pool resources to address these noncompetitive issues.
The Office of the Comptroller of the Currency (OCC), for instance, requires that FIs perform “in-depth due diligence and ongoing monitoring” of third parties. Recognizing the burden this places on small FIs, the OCC allows them to collaborate on certain diligence tasks, such as engaging an external auditor. The OCC, like other regulators, makes available an interagency Technology Service Provider examination report to contracted FI clients of applicable providers for use as part of their internal diligence processes.