Managing Your Vendors _ User Conference 2019


Managing Your Vendors: Being Compliant


Managing Your Vendors (Agenda)

• Introduction
• Vendor Management
• Effective Vendor Management
• Q&A


Corporate Governance

o Bank’s BOD and Senior Management are ultimately responsible for Vendor Management
  • Managing activities conducted through third-party relationships
  • Identifying and controlling risks arising from such relationships
o Delegation to a Senior Management Committee
  • Operations Committee or Risk Committee
  • Update the selected committee charter to reflect this assignment
o Consider providing a complete, tiered vendor list to the BOD for annual review


Important Definitions: Educate Your Team

o Third-Party: Broadly defined to include all entities that have entered into a business relationship with a financial institution, whether the third party is a bank or a non-bank, affiliated or not affiliated, regulated or non-regulated, or domestic or foreign
o Significant Third-Party Relationship: Considered significant if the institution’s relationship with the third party is a new relationship or involves implementing new bank activities; the relationship has a material effect on the institution’s revenues or expenses; the third party performs critical functions; the third party markets bank products or services; the third party provides a product or performs a service involving subprime lending or card payment transactions; or the third party poses risks that could significantly affect earnings or capital.
• FDIC FIL Guidance for Managing Third-Party Risk provides a general framework of appropriate oversight and risk management of significant third-party relationships.
  **Incorporate these same definitions into Policy, Procedure, and Program documents so that the financial institution and regulators are on the same page**


Essential Framework

o Risk Assessment
o Due Diligence in Third-Party Selection
o Contract Structuring and Review


Vendor Management Framework – Risk Assessment

Two Essential Components
1. Documentation – full decision write-ups of whether or not to enter into a third-party relationship
2. Analysis – analyze all third-party relationships under consideration


Vendor Management Framework – Risk Assessment

Analysis should include:
o Ensure the relationship is consistent with the institution’s strategic planning and overall business strategy
o Benefits, costs, legal aspects, and potential risks associated with the relationship
o Expanded analysis for new products or services and for significant third parties
o Develop a thorough understanding of what the proposed third-party relationship will accomplish
o Why use of a third party is in the best interest of the financial institution (vs. handling the activity in-house)
  • Risk/reward analysis
  • Long-term effects of engaging the vendor



Vendor Management Framework – Risk Assessment in Practice

o Document the discussion in the applicable committee minutes
o Develop a form and provide it for committee review
o Set thresholds: dollar amount, “significant third-party”
  • You don’t want committee oversight for a lawn care contract
  • But do not underestimate the risk associated with janitorial services
o Business unit or Vendor Management should send out a Request for Proposal (RFP)
o RFP response should outline cost; expertise; performance criteria (i.e., deliverables and due date); internal controls; contractual requirements
  • Resumes on audit engagements
o Receive multiple bids
o Document consideration of the outsourcing relationship, and
o Document consideration of each third party, and
o Analysis/reason why the bank chose to engage the third party
o Assign oversight
  • Business unit (Vendor Relationship Owner – “VRO”)
  • Vendor Manager
o Document the analysis and the decision to engage the third party


Vendor Management Framework – Due Diligence

o Selection of a qualified entity to implement the activity or program
o Assess qualitative and quantitative aspects of potential third-party relationships
  • Achieve the financial institution’s strategic and financial goals and mitigate identified risks
o Due diligence is performed initially and throughout the third-party engagement
  • Contract renewal
o Scalable, risk-based due diligence – scope and depth should correlate with the importance and magnitude of the third-party relationship
  • IT vendors will have increased due diligence


Vendor Management Framework – Due Diligence in Practice

o Develop a due diligence questionnaire and a checklist of documents to be provided for each respective tier of vendors
  • Tier 1 and IT vendors will have more in-depth due diligence
  • Other tiers will have less due diligence
  • Some tiers may have no due diligence
o If you have vendors that were engaged prior to the Vendor Management Program, onboard those vendors at contract renewal
o Provide vendors with a Vendor Code of Conduct to acknowledge
o Contact the IT regulator to request copies of regulatory reports


Vendor Management Framework – Contract Structuring & Review

o Ensure the expectations and obligations of both the financial institution and the third party are outlined in a written contract
o Board approval should be obtained prior to entering into any material third-party arrangements
  • Delegate this approval to an underlying Board or management-level committee
o Appropriate legal counsel should review significant contracts prior to finalization
o The level of detail in contract provisions will vary with the scope and risks associated with the third-party relationship


Vendor Management Framework – Contract Structuring & Review

Contract provisions to address:
o Scope
o Cost/compensation
o Performance standards
  • Key Performance Indicators (KPIs)
o Reports
o Audit
o Confidentiality and security
o Customer complaints
  • All customer and consumer complaints must be reported to the financial institution
o Business resumption and contingency plans
  • Business continuity plan and disaster recovery plan
o Default and termination
o Dispute resolution
  • Arbitration
o Ownership and license
o Indemnification
o Limits on liability


Vendor Management Framework – Contract Structuring & Review in Practice

o Develop thresholds for contract review
  • K < $ can be reviewed by the business unit
  • K > $ requires attorney review
  • K > $$$ requires committee approval
o Engage an in-house attorney for contract review
  • Develop a form contract for use with vendors
  • Develop a checklist of provisions in contracts
  • Venue provision
o Must report consumer and customer complaints to the financial institution to be incorporated into the compliance department’s complaint reporting
  • Include in that reporting, but also keep the report independently


Vendor Management – Oversight

o Institutions should maintain adequate oversight of third-party activities
  • Quality control over products and services provided through third-party arrangements
  • Minimize exposure to potential significant financial loss, reputation damage, and supervisory action
o The Board should initially approve, oversee, and review annually significant third-party arrangements
  • Again, delegate this task and update the respective committee charter to include this responsibility
o Management should periodically review the third party’s performance
  • KPIs
o The compliance management system should ensure continuing compliance with applicable federal and state laws, rules, and regulations, as well as internal policies and procedures
  • Incorporate Vendor Management into second line of defense processes
  • Perform internal audit review as the third line of defense


Vendor Management – Oversight in Practice

o Use tiers to determine how often due diligence is updated
  • Highest risk (Tier 1) vendors should receive an annual due diligence update
  • Updated financial information
  • Updated insurance
  • Updated audit or regulatory reports
  • Litigation
  • Changes in BCP or Disaster Recovery Plan
  • Changes in personnel
  • Consumer complaints
  • Complaints from the business unit
o Develop a questionnaire to be filled out by the business unit
  • The questionnaire should focus on the performance of the vendor


Vendor Management – Supervision of Third-Party Relationship

o FDIC will review Vendor Management through its Risk Management Program and routine safety and soundness examination
o Compliance supervision will also review Vendor Management as part of its review
o The principal focus of supervision will be management’s record and process of assessing, measuring, monitoring, and controlling risks associated with an institution’s significant third-party relationships
  • Documentation


Vendor Management – Supervision of Third-Party Relationship in Practice

o FDIC RMS will review vendor management during the safety and soundness review
o Large banks that are involved in the continuous examination process may have a Vendor Management target review
o Large banks may also have a specific IT Vendor Management target review as part of an IT exam
o Compliance supervision will also review Vendor Management as part of its review
  • Third-party complaint log
  • Vendor Management Policy and Procedure that outline third-party complaint log reporting
o The examination teams will be checking the documentation on each vendor and ensuring there is enough there to support management’s risk rating of the vendor


Vendor Management Program Summary – Documents

o Charter: Delegating the task of VM to a management or Board committee
o Policy: Vendor Management Policy, reference to VM in Compliance, BSA, and M&A Policies
o Treat third-party activity as if it were handled within the financial institution
o Appropriately risk-rate and assess the third-party relationship for significant activities and services and the vendor engaged to perform such duties
o Establish the framework of the Vendor Management program (Risk Assessment, Due Diligence in Selecting a Third Party, Contract Structuring and Review, Oversight)
o Establish the role of Vendor Manager
o Consider Certified Regulatory Vendor Manager (CRVM) certifications
o Decide if the bank will use a Vendor Manager only or also a Vendor Relationship Owner (VRO) role


Vendor Management Program Summary – Documents

o Procedure: Vendor Management Procedure, reference to VM in Compliance Procedure, BSA, and M&A Procedures
  • Request for Proposal form
  • Vendor Risk Assessment at onboarding form
  • Vendor Due Diligence form
  • Business Unit Vendor Performance Questionnaire
  • Form NDA
  • Form Contract
  • List of key contract terms and provisions
  • Vendor Code of Conduct: acknowledged by each vendor
    o Should mirror the internal Code of Conduct; an easy way to accomplish a policy goal


Vendor Management Program Summary – Framework

Risk Assessment
o Set thresholds to establish significant vendors and document the following in committee minutes for significant relationships:
  • Risk assess the outsourcing of the third-party relationship, and
  • Risk assess the vendors to be considered
o Develop a standard RFP document to be sent out to vendors for bid
o Develop a Risk Assessment form to be used with each vendor at onboarding

Due Diligence
o Develop a tier system for vendors that dictates the level of due diligence and subsequent oversight
o Highest-tier vendors may include vendors that offer core services, are considered critical vendors by the FDIC, are consumer-facing, or have a great impact on the earnings of the financial institution
o Lowest-tier vendors may not require due diligence
o Develop a due diligence form
  • Creates familiarity for vendors, the VM department, and the committee tasked with reviewing the relationship


Vendor Management Program Summary – Documents

Contract Structuring and Review
o Develop a dollar amount threshold for contracts to be reviewed by the legal department or outside counsel
o Other contracts can be reviewed by the business unit, vendor management, or a legal assistant
  • Develop a form contract that can be used to engage small vendors
o For larger vendors who will have their own contract, develop a list of key terms and provisions to negotiate in contracts (i.e., venue, indemnity language, arbitration)
o Audit, risk assessment, and compliance reports must include language that reports, work papers, and work programs can be provided to third parties performing supervision (usually requires notice before providing them to a regulatory agency)
o American Arbitration Association is expensive
o Have an outside firm prepare these documents if the bank does not have an internal legal department
  • Catch previously engaged vendors and onboard them at contract renewal


Vendor Management Program Summary – Documents

Oversight
o Use the tier system to determine how often vendors will be required to update due diligence
  • Highest-tier vendors should update due diligence annually
  • Do not perform all annual due diligence at the same time; stagger vendor due diligence updates
o Lowest-tier vendors may not require due diligence updates; oversight will be performed by reviewing and recording vendor complaints from the business unit
o Other monitoring metrics: insurance carrier ratings, attorney Avvo ratings, Better Business Bureau ratings
o Develop a questionnaire for the business unit engaging the third party, to also be completed as part of oversight
  • Key performance indicators (KPIs)
o Complaints from the business unit will be logged with Vendor Management
o Complaints from consumers or customers will be logged by Vendor Management and Compliance


Vendor Management in a Nutshell – Other Considerations

o Reporting
  • Develop Vendor Management reports to be provided to the supervising committee
  • Provide a complete, tiered list of vendors to the supervising committee and Board of Directors annually
  • The compliance complaint log should also be provided
  • Create a banned vendor list
o 3 Lines of Defense: scale to your financial institution’s risk profile and size
  • First line: Vendor Management (reports to the supervising committee)
  • Second line: Compliance (reports to the Compliance Committee)
  • Third line: Internal Audit (reports to the Audit Committee)
o Certain events should trigger updates to compliance and internal audit risk assessments:
  • Establishment of the Vendor Management program
  • Establishment of a new significant vendor relationship
  • Increased consumer or customer complaints from vendors


Vendor Management – Elements of Engagement

• What are some of the critical functions performed by a “third party”?
• What could be the results of poor “risk assessment”?
• What are some of the goals of “due diligence”?
• Why are systematic reviews of “third party” relationships important?
• Why is proper vendor management vital to your bank’s success?

