The Devil’s in
Richard H. Harvey, Jr., Esq., CRCM, and Shawndra Rutledge, CRCM
IF YOU’RE A COMPLIANCE OFFICER, you no doubt have very little leisure time for reading articles that appear to have little, if any, applicability to the numerous responsibilities you already own. Thus, at first glance you might be inclined to take a pass on this article. You probably view vendor management in the traditional sense—it’s an information technology (IT) or operations function. However, as this article reveals, vendor management and compliance are inextricably connected. And, as you will see, the devil is in the details.
How did we get where we are today? Well, let’s start by taking a walk back in time.
Vendor management first came on the scene as a specific topic of risk around 2000. It
started in the IT area and has morphed into its own piece of the regulatory examination
process. IT has always been the starting point for vendor management. It truly began
with the fury of fear about the Year 2000 (Y2K) problem in software systems. As early as
December 17, 1997, statements such as the following were made by the Federal Financial
Institutions Examination Council (FFIEC) regarding vendor due diligence: