nontechnical control. In order to do so, the bank must answer
the following questions:
■ Has your vendor historically maintained a secure environment?
■ Are your security requirements part of the vendor contract?
■ How do you know the vendor is fulfilling those requirements?
■ What if a security incident occurs at the vendor? Is the bank
told, and are procedures in place for a coordinated response?
These are just a few of the items listed in the handout for
the telephone seminar. Notably, vendor management is
becoming a more robust component of the regulatory examination process.
Vendor management started as an IT component requiring
banks to identify and acknowledge the vendors they used. Within three
years, vendor management guidance included the requirement
that the bank have knowledge of the vendor's security protocols
protecting bank data and understand the vendor's potential impact on the bank's risk profile. Vendor management became a matter of
information security as a whole, not just IT.
As part of information security, vendor management had to
be incorporated into business continuity testing, control matrices, and privacy programs. On the surface, vendor management
appeared to be simply a small fire in one designated field, but
the continued growth and due diligence requirements pushed
vendor management into more fields and subfields of the overall
risk management program of an institution. So, how exactly did
vendor management get to compliance?
Vendor management’s movement toward compliance was
quiet and stealthy until the last couple of years. (Keep in mind,
vendor management is still an IT and information security issue, too.) Between 2004 and 2007 there was little focus in the
compliance area on vendor management, but in 2008 the “state
of vendor management” began to emerge. Forrester Research,
a technology and market research company, said, “…[this]
shows that the investment and focus on vendor management
activities continues to increase. This trend shows that firms are
clearly taking more of an activist sourcing approach, which is
also paying off in a higher level of satisfaction with their decisions to outsource.” 6
At the same time, in 2008 the industry started to see the emergence
of the vendor as a real threat to the bank. What if the vendor is
mishandling data? What if the vendor files bankruptcy or shuts
down? What if the vendor has a power outage or a disaster and—
here it comes—you cannot provide bank statements, disclosures,
or other regulatory compliance documents?
Vendor management became a compliance issue because of
regulatory requirements to deliver information to the customer in
a specified time frame and in a specified manner. Regulations such
as Z, X, B, and CC (to name a few) are time sensitive and require
specific verbiage. If a vendor is not keeping up with regulatory
requirements and does not have a business continuity plan (BCP)
and an information security program, the compliance program
of the bank is in perilous danger. So now what?
While there is no specific section of the Compliance Examination
Handbook7 called vendor management, it is intertwined with
the enterprise risk management program by default. Compliance
examiners will ask for the vendor management risk assessment as
well as the bank’s vendor management policies and procedures
and yes, they will look at a sample of your contracts as part of
your enterprise risk management program. Now that we know
how we got here, what do we do?
Much has already been written about vendor management.
This article, however, addresses the role the compliance function
can play in managing vendors. We discuss how to incorporate
vendor management into your compliance risk assessment process,
the type of due diligence expected to be performed on a vendor,
and how to monitor your vendors to ensure they are delivering
up to your standards.
■ Determine the criticality of the function to be outsourced. Do you know the compliance risks your vendors
present? This is an important question and one the regulators
expect you to be able to answer.
The key to a mature compliance function is being able to
appropriately determine all of your institution’s compliance
risks. For those functions that are outsourced, it is important to
determine how critical they are to your bank. To start, you might
seek the answers to two questions: What risks are impacted—legal,
reputation, operations, compliance? And, if this function fails,
what will be the practical implications to the bank?
For example, let’s imagine that your bank hires ABC Collections Agency to collect its past due debts. ABC will have direct and
indirect contact with the bank’s customers. In addition to a host