The Importance of Third-Party Vendor Risk Management Programs
by Tony DaSilva, S&R Subject Matter Expert, Federal Reserve Bank of Atlanta
Vendor management comprises all of the processes required to manage third-party vendors that deliver services and products to financial institutions. Significant effort is required from both the institution and the third-party vendor to maximize the benefits received from the relationship, service, or product, while simultaneously minimizing associated risks. As the scale, scope, and complexity of these relationships and services increase, the related risks and the importance of effective vendor management should proportionately increase. In addition to traditional core bank processing and information technology services, banks outsource operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing. The increased use of outsourcing to third-party vendors and the importance of the relationships between banks and those vendors intensify the need for community banks to have highly effective third-party vendor risk management programs in place.
Over the past several years, managing third-party vendor risk has required greater attention from community bankers. Cyber-related incidents and contingency plan failures occur daily, ranging from serious to critical, and they can have a significant impact on community banks. As a result, bankers have devoted more resources to vendor risk management and have integrated vendor management oversight into their critical processes. It should therefore be no surprise that the adequacy of vendor risk management is a top concern for both community bankers and regulators.
Federal Reserve Supervision and Regulation (SR) letter 13-19, “Guidance on Managing Outsourcing Risk,” states that “a financial institution’s service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged. It should focus on outsourced activities that have a substantial impact on a financial institution’s financial condition, are critical to the institution’s ongoing operations, involve sensitive customer information or new bank products or services, or pose material compliance risk.”1
Technological advances enable community banks to provide customers with an assortment of products, services, and delivery channels. As a result, community banks are increasingly relying on third-party vendors for a variety of technology-related services. Because the responsibility for properly overseeing these relationships remains with the institution’s board of directors and senior management, an effective vendor risk management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing arrangements. The bank’s senior management should develop and implement enterprisewide policies to consistently govern outsourcing processes. These policies should address third-party vendor relationships from an end-to-end perspective and should include procedures for establishing servicing requirements and strategies; selecting a third-party vendor; negotiating the contract; and monitoring, changing, and discontinuing the outsourced relationship.
While the components of an effective vendor risk management program may vary based on the scope and nature of an institution’s outsourced activities, effective programs usually include the following elements:
- Risk assessments, due diligence, and selection
- Contract provisions and considerations
- Incentive compensation review and service-level agreements (SLAs)
- Oversight and monitoring
- Business continuity and contingency plans
Risk Assessments, Due Diligence, and Selection
When considering the outsourcing of significant bank functions to a third-party vendor, the bank’s board of directors and senior management should ensure that the outsourcing of a particular function is consistent with the institution’s strategic plans and evaluate proposals against well-developed and specific criteria. Management should also establish and approve appropriate risk assessments and risk-based policies to govern the third-party vendor or outsourcing process. The risk assessments should be updated at appropriate intervals consistent with the institution’s vendor risk management program. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to its size and complexity. The degree of oversight and review of outsourced activities will depend on the criticality of the products and services, access to customer information by the third-party vendor, and any specific risks attributed to the selected third-party vendor.
Management should use due diligence as a validation and verification process to confirm that the third-party vendor meets the institution’s needs. The amount and formality of the due diligence performed may vary according to the estimated risk of the outsourced relationship and the institution’s familiarity with the prospective third-party vendor. A common weakness examiners see is an institution that relies on one core third-party vendor for most of its products and services. While relying on one third-party vendor can result in operational, financial, and oversight benefits, it also concentrates risk: an outage, breach, or failure at that single vendor affects most of the institution’s services at once, so diversification may be the more prudent choice depending on the type of products or services the financial institution offers. The financial institution should also be aware of whether the third-party vendor is further outsourcing all or part of its responsibilities to a subcontractor. If agreements allow for subcontracting, the institution should require that the same contract provisions be imposed on the subcontractor. Contract provisions should clearly state that the primary third-party vendor remains accountable to the institution for all services it provides as well as for services provided by its subcontractors.
Contract Provisions and Considerations
Contracts should clearly specify the details of the third-party vendor business relationship. The contract needs to establish a common understanding between the institution and the third-party vendor as to what needs to be achieved and should (1) define all deliverables, service levels, and metrics; (2) define responsibilities and obligations; (3) define terms and conditions; (4) specify how risk will be allocated between parties; and (5) define legal counsel and jurisdiction stipulations.
Also, contracts should clearly define the rights and responsibilities of each party, including: 2
- support, maintenance, and customer service;
- contract time frames;
- compliance with applicable laws, regulations, and regulatory guidance;
- training of financial institution employees;
- the ability to subcontract services;
- information security and cybersecurity (including access controls);
- the distribution of any required statements or disclosures to the financial institution’s customers;
- insurance coverage requirements; and
- terms governing the use of the financial institution’s property, equipment, and staff.
In today’s high-risk information security and cybersecurity environment, it is critical that contracts establish third-party vendors’ responsibilities to meet or exceed specific cybersecurity standards or guidelines. SLAs can specify monitoring and audit processes, including performance measures for a financial institution to use to assess a third-party vendor’s performance with respect to meeting cybersecurity and other performance expectations.
The institution’s legal function has a critical role in defining its contractual requirements and writing and reviewing contracts. Compliance, audit, risk management, information security, and business continuity functions should also be involved in reviewing contracts. Unfortunately, examiners have seen contracts that have not been executed properly. This typically happens when an institution is under time constraints to change third-party vendors and needs to follow an aggressive conversion time frame to end the relationship with its previous vendor.
Incentive Compensation Review and Service-Level Agreements
Institutions should consider if contract performance incentives might encourage third-party vendors to take imprudent risks. Inappropriately structured incentives may result in reputational damage, increased litigation, or other risks to the financial institution.
An institution should include SLAs in its outsourcing contracts to specify and clarify performance expectations as well as to establish accountability. SLAs formalize the performance criteria that the institution will use to measure the quantity and quality of a third-party vendor’s service. Management should closely monitor a third-party vendor’s compliance with key SLAs.
Oversight and Monitoring
An effective vendor oversight program can help ensure that third-party vendors deliver the quantity and quality of services required by the contract. The monitoring program should use effective techniques that target the key aspects of the outsourcing relationship. The institution’s vendor oversight program should include a process for monitoring a third-party vendor’s security controls and financial strength as well as the potential impact of an external event on the third-party provider’s ability to continue to fulfill its contractual obligations.
Because of the potential cybersecurity risk of external network connections, an institution should ensure that these connections are appropriately monitored and controlled. To improve and enhance monitoring effectiveness, management should periodically rank third-party vendor relationships according to their risk profile to determine which vendors require closer monitoring. Management should base the rankings on the residual risk of the relationship after analyzing the quantity of risk relative to the controls over those risks.
Business Continuity and Contingency Plans
A financial institution’s disaster recovery and business continuity plans should address critical outsourced services. In addressing outsourced services, an institution needs to assess the ability of these critical third-party vendors to implement their disaster recovery and business continuity plans as well as whether their recovery and business continuity plans align with the institution’s plan. Therefore, an institution should understand all relevant third-party vendors’ business continuity requirements, incorporate those requirements within its own business continuity plan, and ensure that third-party vendors test their plans annually. Management should require third-party vendors to report all test results and to notify the institution after any business continuity plan modifications. The institution should integrate vendors’ business continuity plans into its own plan, communicate roles and responsibilities to the appropriate personnel, and maintain and periodically review the combined plan.
Additionally, cyber resilience is crucial in today’s high-threat environment because it reflects an institution’s ability both to prevent a cyberthreat from having an impact and to recover systems and processes following cyber-related incidents of all types and levels of impact. If cyber resilience is not properly managed, a financial institution’s recovery from a cyber-related incident may be unnecessarily delayed, lead to financial and legal repercussions, or preclude the institution from recovering at all. This is why it is important to include a cyber event in business continuity training and testing, both with employees and with an institution’s third-party vendors.
Common Vendor Risk Management Program Weaknesses
Examiners have observed the following weaknesses in institutions’ vendor risk management programs:
- Insufficient oversight by the institution’s board of directors
- Lack of a formal documented outsourcing policy
- Vague contract terms and requirements that lack specificity on a third-party vendor’s performance or contract terms that favor the service provider or third-party vendor
- Third-party vendor performance reviews conducted by inexperienced institution personnel
- Inadequate disaster recovery tests between a third-party vendor and the institution as well as tests that do not address a possible cybersecurity event
- Information security and cybersecurity procedures of the third-party vendor that are not adequately reviewed and assessed by the institution
- Inappropriate risk ratings assigned by the institution to its critical third-party vendors
The current regulatory guidance applies to outsourced activities beyond core bank processing and information technology-related services. Third-party vendors that an institution categorized several years ago as minor, lower-tier, lower-risk service providers may today pose risks comparable to those of a major core processor. For example, an appraisal company or a loan collections recovery firm that has access to a financial institution’s sensitive nonpublic data or networks can pose substantial risk if not properly managed. An effective vendor risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk associated with each third-party vendor relationship.
In summary, community banks should have a comprehensive outsourcing risk management process to govern their third-party vendor relationships. The process should include risk assessment, selection of third-party vendors, contract review, and monitoring of the performance of third-party vendors. Third-party vendors should be subject to the same risk management, security, privacy, and other policies that would be expected if an institution were conducting the activities in-house.
- Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook InfoBase, available at ithandbook.ffiec.gov/it-booklets.aspx.
- FFIEC IT Examination Handbook InfoBase: Outsourcing Technology Services, June 2004, available at ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx.
- SR letter 16-14, "FFIEC Information Technology Examination Handbook — Information Security Booklet," September 19, 2016, available at www.federalreserve.gov/bankinforeg/srletters/sr1614.htm.
- SR letter 16-11, "Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less Than $50 Billion," June 8, 2016, available at www.federalreserve.gov/bankinforeg/srletters/sr1611.htm.
- SR letter 13-19/Consumer Affairs (CA) letter 13-21, "Guidance on Managing Outsourcing Risk," December 5, 2013, available at www.federalreserve.gov/bankinforeg/srletters/sr1319.htm.
- SR letter 13-1/CA letter 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing," January 23, 2013, available at www.federalreserve.gov/bankinforeg/srletters/sr1301.htm.
- SR letter 12-14, "Revised Guidance on Supervision of Technology Service Providers," October 31, 2012, available at www.federalreserve.gov/bankinforeg/srletters/sr1214.htm.
- SR letter 03-5, "Amended Interagency Guidance on the Internal Audit Function and Its Outsourcing," April 22, 2003, available at www.federalreserve.gov/boarddocs/srletters/2003/sr0305.htm.
1. See SR letter 13-19, “Guidance on Managing Outsourcing Risk,” available at www.federalreserve.gov/bankinforeg/srletters/sr1319.htm.
2. See SR letter 13-19.