the hazards of vendor management - presented to nc bankers association by richard lafferty and...


BANK VENDOR MANAGEMENT: UNDERSTANDING THE RISK MANAGEMENT LIFE CYCLE AND AVOIDING THE PITFALLS

MARCH 25, 2015

These materials have been prepared by Poyner Spruill LLP for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.

Overview

• Goals of Session
– Understand risks associated with using vendors
– Understand general regulatory requirements
– Understand how to identify “critical vendors”
– Understand the risk management life cycle

Understanding Vendor Risks

• “The buck stops with YOU”: Reliance on outside vendors (including compliance consultants) to provide services or operations to the bank does not relieve a bank from potential liability or from its responsibility to ensure that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws.

• As a result, problems experienced by vendors can become the bank’s problems.

Vendor Risks: Cautionary Tales

• In 2014, the OCC and CFPB assessed $57 million in fines and restitution against U.S. Bank in Cincinnati for overcharging more than 420,000 consumer accounts for add-on services (such as credit monitoring and identity theft protection). The accounts were charged by the vendor, Affinion, and its subsidiary Trilegiant, and the errors were discovered by the bank. The bank terminated the vendor relationship but was still fined two years after the relationship ended.

• In October 2012, Hurricane Sandy flooded a processing center of banking software provider Jack Henry & Associates. Bank clients had transaction processing disruptions and, in 2013, the vendor faced regulatory enforcement action for failure to resume operations in a timely manner.

• In 2013, First California Bank was fined by the FDIC for unfair and deceptive trade practices because its vendor Achieve promoted certain features on Achieve’s website related to a prepaid reloadable MasterCard product that weren’t actually available.

• In 2012, the OCC fined Capital One Bank $35 million for failure to develop a comprehensive enterprise risk management system after one of its vendors was offering debt cancellation and credit monitoring programs in an unfair and deceptive manner.

• In 2012, the FDIC and FinCEN fined First Bank of Delaware $15 million for failure to implement an effective BSA/AML compliance program – specifically, failure to adequately oversee payment processor relationships and related products and services in a manner commensurate with associated risks.

Categories of Vendor Risks

• Reputation risk. Reputation risk is the risk arising from negative public opinion. Vendor relationships that result in dissatisfied customers, interactions not consistent with institution policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of law and regulation are all examples that could harm the reputation and standing of the financial institution in the communities it serves. Also, any negative publicity involving the vendor, whether or not the publicity is related to the institution's use of the vendor, could result in reputation risk to the institution itself.

• Operational risk. Operational risk is the risk of loss resulting from inadequate or failed internal processes, personnel, and systems, or from external events. Vendor relationships often integrate the internal processes of other organizations with the bank's processes and can increase the overall operational complexity.

• Transaction risk. Transaction risk is the risk arising from problems with service or product delivery. A vendor's failure to perform as expected by customers or the financial institution due to reasons such as inadequate capacity, technological failure, human error, or fraud exposes the institution to transaction risk. The lack of effective business resumption and contingency plans increases transaction risk. Weak control over technology used in the vendor arrangement may result in threats to security and the integrity of systems and resources. These issues could result in unauthorized transactions or the inability to transact business as expected.

• Financial or credit risk. Financial or credit risk is the risk that a vendor, or any other party necessary to the vendor relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed. Thus, the financial condition of the party is a key factor in assessing credit risk.

• Legal and compliance risk. Legal risk arises when a vendor exposes a financial institution to legal expenses and possible lawsuits or even criminal charges. Compliance risk arises when a vendor violates applicable laws, rules or regulations or the institution’s own internal policies/procedures or business standards.

• Other risks. The types of risk introduced by an institution's decision to use an outside vendor cannot be fully assessed without a complete understanding of the resulting arrangement, and even then it may be difficult if not impossible to identify all potential risks in advance. Thus, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible.

Regulatory Requirements

• Bank regulators seek to mitigate the risks described above by requiring institutions to implement and maintain vendor management controls.

• Vendor oversight is not new. Traditionally, this area has been regulated from a safety and soundness standpoint.

• In the past, regulators’ concerns were mainly focused on IT capabilities, information security, service level standards and the like. Cybersecurity and guarding against customer data breaches are still at the top of the list, but now there is also increasing scrutiny in other areas.

• Regulators now expect financial institutions to appropriately assess, measure, monitor and control a broader spectrum of service provider risks.

• Vendor risk management is expected to be addressed in the bank’s compliance management policies/procedures and systems.

Regulatory Requirements (Dodd-Frank)

• Dodd-Frank vests the CFPB with supervisory and enforcement authority over large (greater than $10 billion in assets) insured banks and credit unions, certain non-depository consumer financial services companies, and each of their affiliates and service providers. For institutions up to $10 billion, the CFPB may require reports relating to consumer financial protection and may participate in prudential regulators’ consumer financial protection examinations on a “sampling” basis, but it does not have direct supervisory/enforcement authority. It does, however, have direct supervisory/enforcement authority over service providers that serve a substantial number of smaller insured depository institutions. The CFPB’s primary focus is to determine compliance with federal consumer protection laws and regulations, and it will “take a close look at service providers’ interactions with consumers.”

Regulatory Requirements (Sources of Recent Guidance)

• FDIC Letter FIL-13-2014, “Technology Outsourcing: Informational Tools for Community Bankers” (April 7, 2014)
• FDIC Compliance Manual Section VII-4.1, “Abusive Practices – Third Party Procedures” (January 2014) (content is similar to earlier FDIC Letter FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008))
• FRB Letter SR 13-19, “Guidance on Managing Outsourcing Risk” (December 5, 2013)
• OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (October 30, 2013)
• FDIC Letter FIL-46-2012, “Supervision of Technology Service Providers and Outsourcing Technology Services” (November 6, 2012)
• CFPB Bulletin 2012-03, “Service Providers” (April 13, 2012)

Vendor Risk Management Programs

• A bank should implement and maintain a vendor risk management program that is commensurate with the level of risk and complexity of its vendor relationships.

• The program should ensure that for critical vendors the risk management and oversight of the vendor relationship is “comprehensive.”

• Aspects of vendor risk management itself may be outsourced (for example, to consultants specializing in this area), but this does not diminish the responsibility of the bank’s board of directors and senior management to ensure that vendor risk is addressed in a safe and sound manner and in compliance with applicable laws.


Critical Vendors

• As stated above, a bank should adopt comprehensive risk management and oversight of relationships with critical vendors.

• When a vendor relationship is or becomes “critical” may not always be clear, and it may vary depending on the bank, its business mission and other factors. There is, however, some guidance from regulators.

• Generally, a vendor relationship is critical if it involves critical bank activities such as payments, check clearing, or custodianship of funds; significant shared services like information technology; or other activities that:
– could cause a bank to face significant risk if the vendor fails to meet expectations
– could have significant adverse customer impacts
– require significant investment in resources to implement the vendor relationship and manage the risk
– could have a major impact on bank operations if the bank has to find an alternate vendor or if the outsourced activity has to be brought in-house

Critical Vendors (Examples)

• An online banking/bill pay or mobile banking/deposit platform service provider is clearly a critical vendor.

• Vendors providing consumer disclosure software for loans, credit cards, deposit accounts, etc., are likely critical, due to the problems that can ensue from errors.

• A lawn maintenance service for one or more branches would not be a critical vendor.

• What about janitorial services? The answer may not be clear-cut. Probably not “critical,” but they would have access after hours to bank premises where confidential customer and other information is kept. Thus, at a minimum, careful attention should be given in choosing the vendor and in contract negotiations to things like company reputation, personnel background checks, and bonding/insurance requirements.

Community Banks

• Smaller banks tend to rely on vendors more than their larger peers, which have more resources to keep functions in-house. Smaller banks also often have more limited resources to monitor vendors. See, for example, “Regulators step up focus on cybersecurity at community banks,” charlotteobserver.com, January 30, 2015.

• FRB acknowledges that community bank programs may be simpler and utilize fewer elements/considerations than those of larger banks.

• OCC note on community bank compliance: Vendor risk management guidance applies to all banks with outside vendor relationships. A community bank should adopt risk management practices commensurate with the level of risk and complexity of its vendor relationships. Just as with larger institutions, a community bank’s board and management should particularly focus on identifying those relationships that involve critical activities and ensuring that the bank has risk management practices in place to assess, monitor and manage the risks.

Risk Management Life Cycle

Risk Management Life Cycle (Overview)

• A bank’s vendor risk management program should, at a minimum, address the following processes:
– Planning and Risk Assessment. The bank should assess risk and options for controlling risk through vendor agreements.
– Due Diligence and Selection. The bank should select only qualified entities to implement the activity or program.
– Contract Negotiating and Review. The bank should ensure that the specific expectations and obligations of both the institution and the vendor are outlined in a written contract prior to entering into the arrangement.
– Ongoing Monitoring and Oversight. The bank should perform continuing oversight of the operational and financial performance of the vendor on an ongoing basis to meet the terms of the contract.
– Termination. Contingency plans must ensure that the bank can transition the activities to another vendor, bring them in-house, or discontinue them when a contract expires or the terms of the contract have been satisfied, in response to a default under the contract, or in response to changes in the bank’s or vendor’s business strategy.

• In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:
– Accountability and oversight. Assigning clear roles and responsibilities for managing vendor relationships and integrating the bank’s vendor risk management process with its enterprise risk management framework enables continuous accountability and oversight.
– Documentation and reporting. Proper documentation and reporting facilitates accountability, oversight and risk management associated with vendor relationships.
– Independent reviews. Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by vendor relationships.

Risk Management Life Cycle (Accountability)

• The bank’s board of directors (or a board committee) and senior management are responsible for overseeing the bank’s overall risk management processes. The board, senior management, and employees within the lines of business who manage vendor relationships have distinct but interrelated responsibilities to ensure proper management of outside service provider risk.

• Board of directors responsibilities include:
– Ensure an effective vendor risk management process is in place consistent with the bank’s strategic goals, organizational objectives, and risk appetite.
– Approve the bank’s risk-based policies that govern the vendor risk management process and identify critical activities.
– Review and approve management plans for using vendors that involve critical activities.
– Review summary of due diligence results and management’s recommendations to use vendors that involve critical activities.
– Approve contracts with vendors that involve critical activities.
– Review the results of management’s ongoing monitoring of vendor relationships involving critical activities.
– Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
– Review results of periodic independent reviews of the bank’s vendor risk management process.

• Senior bank management responsibilities include:
– Develop, establish and implement the bank’s vendor risk management process.
– Develop plans for engaging vendors and identify those that involve critical activities.
– Ensure appropriate due diligence is conducted.
– Review and approve contracts with vendors.
– Ensure ongoing monitoring of vendors.
– Ensure appropriate documentation and reporting throughout the life cycle for all vendor relationships.
– Ensure periodic independent reviews of vendor relationships.
– Hold accountable bank employees who manage relationships with vendors.
– Escalate issues involving critical vendors to the board as necessary.
– Terminate arrangements with vendors when appropriate.

• Bank employee responsibilities include:
– Conduct due diligence of prospective vendors and report results to senior management.
– Perform ongoing monitoring of vendors and ensure compliance with contract terms, service level agreements, bank policies, etc.
– Ensure that the bank and/or vendor addresses any identified problems.
– Escalate significant issues to senior management.
– Notify the vendor of any significant operational issues at the bank that may affect the vendor.
– Maintain appropriate documentation throughout the life cycle of the relationship.
– Recommend termination of arrangements with vendors when appropriate.

Risk Management Life Cycle (Independent Reviews)

• Senior management should ensure that periodic independent reviews are conducted on the bank’s vendor risk management process, particularly when a bank involves vendors in critical activities. The bank’s internal auditor or an outside auditor may perform the reviews, and senior management should ensure that the results are reported to the board.

Risk Management Life Cycle (Documentation)

• A bank should properly document and report on its vendor risk management process and specific arrangements throughout their life cycle. Proper documentation and reporting facilitates the accountability, monitoring and overall risk management associated with vendor relationships and typically includes:
– approved plans for the use of vendor relationships
– a current inventory of all vendor relationships, identifying critical vendors
– due diligence results and recommendations
– analysis of costs associated with each vendor relationship
– maintenance of executed contracts and any amendments
– regular performance and other reports required from the vendor (for example, audit reports, security reviews, and reports showing performance in relation to service level agreements)
– regular reports to the board and senior management on the results of independent reviews of the bank’s risk management processes and the monitoring of vendors involved in critical activities

Risk Management Life Cycle (Regulatory Reporting)

• Bank Service Company Act (12 U.S.C. Sec. 1863, 1867):
– notice required to primary federal regulator of certain vendor arrangements, which are then subject to regulation and examination by the regulator to the same extent as if the services were performed by the regulated institution itself
– notice must be given within 30 days after the contract is executed or performance begins, whichever occurs first
– applies to:
• check and deposit sorting and posting
• computation and posting of interest and other credits and charges
• preparation and mailing of checks, statements, notices and similar items
• any other clerical, bookkeeping, accounting, statistical or similar functions

Risk Management Life Cycle (Planning/Risk Assessment)

• Planning and risk assessment are fundamental to the initial decision of whether to enter into a vendor relationship with respect to any product or service. Questions to be answered should include:
– Is the function in question appropriate for outsourcing or better handled in-house?
– Is the proposed relationship consistent with the bank’s strategic planning and business strategy?
– What are the benefits, costs, legal considerations and potential risks associated with using an outside vendor (or any particular vendor)?
– What is the bank’s ability to provide adequate ongoing oversight over the vendor relationship?
– What is the long-term financial impact of the proposed relationship?

• Upon completion of the risk assessment phase, the bank may want to develop a detailed business requirements document for significant or critical services to assist in the task of selecting a vendor.

Risk Management Life Cycle (Due Diligence)

• Due diligence is the process of ensuring that only qualified vendors are selected, particularly to provide significant or critical services. The scope of due diligence may vary depending on the importance of the services and risk to the bank. If applicable, the bank should review a prospective vendor’s due diligence process for selecting subcontractors, and the bank may do its own due diligence on subcontractors.

• Due diligence is not a one-time event. It should be performed prior to selecting a vendor and periodically during the relationship, such as when considering a contract renewal.

• “Risk scoring” of vendors is gaining popularity among regulators.

• In conducting due diligence, a bank should assess:

• Technical and Industry Expertise
– assess vendor’s business reputation and experience and ability to provide services to meet present and future needs
– evaluate principals, key project personnel and any subcontractors
– assess knowledge of laws/regulations
– verify any required licenses, certifications, etc.
– consider intangibles (values, culture, etc.)
– identify areas where the bank may need to supplement the vendor’s expertise to reduce risk

• Operations and Controls – as applicable, evaluate (through audit reports, etc.) adequacy of:
• vendor’s risk management program, including policies, processes and internal controls
• facilities management (for example, access requirements)
• training for employees (including compliance training)
• data security
• privacy protections
• employment policies including background checks
• insurance coverage (liability, fire and other hazards, fidelity, errors and omissions, etc.)
• records maintenance (including whether the bank will have timely access to its data maintained by the vendor)
• business resumption and contingency planning

• Financial Condition
– analyze vendor’s financial statements, annual reports, SEC filings, etc.
– analyze market share (and whether trending up or down)
– consider financial impact of proposed contract on vendor
– assess vendor’s technological expenditures and whether it has adequate resources to invest in and support necessary technology
– examine significant complaints, litigation or regulatory actions that might affect the vendor’s financial condition

• Special consideration should be given to proposed vendor relationships with affiliated parties and parties that may be wholly or partially foreign based or that use foreign subcontractors.

• Agreements with affiliated parties must still be on an “arms-length” or substantially “market terms” basis, in accordance with applicable guidance and regulations such as Regulation W.

• Vendors with foreign aspects should be evaluated for additional risks of doing business in the applicable country or countries (for example, risks involving the economic, social, political or military environment) and for the vendor’s ability to comply with applicable U.S. laws, regulations and guidance.

Risk Management Life Cycle (Contracts)

• Any vendor risk identified in the risk assessment or due diligence phase should be addressed in the vendor contracts themselves.

• The contract is critical in satisfying the requirement of oversight – supplier’s controls, conditions, performance, etc.

• Without an adequate contract, there is no effective way to satisfy regulatory obligations.

• Counsel should review all significant vendor contracts.

• General principle: the scope of services being provided and the risks associated with those services determine:
– required contract provisions
– importance of contract provisions
– level of detail in contract provisions

• Required/Suggested Provisions
– scope of services
– performance standards
– security and confidentiality
– controls
– audits and other reports; regulatory oversight
– compliance with laws
– business resumption and contingency plans
– subcontracting (including “offshoring”)
– access to or use of bank’s premises, equipment, and employees
– insurance

• Required/Suggested Provisions (continued)
– costs and compensation
– use of intellectual property and other property
– customer complaints
– duration
– dispute resolution
– indemnifications
– limitations of liability
– default and termination
– assignment

• Scope of Services
– specifications for services and vendor’s obligations
– bank’s obligations
– time frames for performance
– party responsible for delivering any required customer disclosures
– notification to bank and bank’s approval rights regarding material changes to services, systems, controls, personnel, locations, etc.
– guidelines for modifying or adding services or renegotiating contract

• Performance Standards
– minimum service levels
– remedies/penalties for failure to meet service levels

• Security and Confidentiality
– limits on use and disclosure of information
– compliance with privacy and other laws and bank’s privacy policy
– notification of breaches of security
– corrective actions
– responsibilities relating to destruction/return

• Controls
– internal controls of vendor
– records to be maintained by vendor and bank’s access to records
– parameters relating to any financial functions, such as payment processing or extensions of credit

• Audits and Reports; Regulatory Oversight
– types: financial, internal controls, security reviews, other reports
– internal vs. external audits; on-site examinations by bank
– frequency and timeliness
– costs
– resolution of deficiencies
– access by regulators (now includes CFPB under Dodd-Frank)

• Compliance with Laws
– vendor’s agreement to comply

• Business Resumption and Contingency Plans
– natural disasters or man-made causes
– backup systems and record protection
– right of bank to obtain copy or summary
– testing and results of testing; at least annual typical for critical services
– costs
– frequency of updates
– notification when implemented

• Subcontracting
– “hot button” issue with examiners
– bank to approve significant subcontractors
– primary vendor to be responsible
– notice and approval of changes

• Offshoring
– either foreign vendors or domestic vendors with foreign operations or subcontractors
– privacy/confidentiality of customer information and bank records in compliance with U.S. laws
– all information transferred offshore remains bank’s property and will be returned at termination
– authority of U.S. regulators to examine offshore activities
– choice of governing law and jurisdiction for disputes

• Access to or Use of Bank’s Premises, Equipment, Employees
– conditions for access to premises and/or equipment
– provisions covering vendor’s use of bank employees

• Insurance
– required coverages
– notice to bank of changes

• Costs and Compensation
– fees/calculations for base services
– charges based on activity
– charges for nonrecurring items, special requests or services
– costs/responsibility for purchase and maintenance of hardware and software
– cost increases and limits
– compensation schemes must be carefully structured for safety and soundness

• Use of Bank’s Intellectual and Other Property
– ownership
– allowable use
– work products developed by vendor for bank
– timely return of items

• Customer Complaints
– Bank or vendor to respond?
– if vendor responsible, send copies with responses to bank
– periodic reports regarding status and resolution

• Duration
– consider technology involved and state of industry
– benefits of longer terms vs. wisdom of shorter terms for rapidly changing technologies
– coordination of interrelated contracts

• Dispute Resolution
– consider process to resolve problems/disputes expeditiously

• Indemnifications
– mutual indemnification provisions
– should be carefully reviewed
– bank ultimately responsible for safety/soundness and compliance

• Limitations of Liability
– supplier may attempt to limit its liability
– bank must consider whether reasonable in light of anticipated loss from failure to perform

• Default and Termination
– what constitutes default, remedies, opportunity to cure
– termination provisions vary with the service; common termination triggers include:
• convenience
• change in control
• substantial cost increases
• failure to meet service levels or otherwise perform
• insolvency
– ability to timely terminate without prohibitive expense/penalties
– adequate time for notice and transition
– return/destruction of bank’s data, records, other property

• Assignment
– no assignment without bank’s consent
– no changes to subcontractors without bank’s consent

Risk Management Life Cycle (Oversight)

• In general
– regularly evaluate relationship in light of bank’s strategic goals
– meet as needed with vendor personnel to discuss performance, etc.
– oversight activities vary with services

• Monitor Financial Condition and Operations
– evaluate financial condition at least annually
– ensure vendor meeting obligations to subcontractors and others
– review audit and other reports and evaluate vendor’s systems and controls; follow up on deficiencies
– review vendor’s adherence to policies regarding internal controls, security, backup plans, etc.
– monitor compliance with laws and regulations
– assess effects of changes in personnel
– review insurance coverage
– review licensing/registration requirements

• Assess Quality of Service and Support
– review performance reports; follow up on deficiencies
– evaluate vendor’s ability to support bank’s strategic direction
– evaluate adequacy of training for vendor/bank employees
– review customer complaints; follow up as needed

• Monitor Contract Compliance and Revision Needs
– review service level performance
– determine whether other contract terms are being met
– assess whether revisions to service levels or other terms needed
– review invoices for proper charges and appropriateness of any price changes
– monitor external environment (regulatory changes, economic conditions, competition, etc.) to determine if contract revisions (or termination) needed

• Monitor Business Resumption and Contingency Plans
– review plans to ensure any critical services can be restored in acceptable time
– review testing program and results

Risk Management Life Cycle (Termination)

• A bank may terminate vendor relationships for various reasons, including:
– expiration or satisfaction of the contract
– desire to seek an alternate vendor
– desire to bring the activity in-house or discontinue the activity
– breach of contract

• The bank’s policies should ensure that relationships terminate in an efficient manner, whether the activities are transitioned to another vendor or in-house, or discontinued. In the event of contract default or termination, the bank should have a plan to bring the service in-house if there are no alternative vendors. This plan should cover:
– capabilities, resources, and the timeframe required to transition the activity while still managing legal, regulatory, customer, and other impacts that might arise
– risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the vendor relationship
– handling of joint intellectual property developed during the course of the arrangement
– reputation risks to the bank if the termination happens as a result of the vendor’s inability to meet expectations
– the extent and flexibility of termination rights, which may vary with the type of activity

Questions?

• Chris Roede, [email protected], 919-783-2932
• Bardin Simmons, [email protected], 919-783-1031
• Richard Lafferty, [email protected], 704-342-5269
• Martha Svoboda, [email protected], 919-783-2840