February 6, 2014
Authored by: Bryan Cave Leighton Paisner
… and not micromanage your vendors!
A cursory review of the Risk Management Guidance issued by the Office of the Comptroller of the Currency (OCC), and similar guidance from the Federal Reserve, may impart the notion that a financial institution is obligated to essentially run its vendor’s business as well as its own, meticulously examining every policy and procedure for each of its vendors and testing operational compliance issues. (See OCC Bulletin 2013-29 Third-Party Relationships (October 30, 2013))
Despite the initial impression, a financial institution can implement a vendor management and monitoring program that is both prudent and practical. Focusing on both the spirit and detail of the regulatory guidance can be essential. Institutions have an overarching obligation to manage their risk and ensure that vendors are conducting business in a way which is “safe and sound and in compliance with all applicable laws.” The level of risk and complexity of the vendor activity are key factors to consider.
A variation of a few idioms provide some practical guiding principles:
- An ounce of prevention is worth a pound of cure. The key to vendor management is selecting the vendors. Say it with me “due diligence, due diligence, due diligence.” This is the time to ask all of the probing questions and look behind the documents to verify the information. If a vendor represents that its employees have all of the necessary certifications, ask for proof for your records. Have the vendors certify to you that they have not been subject to any sanctions, penalties or verified complaints from the licensing or state business organization. You can build these representations into your contract terms as well. Also, you should confirm the level of experience that your vendors’ employees have in the particular subject area in which you intend to engage them. Be sure to consider functions that are closely related to the particular subject area. For example, if you are hiring a disaster recovery company, research whether it can provide you with periodic data backup and not just restore access to data from weeks or months ago.
- One size does not fit all. Assess which areas pose the greatest risk to your business; these areas should receive more detailed monitoring. Generally, your information technology vendors will always fall into this area. For mortgage servicers, foreclosure law firms are at the top of the list, while prepaid program providers rise to the top for institutions who offer prepaid card products. A good rule of thumb is to ask: does the vendor have direct contact with your customers or have direct access to your customer’s private information? If yes, that is where you need to have more comprehensive monitoring.
- Play nice. Work with your vendors, not against them. Your vendors work in this area all of the time but your monitoring team may not. There are likely some nuances to the subject area where your vendors can offer some insight. You will save a lot of resources (time and money) if your monitoring group is not imposing requirements based on an inaccurate assumptions about the business operations and/or interpretation of state or local law. Your vendors are on the front line and may be able to offer insight into new regulations or practices. Nuances matter, so work to develop a collaborative understanding of the them from each parties’ perspective. Approach your monitoring program as a partnership, applying remedial action as necessary, and you will reach a better result for everyone.
- What gets rewarded gets done. Be careful about how you rate and compensate your vendors. If your performance measurement and compensation is based on speed, you risk that your vendors will focus on speed and not quality. This may sounds like common sense, but look closely at your performance markers and you may discover that many of them are measured by the time required to complete the task. Risk Management likely requires a focus on quality, efficiency and effectiveness.
- The left hand needs to know what the right hand is doing. Your monitoring team and your business groups need to communicate. Although your monitoring team should be independent from the employees in your business group, your business group needs to be informed about vendor performance issues identified by your monitoring team. For instance, your business group may inform you of related issues with a multi-state vendor’s other locations. Key information includes the scope of work, the volume of work and the location of the work. Monitoring needs to reflect all those factors. Activities and outcomes for one segment of work may impact the need for monitoring in other segments.
About the Author. Karen N. Louis is a regulatory compliance attorney with Bryan Cave LLP and has served as in-house counsel for a national bank developing and implementing its vendor management program.