Broadened Regulatory Guidance
Recent regulatory guidance from multiple agencies is creating a focus on the need for broader risk management practices in the area of operational risk from third-party service providers. Information Technology or Security controls provide a more black and white approach to compliance, while operational risk can feel more like a grey zone depending on the scope and risk level. Building operational risk into your existing third-party or vendor risk management process is a key component of developing the holistic approach the regulators expect.
Almost every banking organization uses third-party vendors today to help accomplish their goals and objectives cost effectively. The presence of third-party vendors within financial institutions began with technology service providers. Now, outsourcing touches nearly all aspects of a financial institution’s business, from branch operations to marketing and web management. The OCC recently updated guidance on oversight of third-party risk in service provider relationships.
While the OCC has oversight of nationally chartered institutions, the guidance also sets out the expectation that community banking organizations adopt a risk-based approach to applying its principles. Although a financial institution may successfully manage third-party relationships, it has much less control over vendor accountability – particularly when it comes to operational business or reputation risks. Your service provider is acting on your behalf, whether the regulatory driver is business continuity, information security, IT operations, consumer protection or direct marketing. As such, that vendor and its controls need to be integrated into your organization’s internal risk and compliance assessment.
Structuring and maintaining an ongoing vendor management program requires integration of multiple regulatory and risk drivers. In today’s market, vendors are a critical part of your overall security and risk assessment. Your organization should not only audit and review vendors objectively, but also look at ways in which the business partnership can help you meet the industry’s risk management expectations.
The Risk and Vendor Management Lifecycle
Most vendor management efforts focus on due diligence at vendor selection or during merger and acquisition efforts. However, effective vendor oversight requires ongoing due diligence for existing providers to adjust for changing market and organizational risks.
Regulatory expectations are focusing on the risk or vendor management lifecycle – building processes for each stage: planning, due diligence and selection; on-boarding of requirements; continuous monitoring; termination or off-boarding. The driver is to demonstrate more oversight of the lifecycle functions in how they are governed, with an assessment of process maturity.
Best Practice Focus Areas
Current market compliance trends show an uptick in compliance oversight across product lines. Organizations need to risk assess their offerings to see whether they have triggered new compliance obligations or risks relating to consumer protection or Unfair and Deceptive and Abusive Practices (UDAAP). This requires an expansion of traditional “vendor risk” programs to address the non-IT activities that relate more to business processes and sales practices.
Documentation and Reporting
Oversight and Accountability
Independent Reviews
To ensure effective, consistent oversight, your vendor management policy and governance framework should identify how you will inventory your vendors, the measures you will use to assess the activities they perform and the risk criteria you will apply to evaluate their controls.
The Maturity of Your Processes
Effective third-party assurance does not need to be overly complex, but should be repeatable, adaptable and formalized. For example:
Linnea Solem is the Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.
Reposted with permission from Forward Banker