Vendor relationships are a reality for virtually every shape, size, and kind of business. On any given day, you might have people who come into your bank to do simple things like deliver coffee or clean your offices. You’re almost just as likely to have outside providers who are handling complicated tasks like managing your servers. Though the coffee guy might not have access to private data, every vendor relationship brings with it some degree of risk. Knowing how to quantify that risk and engage proper security protocols are vital to the resilience and reputation of your institution.
We recommend that banks focus on four key areas of vendor management areas to protect the organization, its employees, its customers—and the provider with whom you have contracted.
You have selected a vendor, and are ready to enter into a contract. At this earliest point in the relationship, engage a lawyer to establish specifications and requirements that must be followed by all parties. These contracts will detail the current scope of services and product specifications, roles and responsibilities, compliance requirements, and service levels. It is just as important to take into account potential near-term regulations that could impact the institution and its vendor management processes. Government and regulators add new laws and guidelines (e.g., FFIEC) constantly, so vigilance is central to your ability to manage your vendors proactively. For instance, if new compliance stipulations alter expectations for the vendor, bank management should be prepared to revise contract language to spell out the changes and new contractual obligations for both parties, so you can reach mutual understanding and agreement before the revised contract must be signed.
Not all vendor relationships are equally complicated. Annually, if not quarterly, designated personnel should review the vendor list and qualify them by risk. For each vendor identified as high risk, business management should evaluate the function performed by the vendor and confirm that the controls in place are sufficient and followed by all parties.
High-risk vendors include those that handle sensitive documents/data (physical and electronic), have physical access to key business locations, manage or monitor the security for major company applications, and analyze financial or customer data.
Possible examples of controls could be as follows:
Designated compliance personnel—within the bank or via an outside party – should review the controls in place for each vendor and test that they are operating efficiently. Because of the size of some vendors (e.g., Microsoft, Google) and the multitude of requests they receive, be aware that you may receive an SSAE 16 report detailing the controls that the company has in place around the designated function that the business uses. Obtain the SSAE 16 report for each identified vendor on an annual basis and review/test the controls defined in the ‘User Controls Considerations’ section of the report to ensure those controls are in place and being followed by their personnel. Upon finishing the review, management should be able to gauge whether any gaps or issues exist or if the vendor should put any additional controls in place.
When entering into a contract, you will perform due diligence to ensure the vendor is financially stable. This review process should not be limited to the point of contract inception. (No business wants to enter into a contract with a vendor and only to have the service or product no longer offered or supported as a result of bankruptcy.) On an annual basis, bank management should request relevant financial documentation from each contracted vendor. A trusted and unbiased third party group/advisor should perform a thorough financial analysis for each contracted vendor. If the assessment indicates they are financially unstable or on a downward trajectory, consider alternative providers (particularly if this is a complex or high-security provision) or renegotiate the contract to allow for better protection in the event the vendor was to fail.
Vendor contracts are only worthwhile if you read them and hold the vendor to the contract terms. You expect a vendor to respond to an issue or provide support within an allotted timeframe, so it’s important to have the discipline to review them for compliance. For example, if a service or application is required to have certain security measures built in, make you know the security parameters, ensure they are properly set up, and that that they continue to operate as required. Again, annually, if not more frequently, review your vendor contract terms to ensure they are being met. If management determines that the vendor is not meeting contract terms, you have cause to end a contract or renegotiate the terms of the agreement.
Coffee delivery notwithstanding, vendor relationships tend to be critical and expensive. The company you have enlisted for a product or service should be clear on the expectations and intent on exceeding them. Just like any relationship, success takes intentionality, agreement, and effort from both sides. A joint, consistent vendor management process can help your bank and its providers to operate smoothly and securely for the good of both organizations and the customers who rely on you.
Join the conversation and receive updates of new posts: