BANKTHINK

Managing Vendors Involves Managing Risk

APR 4, 2013 9:00am ET

The first three enforcement actions of the Consumer Financial Protection Bureau resulted in a combined $101.5 million in fines plus $435 million in restitution for the involved financial institutions. But what caught our attention was that all three actions cited flaws in how those banks monitored vendors.

In the action against American Express, for example, federal regulators attributed all but one of the violations "to deficient management oversight of the bank’s service providers."  

A new regulatory environment is only one of the pressures increasing on the once-insular world of financial operations. Ever-more-complex supply chains must become productive as competitors threaten. Meanwhile, operations must retain high effectiveness as more informed consumers make more sophisticated demands.

In response to these pressures, many financial institutions have increasingly relied on third parties. Most large institutions have over 1,000 vendors; many have tens of thousands. Although vendors can perform work efficiently, many banks lack intelligence about how their vendors manage risks.

In regular reviews of vendor risk management in the financial institutions domain, we find that banks are increasingly concerned about vendor risk: the large number of suppliers represents a new risk environment, they say, with less control than they’d like. But they don't have consistent methods for rigorously vetting those risks—and the task strikes many as potentially onerous.

Vendor risk management is indeed the most pressing challenge in financial operations risk management today. But we also believe it can be more effective and less expensive than some banks fear. In our view, banks should make three key shifts in perspective to effectively address these issues.

First, banks should broaden their approach to the types of risks they assess. Too often, vendor risk management has been limited to one or two critical dimensions such as information security or physical security. Regulators are now interested in many different types of risk. Our assessments have found that cross-portfolio risks regarding concentration and geography are among the types most commonly overlooked.

Given the broader set of risks that we recommend examining, treating every vendor exactly the same would make the work of risk assessment unduly onerous. Instead, as a second shift, we suggest applying a custom lens to the vendor portfolio: grouping vendors into logical categories that need to be assessed only for a subset of applicable risks.

For example, if a vendor has contact with customers, it needs scrutiny to avoid fraud, mis-selling, etc. But if not, these risks will not need to be evaluated. This approach avoids a common pitfall wherein banks review each vendor in their portfolio using a one-size-fits-all lens. The custom approach can significantly reduce workload.

This leads to our third shift: Automation and effective organizational structures can improve both efficiency and consistency. A central team should set policies and guidelines to ensure consistency in implementation and reporting, while business units and functions govern and manage risks for vendors assigned to their respective groups.

Each of our recommendations involves a high-level perspective on vendor risks. This is valuable for several reasons. First, as discussed, it improves efficiency. Second, regulators will be assessing a bank's overall preparedness to react to risk events—its holistic view of enterprise risk. The more a bank understands the big picture of vendor risks, the better it can fit them into enterprise risks.


Comments (3)
Good article. Choosing and monitoring vendors is part of operational risk, that is, the breach in day to day activities due to people, technology, processes, and external threats. Any kind of outsourcing such as hiring vendors is part of external threats. So long as banks and other companies ignore operational risk (http://bit.ly/WeXy4H), they will continue to be undercapitalized for these events.
Posted by Mayra Rodriguez Valladares, MRV Associates | Thursday, April 04 2013 at 12:46PM ET
Actually the responsibility of banks in properly managing their third parties is clearly defined and has been for years in the public OCC Examination Guide. Yet the constant excuse that it isn't a bank's responsibility still seems to work in court. What is worse, many of these third parties are majority owned by the banks that are sourcing out the work to the third parties.
Posted by lin95nel | Thursday, April 04 2013 at 12:58PM ET
Agree with lin95nel. Both the Federal Reserve and OCC give guidance to banks on how to manage outsourcing to third party vendors. Moreover, there is also guidance for bank examiners on how to conduct risk based exams of banks and how they identify, measure, control, and monitor operational risk.
Posted by Mayra Rodriguez Valladares, MRV Associates | Thursday, April 04 2013 at 1:07PM ET