Small Banks Slowly Step Up Vendor Oversight

Community banks are becoming more vigilant managing third-party relationships.

Regulators are also urging banks to enhance oversight of vendor relationships. Banks should conduct extensive research before signing contracts and schedule regular reviews, industry observers advise.

"You can't outsource the risk" involved with vendor dealings, says Michael Brauneis, managing director in the risk and compliance group at Protiviti.

Small banks have historically used vendors sparingly, hiring them in areas such as investment services, says Richard Schaberg, a lawyer at Hogan Lovells. Outsiders were often well-versed in issues such as compliance.

Since the financial crisis, banks have expanded the use of third parties, Schaberg says. Vendors advise banks on regulatory issues and offer fee-based products to make up for tepid loan demand.

"Banks are looking to enhance their earnings, and this is a great way to do it," says Bert Otto, deputy comptroller for the central district at the Office of the Comptroller of the Currency. "But it has to be done right."

Small banks often hire outside firms to help with areas such as loan reviews, electronic data processing and remote deposit capture.

Banks must consider safety and soundness and compliance as they vet vendors, says Hugh Kelly, national lead partner of bank regulatory advisory at KPMG. Regulatory examinations will focus on a bank's efforts to consistently manage vendor relationships in areas such as information technology and compliance, he says.

Due diligence is the first line of defense against making a bad hiring decision, industry observers say. Banks should request copies of a vendor's compliance and risk management practices, including detailed information on customer complaints. Banks should also review regulations that could affect a particular relationship.

"Our clients are doing a more robust due diligence," Brauneis says. "We're seeing banks getting more involved in directing these companies on how to manage certain processes."

Wausau Financial Systems has gotten more "proactive and aggressive" with security, audit and compliance, says Tim Patneaude, the Mosinee, Wis., company's chief operating officer and chief information officer. Wausau, which offers payment and receivables processing products, has a standard set of information that it updates annually and can be sent to prospective clients that are conducting due diligence.

Wausau's information includes assessments of business operations completed by outside auditors and security procedures. It also offers audited financials, which is critical since the firm is privately held, Patneaude says.

"We've got to objectively demonstrate that, by choosing us, the banks aren't increasing their risk," Patneaude says. "It's not as easy as saying we have all of this in place. We have to make sure we have solid documentation."

Small banks need to monitor the financial condition of third parties, Otto says. Banks must give themselves time to adapt if a vendor that provides a vital service closes or scales back.

There are several banks "that have gotten burned because their vendors were going out of business because of financial conditions," Otto says. "Banks need to monitor that just like they do for a borrower."

Wausau undergoes periodic regulatory exams, and it encourages banks to contact regulators to review the results, Patneaude says. The OCC also recommends that banks make use of exam results.

Community banks should also conduct ongoing monitoring, industry experts say. Lax oversight is a common mistake for smaller banks, Otto says.

Such assessments should include reviews of a third party's financials and disclosures tied to customers and business continuity. More banks are requiring vendors to obtain certifications each year to show that they are meeting the contract's expectations.

Banks are increasing visits to the offices of higher-risk vendors, such as mortgage servicers or foreclosure lawyers, and they are holding third parties more accountable for falling short of contracted terms, Brauneis says. In the past, banks rarely enforced penalties, he says.

Internal testing is critical to making sure that outsourced activities are completed properly, Schaberg says. If a bank uses an outside firm for remote deposit capture, it should review a sample of recent transactions, while looking out for complaints.

Receiving a third party's audits can be helpful, especially for services such as loan modifications, Schaberg says. Banks can refer to those audits to show regulators that they are monitoring their vendor relationships.

At 1st Enterprise Bank, management requests a range of information when it researches and monitors vendors, says John Black, the bank's CEO. The Los Angeles bank visits its most critical providers, "no matter where the company is physically located," he says.

The $706 million-asset bank also requests financial data, audits and regulatory exam results. It conducts public record searches and checks references. "Vendor management is a very important aspect of the overall risk management process," Black says.

Operations that deal directly with customers, such as call centers, require the most attention because of the added reputational risk involved, industry experts say. Problems can arise when those firms pitch and promote products and services to a bank's customers.

At call centers, banks are "responsible for ensuring that … employees don't overstep the line by using improper language for selling a product," Kelly says. This should involve recording all call center calls — and listening to a sampling of the recordings — to make sure employees stick to the prepared script.

Banks that have more than $10 billion of assets are also subject to oversight by the Consumer Financial Protection Bureau. That means additional requirements for managing third-party relationships and selling add-on products, Brauneis says.

"The potential for reputational risk is immense, especially for community banks," says Paul Rountree, president of First Green Bank in Mount Dora, Fla. "We are here because of our reputations."

The $200 million-asset bank specifically avoids working with vendors that management suspects will use "our customer data for their own gain," Rountree says. First Green receives "endless" e-mail solicitations from vendors that are pitching it a variety of new products and services, he says.

First Green considers several factors when evaluating a new product or service, Rountree says. For instance, the bank looks at whether the relationship might put too much distance between itself and the customer.

"As a community bank, we are more hands on," Rountree says. "We know our clients and we like to stay connected."

Constant monitoring has its costs, and banks need to keep expenses in check, so the monitoring process should be as efficient as possible, industry experts say.

Some activities require less attention than others, experts say. Because of this, smaller banks should determine the level of risk associated with each vendor partnership and tailor the level of monitoring accordingly. Oversight could range from annual reviews of contracts to monthly evaluations.

A number of banks are considering working with each other to complete due diligence at a lower cost. For example, a group of banks could band together to conduct an audit of a foreclosure law firm.

To be sure, regulators must be comfortable with collaborative arrangements. Such partnerships also present their own distinct set of challenges in areas such as privacy and competition, Brauneis says.

"Managing these relationships is ultimately the bank's responsibility, whether there's a regulatory concern there or not," Black says. "At the end of the day, our business is based on trust and confidence of the customer. The customer expects us to protect them."
