As regulators demand that banks keep closer tabs on their relationships with "critical" vendors, bank executives are struggling with a basic question: What is a critical vendor?
The major bank regulators, including the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corp. and the Federal Reserve have all issued updated rules in recent months that require banks to step up their oversight of third-party vendors deemed crucial to their operations. Banks need to risk-score such vendors, conduct on-site visits, monitor them, and be extremely thorough in drafting contracts and service level agreements.
"[Critical activity] is a popular topic right now," says John Eckert, director of operational risk and core policy at the OCC, who spoke in a recent American Banker webcast.
The OCC's guidance defines critical activities as significant bank functions or shared services, such as internal audit and information technology, and activities that could cause a bank to face risk if the third party fails to meet expectations, that could adversely impact bank customers, or that could damage bank operations if the bank has to find another vendor or bring the function.
The OCC guidance also states that a bank's board and management have to determine which of the bank's third party relationships involve critical activities.
Deciding which vendors fall into the critical category is the first step to meeting all of the regulators' stiff new rules.
"If you had asked me in 1998, when I was involved with vendor management [rule] rewrites [at the Treasury Department], what do we mean by criticality, I would have said any computer system or technology that could cause disruption to your customer service beyond a reasonable recovery time objective, and anything that jeopardizes customer information or the security of that customer information," says Paul Reymann, partner, McGovern Smith Advisors in Washington, D.C. "Today, it's a much broader focus."
Today, the definition of critical has expanded to include anything that might affect a loan, an ability to meet a consumer law, the bank's brand or reputation, or its ability to defend itself against cyberattacks, to name just a few.
Regulators have not pinned down exactly what a critical vendor is, saying it depends on the bank and its business mission. Instead, they have left it to bank directors and executives to determine which vendors are critical — no small exercise given that a bank, depending on its size, can work with dozens, hundreds or even thousands of third-party vendors.
"We have more than 22,000 active relationships," points out Felipe Prestamo, senior vice president and head of U.S. compliance services at TD Bank, who also spoke in the webcast. "Not all 22,000 are going to go to the board, not all 22,000 are going to receive the same level of attention from the risk control function. We need an intelligent process to stratify that population and focus on the ones that deserve that focus."
Obviously, core banking vendors fit the description of "critical," but beyond that it's open to interpretation.
For instance, the vendor that opened Target's point-of-sale network to a massive data breach over the winter holidays provided heating and air conditioning, surely not a service that anyone would have labeled "critical" two years ago.
Trustwave, the PCI compliance provider that gave Target's network a clean bill of health shortly before the breach, could also, in hindsight, be considered a critical vendor.
Yet before the breach and before the new rules, Trustwave, which also works with banks, would not have been subject to closer scrutiny and oversight, says Reymann. "Trustwave's reputation is impeccable. After the fact, people could be critical about that, but a prudent person hiring Trustwave would not have thought they have to go audit Trustwave."
Loan disclosure software could be considered critical. "If they don't do that right, they'll be in court with some kind of UDAP [Unfair and Deceptive Acts and Practices laws] violation or other enforcement action from the regulators or CFPB," Reymann says. "I would not have thought a while back that vendors that help with statements or disclosures would be critical, but they are."
Reymann points to a number of "sleeper risks" of which banks need to be aware.
One is reputation risk, which could suffer if a vendor — say a card processor or a firm that stores sensitive data — mismanages information or is the victim of a data breach. There's also consumer protection risk; some of the OCC's consent orders have forced banks to pay fines for identity protection and debt collection programs that were mismanaged by third parties. Other areas where banks need to closely monitor vendor relationships include legal and compliance, information security, and offshoring.
"If you're found lacking in certain controls and you're doing offshore activity, your risk is multiplied," Reymann says. "If I'm seeing control weaknesses in your vendor management program and you're doing offshore, I'm going to be looking closely at how you're managing the offshore relationships as a result."
Attorney Chip MacDonald sees critical vendors as any provider that could affect the business and might attract regulatory scrutiny. This could include vendors that touch customer-facing products and services and internal services needed to manage an institution, says MacDonald, who is partner at Jones Day in Atlanta.
The degree of scrutiny would depend on the importance of the customer segment served by the vendor and the bank's revenues and profits from that business, including the risk of loss in the event of a service interruption, MacDonald says.
Banks can also expect heightened scrutiny around vendors' access to the bank's electronic systems or networks, protection of sensitive data and maintenance of anti-money-laundering and Bank Secrecy Act programs, MacDonald says.
This is the first in a series of articles about how banks are coping with the heightened scrutiny of their relationships with vendors.