Banks are taking a closer look at their vendor management, and their regulators are doing likewise.

"Even big banks have gaps in their vendor management," says Mercedes Kelley Tunstall, of counsel at Ballard Spahr, Washington D.C., pointing to concerns surfacing around credit card debt collections as evidence. "Vendor management continues to be a big focus for banks."

One reason is that regulators are holding banks responsible for the faults of their vendors. "About a half a billion dollars in enforcement actions certainly got everybody's attention," says Edward Kramer, executive vice president of regulatory affairs for Wolters Kluwer Financial Services. He refers to three enforcement actions taken by the Consumer Financial Protection Bureau that resulted in a combined $101.5 million in fines plus $435 million in restitution for the financial firms involved — all based on flaws in the way the banks monitored their vendors.

The CFPB issued a bulletin in April 2012 to call attention to vendor management. The message is: banks are responsible for any faults of the vendors they work with.

Beyond strong contracts and well-written policies and procedures, banks must continually verify that their vendors are actually meeting the requirements placed on them, Kramer says. "It's not a yearly activity," he says. "You can't rely on contractual provisions. …It's an enormous job."

When he was a regulator, upwards of 10 years ago, Kramer recalls sending examiners to listen in on conversations at banks' call center vendors to determine whether the firms were overpromising. With consumers' best interests in mind, he expects regulators today to use such techniques even more extensively.

Certainly, banks have been working to improve their vendor management. In anticipation of Dodd-Frank rules, Kramer says some banks made moves to put better programs in place in recent years, while others already had them.

Banks reassessing their vendor programs are adding more upfront due diligence and checking up on partners throughout the course of the relationship. "Organizations are performing much more regular review of their vendors," says Mike Brauneis, a managing director in the risk and compliance practice of Protiviti.

So much so that some vendors are struggling to produce the data their bank customers now require. "Vendors are scrambling to meet [audit] requests," Brauneis says, adding that banks also need to demonstrate they follow up with vendors on any issues unearthed in the audits. "Every category of vendor is subject to much higher oversight than they have been in the past."

Mercantile Bank, of Grand Rapids, Mich., has made minor modifications to its vendor management program in recent years in response to changes in its risk management approach and in regulatory guidance. "[There's] a higher level of concern with vendor onboarding to see a more linear process," says John Schulte, chief information officer and senior vice president of Mercantile Bank.

The Michigan bank, which tends to tackle multiple projects at once, has been working to formalize its workflow so that each action is formally approved in a document before the next steps in the process are taken.

In recent years, the bank has been asking vendors about their DDoS recovery strategies. It also digs deeper to find out whether, and when, its vendors themselves rely on third-party data centers. This is not always something a prospective partner readily reveals, says Schulte. To address this, the bank's contracts now include the right to review vendors' contracts with their own subcontractors whenever the bank's data is hosted elsewhere.

Mercantile Bank, which has introduced many features that other banks lack, such as partnering with PayPal for its mobile payment system, has learned that proactively letting examiners know what it is working on improves the examination experience.

"What we've learned is to communicate with regulators more upfront," says Schulte. "We're doing a better job communicating before the examiners come onsite."