For bankers, picking the right vendor was once a matter of being taken out for a steak dinner: If the meal was good, the conversation flowed and the salesperson was enjoyable, the deal was on.
Today, thanks to stiffened regulatory rules pushed out in 2013, as well as high-profile stories of vendor sloppiness (for instance, the Target breach, where hackers broke in through an air conditioning provider to steal personal data from millions of credit and debit cardholders), this is no longer the case.
And regulators have continued to take a tough stance on vendor due diligence and risk management, especially on the security front, according to Mercedes Tunstall, partner at the Washington law firm Pillsbury Winthrop Shaw Pittman.
“There is still a lot of, ‘Have you done enough with your vendors on security?’ ”
Banks have to vet their vendors thoroughly and have to maintain an intimate knowledge of their financial performance, cybersecurity arrangements and technical performance.
This can be a lot of work, especially for large banks that purchase technology and services from thousands of vendors.
A few weeks ago, HSBC, Goldman Sachs, Morgan Stanley and Barclays announced they had invested in a platform called KY3P that is designed to make this easier. Banks give KY3P’s operator, IHS Markit, a list of all the vendors they work with and their contacts at those companies. IHS Markit sends those vendors a due diligence questionnaire based on guidelines from various regulatory agencies, including the Office of the Comptroller of the Currency, and puts the answers in a database to which all members have access.
It checks the completeness of the vendors’ responses, reviews attachments, and adds financial data it buys from Standard and Poor’s and Dun & Bradstreet. Banks pay an annual subscription fee for the service.
“Banks are looking for solutions that help them reduce their cost base and get vendor responses in a more efficient way,” said Ellen Schubert, KY3P’s chief executive. “It’s very difficult from a communication perspective inside these very large firms in terms of onboarding new vendors, because there’s so many people involved in the process. There’s a real appetite for utilities and standardization.”
About 80 banks, asset managers and hedge funds already use the data hub, which contains 15,000 vendor profiles. The bankers have enthusiastically embraced the idea.
“One of the challenges we have in our industry is that as we’re increasingly using third parties, which is a good thing, but we’re inevitably having to ask those third parties a number of different due diligence related questions,” said Daniel Crease, global head of third-party management at HSBC.
The banks independently ask many of the same vendors the same questions, Crease said.
“There’s a lot of potential inefficiency and duplication there,” he said. Getting all the third parties to download their information into a central data hub would “take away some of the old-fashioned manual processes and make the data available on demand in our organizations, which is quite powerful.”
Banks have tried to set up shared utilities in the past for things like back-office work and a national debt registry. Often they have been unable to agree on what the standard should look like or who should run the utility.
Tunstall doesn’t see any of this being an issue here, because banks don’t need to share any information — only the vendors hand over data.
“Banks have historically been happy about that kind of situation,” she said.
Crease said there are “absolutely going to be obstacles, because these things are never straightforward.”
But he said it will ultimately be a success given the size of the burden.
“Because of increasing regulatory scrutiny around this topic along with our own operational desire to do this more effectively as banks, as we increase our dependence on third parties, I’m fairly confident about this,” he said.
Why vendor risk management is hard
HSBC has about 2,500 critical vendors, on which it spends 80% of its procurement budget and on which it has to conduct extensive due diligence. It has smaller engagements with many thousands more. These numbers are typical for large, global banks.
Crease doesn’t complain about the volume of vendor risk management work. But he worries about inefficiency, as the vendor due diligence process tends to be manual on the bank’s side and vendors get inundated with requests.
Risk-related due diligence is the easier part, he said.
“Our financial crime and compliance checks are very binary — an organization is either on a sanctions list or a watch list or it’s not,” he said. Though the lists do have to be checked every day, those look-ups can be automated.
The more difficult side of vendor risk management is operations, Crease said.
“You want to know the performance, the reliability, the experience, the overall execution ability of that organization to fulfill what you’re asking for,” he said.
Hardest of all, Crease said, is vetting subcontractors, which sometimes have to be examined just as closely as primary vendors.
“That’s probably one of the emerging, more complex areas we have to get at as an industry,” he said.
Trying to vet and monitor every subvendor of every vendor can become an endless task.
“The reality is you can’t,” Crease said. “Or you could, but it’s unlikely you could ever economically use a third party.”
Crease said he hopes KY3P will make due diligence-related data about third parties more readily available across the life cycle of an engagement, not just at the time of contract signing or renewal.
“If we could have some dynamic data, such as cyber-risk data or negative news alerts, more readily available on desktops of people that own the relationships within the organizations, I think that’s a powerful step forward,” he said. “That prevents risk management of third parties falling into the dangerous territory of being a box-ticking exercise; it makes it useful data that helps people do their job.”
What will regulators think?
Schubert said KY3P has met with nine regulators so far, including U.S. and global agencies, and their response has been positive.
“They were very much in favor of having utilities, specifically for the questionnaires,” she said. “They wouldn’t comment on the questionnaires, but we have had some of our firms go through audits using the questionnaire and they’ve had good response.”
The Office of the Comptroller of the Currency gave lukewarm support to the idea in a recent frequently-asked-questions bulletin. In it, the OCC essentially asserted that such services are useful but insufficient in some cases.
“If they are using the same service providers to secure or obtain like products or services, banks may collaborate to meet certain expectations,” the OCC wrote. “Like products and services may, however, present a different level of risk to each bank that uses those products or services, making collaboration a useful tool but insufficient to fully meet the bank’s responsibilities.”
Banks that use a customized product or service, for instance, may not be able to use collaboration to fully meet their due diligence, contract negotiation, or ongoing responsibilities, the OCC said.
Regulators have asserted that it’s not enough for banks to do a “check the box” type of due diligence on vendors, Tunstall said. A bank can’t just pull data from a data aggregator, decide it looks good and consider its due diligence job done.
“The regulators will say, ‘You haven’t done any thinking; there isn’t anything you’ve done that has allowed us to understand how this vendor works into your own risk matrix,’ ” Tunstall said. “They want to see companies put thought and the time in vetting the vendors.”
For any critical vendor, such as a third party a bank relies on to function or a vendor that touches customer or trade-secret data, banks need to have direct conversations with the vendor and perhaps put in place custom solutions in case the vendor goes down, Tunstall said.
Crease also acknowledged that KY3P is not set up to do all vendor risk management work. The standardized questionnaire sets that sit on KY3P deliberately don’t address all of the needs of each organization; it’s closer to 60-70% for a complex engagement and 90-100% on a less complex engagement, he said.
“Over time, as we increasingly work together on the standardized questionnaires, we can keep adding to them and refine them, taking away things that are not important,” Crease said. “I think there’s an opportunity to continue to work together to evolve.”
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.