Regulators' stiff new vendor management rules for banks have driven Bank of America to bring some technology work that it had previously outsourced back in-house.
The rules require banks to keep closer tabs on their tech partners, and David Reilly, B of A's technology infrastructure executive, says the changes have added risk and cost to the process of selecting third-party vendors.
"There are a couple of major infrastructure services over the last few months we have brought under direct control in part because of this macro change we're seeing," he says.
The macro change is the enhanced guidance that came from the Federal Financial Institutions Examination Council and the major bank regulatory agencies late last year.
Among other things, the rules call for banks to be more selective in choosing vendors, and require them to risk-score the vendors and conduct regular vendor audits. Bankers say the guidelines are slowing technology buying decisions, increasing costs and in some cases, driving a shift from outsourcing to in-house IT.
One of the most troubling requirements is the expectation that banks apply every control they would apply to their own third-party agreements to their vendors' third-party agreements. For instance, banks have to ensure that not only are their vendors conducting background checks on new hires, but that their vendors' vendors are as well.
"Increasingly, that creates a burden," Reilly says. "There's a cost associated with that for all our vendors. Over the next couple of years these changes will lead to less services being outsourced and more coming back in house."
Keeping IT functions in-house has its own risks such as the risk of software not receiving the regulatory and security updates it needs but those risks do not include contract risk or oversight risk.
Like Reilly, Philip Smith, the director of information technology at the $219 million-asset Harvard State Bank in Illinois, also finds monitoring fourth- and fifth-party risk to be an immense challenge.
If a vendor farms some of the work it does for the bank to other vendors, it can be hard for the bank to get all the information it needs from those subcontractors, points out Smith. The bank is dependent on the primary vendor to vet the others. "If you go to [the subcontractors] directly, they're going to say I don't know you, you're not signing a contract with us," he notes.
Bruce Livesay, the chief information officer at the $24 billion-asset First Horizon National in Memphis, has also found that the new regulations have slowed some tech buying decisions as the bank has tried to make sure it addresses all third-party risk factors.
"There is definitely more scrutiny to make certain the new guidance is covered by our process," he says.
Yet the new vendor management regulations have not dramatically changed the bank's process around vendor selection or contract negotiations, he says. "Our vendor management processes were already fairly mature, including vendor risk ratings and most of the suggested regulatory risk factors," he says. The intent of the regulations is consistent with past guidance, although the language is much more specific and clear, he says.
B of A's Reilly concurs. "Things that you might have previously described as best practice have become absolutely non-negotiable," he says. "We now have north of 20 terms and conditions in our hardware, software and services contracts that are non-negotiable. If a partner, large or small, cannot agree to those terms, we cannot do business with them."
One example of a non-negotiable condition is limits of liability around confidential information. "Our partners have to treat that information with the same level of care and diligence as we would in any self-provided service," Reilly says. "We have to have that enshrined in a contract."
The new regulations have made life harder for vendors that work with banks, Livesay says, by giving banks additional authority to request thorough contract terms and conditions.
"The regulators are pushing banks to explicitly obtain greater transparency and a greater level of detail than ever before from vendors," he says. Banks have to examine not only the risk controls their vendors use, but their supporting processes as well. Vendors are adding staff to support the increased demand for risk- and compliance-related requests. These changes will ultimately drive up costs for the vendors and the banks."
They're hitting small vendors hardest.
"The new regulations make it clear that there is additional risk associated with smaller vendors and startups," says Livesay. "The ultimate outcome of the new regulations will likely be a smaller universe of banking vendors."
Ironically, this could increase concentration risk over time as vendors consolidate and banks choose to deal with fewer partners, Livesay points out.
Harvard State's Smith disagrees that the new rules make it harder for banks to work with small vendors and tech startups.
"As long as the company is willing to share [information], the age or size of the company isn't the question, it's a matter of getting information you need to make the informed decision," he says. A two-year-old company might have built a product around a strong security framework that's superior to that of older companies, for instance.
The amount of due diligence information vendors are willing to provide varies greatly, Smith observes. One company may provide all its financial and security reports, and share all its security policies and procedures. Another might not want to provide its security policy to an outside firm because of the potential risk.
If a vendor can't cough up the needed information, that can be a deal breaker, he adds.
Still, Smith says vendors get that banks are under more pressure from regulators and, as a result, are not pushing back as much when banks ask for additional information.
"That doesn't mean you're going to get it, there's just more understanding about why you're asking," he says.
This is the fifth and last article in a series on vendor management.