As regulators pressure banks to strengthen oversight of their "critical" vendors, many are scrambling to adjust their contracts, reporting, systems and staffing.
Interviews with executives at several vendors to the financial services industry show that their level of concern varies according to their size and experience with examiners. But even those who have long been subject to scrutiny say they are getting more questions from customers and staffing up to deal with the added compliance chores.
Some vendors say regulators are taking vendor risk more seriously than ever before, and expect the issues they raise in their exams to be addressed immediately. Others report that the new rules have dramatically elongated their sales cycle. There are even those who say they are just doing what they've always done, but with larger staffs and greater resources devoted to compliance.
"The regulators are very serious and they are raising the bar in terms of their expectations of banks and key technology service providers to safeguard U.S. financial systems," says Edward Ho, president of Fundtech, a payment processing company based in Jersey City that works with more than 400 banks, credit unions and government-sponsored entities.
The major bank regulators, including the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corp. and the Federal Reserve, have all issued updated rules in recent months that require banks to step up their oversight of third-party vendors deemed crucial to their operations. That includes risk-scoring them, closely analyzing their financials, and conducting on-site audits.
Some vendors have already been caught up in the higher expectations. Fundtech received a consent order from the Office of the Comptroller of the Currency in December, based on an exam conducted the year before, prior to Ho's arrival.
The consent order says Fundtech lacked formalized vendor risk policies and procedures and an enterprise-wide asset risk assessment. It also found the company's business continuity planning, patch management and log review programs to be inadequate.
Ho, who was recruited by Fundtech's private equity owners in 2013, says the company has made the fixes sought by regulators. A March exam went well with no significant comments, according to Ho, but the order can't technically be terminated until the fourth quarter of 2014.
"Banks and tech service providers need to pay sufficient attention and respect to the regulators' requests and respond without delays, to show they are serious," Ho says. "The organization has to be focused at the highest level on remediation efforts."
One item regulators are looking for is true independence of functions such as compliance and security. "I think we're at the forefront of a wave of intense scrutiny by regulators," Ho says.
Overall, small vendors seem far more concerned with the new rules than large ones.
"I have started to see this elongate my sales cycles," says Jeff Sant, executive vice president, Primatics Financial, a maker of software that automates stress tests. "I was in the midst of negotiating a deal, and a new policy was written at the bank, and we had to start over."
Sant says he believes the new rules favor larger companies with the staff and resources to handle the added compliance work. He worries that the new standards are thwarting innovation.
"Innovation comes up through these tertiary companies," he says. "The more you make it difficult for innovation to enter this space, you're going to lose something."
The same dynamic will adversely affect small banks, which can't deal with the cost of regulations and are used to a simpler process of vendor selection and management, according to Sant.
"Smaller banks are used to going out to dinner and signing something on a piece of napkin," he says.
One aspect of the revised rules that's tough on smaller vendors is the need to show financial stability, Sant says.
"We grow 30% a year, we look different every year," he explains. "You're not going to have a lot of small vendors who can show five years of steady growth and low leverage."
But the risk-scoring and onsite audits don't concern Sant, because as a vendor to large banks Primatics already does them.
Other large vendors that work with bigger banks say they are accustomed to strict regulation. Jacksonville, Fla.-based FIS, for instance, is already regulated as a technology service provider under the Federal Financial Institutions Examination Council's multiregional data processing program.
"I think we're in a good position to address the requirements," says Greg Montana, chief risk officer at FIS, which is the largest vendor of core banking technology to U.S. banks.
At the same time, Montana has expanded the company's compliance efforts as a result of regulators' intensified focus on vendors. FIS has had a dedicated risk, information security and compliance program in place for nearly three years. The company has hired executives from Bank of America, Wells Fargo, AT&T and Verizon, as well as former regulators and law enforcement officers, into the program.
"We have a former member of the Federal Reserve on the team and a number of Secret Service agents," Montana says. A former audit leader at BofA runs a 10-person team dedicated to client risk relations that was formed about two years ago.
"Clients are asking for more transparency," Montana says. They are asking for more performance data and want to know how the company is handling controls around risks such as DDoS attacks.
In response to the revised vendor risk rules, FIS has incorporated the right to audit into its vendor contract terms. It offers clients on-site reviews, and already hosts a two-day on-site conference at its largest data center in Brown Deer, in Milwaukee.
FIS also offers clients an information portal about its risk, security, compliance and audit initiatives. The portal provides a sample board presentation customers can use to explain their compliance program with FIS.
Like FIS, D+H executives feel they've been dealing with strict regulatory rules for years.
Yet Scott Hansen, senior vice president of marketing, acknowledges that the new rules will affect D+H's business.
"When we embark on a new product development initiative, say it's a mobile banking platform, we don't just look at how quickly or inexpensively can we develop a mobile banking app and throw it up in the Apple store," Hansen says. "We have to make sure all the procedures are hardened and that we have a complete, full failover facility for our mobile banking servers."
Like FIS, D+H, which is one of the five largest providers of core banking software to U.S. banks, provides customers with vendor due diligence packets. It's accustomed to regular on-site audits in all major facilities and has grown its compliance team.
Observers say the tenor of the regulators' guidance hasn't really changed, but the degree of scrutiny and follow-up has intensified.
"If a company was already running a fairly mature program and following industry best practices around third-party risk, then none of this is mind-boggling," says Brad Keller, senior vice president of Shared Assessments, a provider of vendor risk assessments. The closer scrutiny of business processes, however, is a new wrinkle.
"That's what we hear service providers say: it's one thing to ask me about my security controls and make sure I'm protecting against risk from a technology standpoint," Keller says. "But getting into how I'm running my business feels intrusive to them. Unfortunately, that's the direction the regulations are pushing."
This is the fourth in a series of articles about vendor management.