When Vendor Risk Management Goes Too Far
Industry-accepted standards would reduce friction and costs in satisfying compliance requirements during a time of heightened scrutiny for banks and their vendors.
Regulators are demanding that banks keep closer tabs on their relationships with third-party vendors, but they have left it to banks to determine which vendors require the most oversight.
If third-party vendor risk management is becoming an overwhelming chore for your bank, perhaps you're interpreting the most recent guidance from the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. too literally.
You may need to lighten up at least a bit. The OCC's guidance does not instruct banks to remove all risk, just to appropriately manage that risk. Its Oct. 30 bulletin says, "A community bank should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships."
While banks certainly need to adhere to OCC and FDIC guidance, the key is to avoid overreacting. This can be difficult for some bankers. I often get calls from community bankers concerned that their vendor won't allow them to include the right to conduct surprise data center audits in their contracts or worried that they don't have the necessary resources to audit their third-party vendors' subcontractors. Some bankers tell me that they won't consider working with a start-up or smaller vendor even if their product is in perfect alignment with the bank's strategy because they fear regulators want them to choose only "safe" vendors.
But bankers are wrong to think they have an inalienable right to audit under regulatory guidance. The largest bank technology vendors have hundreds or even thousands of bank clients. If every bank client demanded a right to audit and then followed through on visits, vendors would be hosting at least several banks per day, every day. They might as well offer group tours.
It may well be enough for banks to receive and review their vendors' third-party reports as part of their vendor management programs. Banks have the right to refuse to accept those audits, but in that case, I would wonder why the bank is doing business with a particular vendor in the first place.
If the vendor does not have third-party reviews, the bank will need to conduct the audit or retain an independent party to do one. But you definitely don't need to perform a surprise audit and show up at the data center without advance notice. Data centers are secure environments; if you are not on the approved list of visitors, you won't get in.
Another common misinterpretation of regulatory guidance on vendor management is that vendor size matters most. Banks increasingly believe that regulatory guidance forbids them from working with smaller or less-established vendors and that choosing a large vendor will provide a safe harbor.
This is not the case. The OCC states that a bank must select "an appropriate third party and understand and control the risk posed by the relationship, consistent with the bank's risk appetite." Vendor management includes determining if the vendor's offering fits the bank's strategy, but the guidance does not dictate vendor size.
When bankers argue that they are wary of selecting a less well-known vendor, I often point out that under that logic, consumers would never entrust their community bank with deposits when they could open an account with Bank of America, Citibank or Wells Fargo. The truth is that bigger is not always better and the biggest provider may not always be the right fit for a bank's needs.
There is a dark side to vendor risk management hysteria: compliance fears are sucking innovation out of the banking industry. When banks shy away from partnering with smaller vendors and start-ups, they ironically leave themselves exposed to more risk. If smaller ventures are unable to pass vendor risk management hurdles, they will go out of business or else be acquired by major players, creating concentration risk among the few remaining vendors.
Every relationship has risks, and banks are in the business of managing them. Regulators recognize that risk is necessary; they are simply asking banks to understand and validate risk. Don't shortchange your bank and stifle advancement by misinterpreting vendor management regulations.
Paul Schaus is president of CCG Catalyst, a consulting firm for banks in the United States and North America. Contact him at firstname.lastname@example.org.