3rd Party Risk Management: A Proven & Successful Framework


By: Paul Reymann, Partner, McGovern Smith Advisors, LLC.

We are witnessing a renewed focus by bank regulators and examiners on vendor-related risks, including those that can directly affect consumers and your bank’s ability to comply with consumer compliance mandates. This is coupled with a willingness to issue enforcement actions against banks for 3rd party service provider violations of consumer protections. The recent CFPB and OCC April 2014 consent order against Bank of America is a timely reminder.[1]

Does this mean you shouldn’t take advantage of the expertise and benefits available through specialized vendors?

Absolutely not! It means you should be vigilant in knowing your vendors, assessing the risk to your organization, and monitoring and controlling vendors.

Economies-of-Scale, Profitability, & Risk

Using specialized service providers to support banks’ payments businesses creates economies-of-scale and delivers much-needed products and expertise to help banks remain competitive and profitable.

Many banks, for example, have or are creating relationships in which a payment processor, itself a deposit customer of the bank, uses that relationship to process payments for various merchants.[2]

While this generally reflects legitimate transactions from the merchants, the risk can vary significantly depending on the payment processor’s customer base. For example, payment processors that deal with telemarketing and online merchants may carry higher risk because of trends in consumer fraud or illegal activities.

In addition, many banks offer credit cards and other products through agent banking relationships and other third parties. As shown by the recent consent order against Bank of America, bank regulators and examiners will hold banks responsible for the actions of these third parties, including compliance with consumer protections.

A Regulatory Tsunami

Since many of the challenges identified in the 2008 economic collapse stemmed from non-bank entities, it makes sense that regulators are concerned with 3rd party risk. Evidence is mounting that consumer protection is quickly becoming a paramount concern of regulators because of the growing use of 3rd parties for credit cards, prepaid cards, other forms of payments, and other outsourcing activities that have the potential to affect the consumer.

An increased threat of data breaches and money laundering has also been a genesis for this renewed focus on vendor management.[3]

The importance of maintaining a prudent vendor program goes beyond any one line of business or product type. It is a universal issue across all vendor relationships.

A Heavy Responsibility

Outsourcing is a good thing, but it does include risks. The FFIEC agencies and CFPB have issued more than 116 pieces of guidance on how to manage vendor risk for 3rd party payment processors, prepaid cards, information technology, information security, consumer compliance, and many other areas, as shown in the chart below. In short, they want bankers to be accountable and take responsibility for knowing and managing vendors as if they were an extension of the bank’s staff.

[1] The CFPB, in cooperation with the OCC, issued a consent order against Bank of America and its credit card subsidiary, FIA Card Services, to pay an estimated total of $727 million for alleged UDAAP violations related to credit card add-on products in connection with identity protection and debt cancellation services.

[2] Cited in FDIC FIL-3-2012.

[3] OCC Bulletin 2011-27: Risk Management Guidance and Sound Practices.

©Copyright 2014. McGovern Smith Advisors, LLC. pg. 1 of 4


Example “Vendor Management” Regulatory References

CFPB –

Bulletin Regarding Marketing of Credit Card Add-on Products

Final Policy Statement – Publication of Credit Card Complaint Data

FFIEC –

IT Booklet on Outsourcing Technology Services

IT Booklet on Supervision of Technology Service Providers

Social Media: Consumer Compliance Risk Management Guidance

OCC –

Bulletin 2013-33 – Use and Review of Independent Consultants in Enforcement Actions

Bulletin 2013-29 – Third-Party Relationships: Risk Management Guidance (Appendix B refers to 57 other publications)

Bulletin 2011-27 – Risk Management Guidance and Sound Practices

FDIC –

FIL-3-2012 – Payment Processor Relationships (refers to 6 other publications)

FIL-56-2013 – Social Media: Consumer Compliance Risk Management Guidance (refers to 22 other publications)

FRB –

SR 13-19, 12/5/13 – Guidance on Managing Outsourcing Risk (refers to 4 other publications)

Outlook Live Webinar (5/2/12) – Vendor Risk Management Compliance Considerations, www.consumercomplianceoutlook.org

NCUA –

LTR No. 13-CU15 – Private Student Loans (Direct & Indirect)

LTR No. 13-CU13 – Changes to NCUA Regulations Related to Credit Union Service Organizations (CUSOs)

LTR No. 10-CU26 – Evaluating Payment System Service Providers (with a checklist)

LTR No. 10-CU15 – Indirect Lending & Appropriate Due Diligence

LTR No. 08-CU19 – Third-Party Relationships: Mortgage Brokers and Correspondents

LTR No. 08-CU09 – Evaluating Third Party Relationships Questionnaire

LTR No. 07-CU13 – Evaluating Third Party Relationships (refers to 11 prior publications)

Sleeper Risk

A sleeper risk in a vendor can hurt your organization. Think about it—what would happen if the answer to one or more of these questions was “no” or “I don’t know.”

Sleeper Risks – Does Your Vendor:

Legal and Compliance – Comply with all applicable laws and regulations, including consumer protections?

Reputation – Have the internal controls to avoid or mitigate issues directly affecting your customers?

Brand – Impose the same set of internal standards on itself and its subcontractors (e.g., for customer service, privacy, security, etc.) as you do for your brand?

Consumer Protections – Know your requirements as well as its own related to consumer protections?

Financial Stability – Have the financial strength to fulfill its contract obligations over the long haul?

Information Security – Have strict information security controls that meet all GLBA, PCI, NIST, or State standards?

Offshore – Reside entirely within the United States, including subcontractors?

Prudent vendor management requires more than a list of vendors pulled from your accounts payable system. Auditors and examiners are looking for vendor information on risk, classifications, due diligence, contracts, internal controls, information security, consumer compliance, and more.

All of us are challenged to think more broadly about the risks and complexity of outsourcing. We now need to think about how to become more efficient in selecting, managing, and mitigating vendor risk to the bank and the consumer.


A Proven & Successful Framework

Companies are at different stages of managing vendor relationships and risk. So whether you are just getting started and trying to understand why you need to focus on this topic, or further along and looking for ways to strengthen what you are doing, there are six key elements that have to be considered in every vendor management program.

Obviously, this requires more than an Excel spreadsheet. It represents a Vendor Risk Management “culture” throughout the organization and requires each employee to understand his or her duties and responsibilities.

1. Information Gathering – You need to identify all vendors and collect specific information on each vendor that will enable you to classify each vendor based on the risk it poses to the organization and your customers.

Examples of this demographic information should include: vendor name & address; location where work will be performed; a primary contact at the vendor and an internal business unit owner; and operational areas or functions that will be supported.

2. Vendor Classification – All vendors should be classified based on the risk they potentially pose to the organization and its customers. In determining how to risk-rate or classify each vendor, you should consider the criticality and sensitivity of the vendor to the organization. The higher the criticality and sensitivity of a vendor, the greater the need to implement, verify, and maintain sufficient control over the relationship to deliver the required product or services, as intended.

3. Criticality is the overall value or importance of the vendor to day-to-day operations and the enterprise. In considering the criticality of the vendor, you need to consider the impact of the relationship on the organization. For example, if a significant incident occurred involving the vendor, how much harm would it do to your company’s security, financial stability, operations, reputation, strategic plans, compliance, legal standing, etc.?

You should also consider the probability of such an event occurring. The higher the probability of a significant event, the higher the risk classification. The lower the probability, the lower the classification.

4. Sensitivity is the overall value or importance of data to the enterprise. It helps to determine the level of protection required to ensure confidentiality and integrity of data. If a vendor has access to sensitive data or controls access to sensitive data, it should carry a higher risk classification.
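The classification step just described (criticality as the impact of a significant vendor incident combined with its probability, sensitivity as whether the vendor accesses or controls sensitive data) and the sleeper-risk checklist on the previous page can be run as one repeatable triage over a vendor inventory. The following Python is an added illustration, not a tool from this paper or from McGovern Smith Advisors; the 3x3 impact-by-probability scoring, the tier thresholds, the one-tier escalation for sensitive data or for checklist gaps, the question keys, and the four vendor records are all constructed assumptions. Its one design choice worth noting is that a missing or “unknown” checklist answer is treated exactly like “no”, because the paper’s point is that “I don’t know” is itself the sleeper risk.

```python
"""Vendor risk-tiering illustration (added example, not the paper's own tool).

Criticality = impact x probability; sensitivity raises the tier one step;
any sleeper-risk question answered "no" or "unknown" raises it one more.
All vendor records and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass, field

IMPACT = {"low": 1, "medium": 2, "high": 3}       # harm if an incident occurred
PROBABILITY = {"low": 1, "medium": 2, "high": 3}  # likelihood of such an incident
TIERS = ["low", "medium", "high"]

# Keys for the paper's seven sleeper-risk questions (hypothetical identifiers).
SLEEPER_QUESTIONS = (
    "complies_with_laws",
    "has_internal_controls",
    "same_standards_for_subcontractors",
    "knows_our_consumer_requirements",
    "financially_stable",
    "infosec_controls_meet_standards",
    "entirely_onshore",
)


@dataclass
class Vendor:
    name: str
    impact: str                   # "low" | "medium" | "high"
    probability: str              # "low" | "medium" | "high"
    handles_sensitive_data: bool  # accesses or controls sensitive data
    answers: dict = field(default_factory=dict)  # question -> "yes"/"no"/"unknown"


def all_yes(**overrides):
    """Build a questionnaire where every answer is 'yes' unless overridden."""
    answers = {q: "yes" for q in SLEEPER_QUESTIONS}
    answers.update(overrides)
    return answers


def criticality_score(v):
    """Impact multiplied by probability, on a 1..9 scale."""
    return IMPACT[v.impact] * PROBABILITY[v.probability]


def sleeper_gaps(v):
    """Questions answered 'no' or 'unknown'; an absent answer counts as unknown."""
    return [q for q in SLEEPER_QUESTIONS if v.answers.get(q, "unknown") != "yes"]


def bump(tier):
    """Raise a tier by one step, capped at 'high'."""
    return TIERS[min(TIERS.index(tier) + 1, len(TIERS) - 1)]


def classify(v):
    """Return (tier, gaps): the risk tier and the unanswered sleeper-risk questions."""
    score = criticality_score(v)
    tier = "high" if score >= 6 else "medium" if score >= 3 else "low"
    if v.handles_sensitive_data:   # sensitivity: access to sensitive data
        tier = bump(tier)
    gaps = sleeper_gaps(v)
    if gaps:                       # a 'no' or 'I don't know' is a sleeper risk
        tier = bump(tier)
    return tier, gaps


def triage(vendors):
    """List (name, tier, gaps) from highest to lowest tier; stable for ties."""
    ranked = sorted(vendors, key=lambda v: TIERS.index(classify(v)[0]), reverse=True)
    return [(v.name, *classify(v)) for v in ranked]


# Constructed sample inventory; names and values are invented for the example.
SAMPLE_VENDORS = [
    Vendor("CoreProc", "high", "medium", True, all_yes()),
    Vendor("MailHouse", "medium", "low", True, all_yes(entirely_onshore="unknown")),
    Vendor("FacilitiesCo", "medium", "medium", False, all_yes()),
    Vendor("LawnCo", "low", "low", False, all_yes()),
]

if __name__ == "__main__":
    for name, tier, gaps in triage(SAMPLE_VENDORS):
        print(f"{name:<14} {tier:<7} gaps={gaps or 'none'}")
```

Running it ranks the payment processor and the mailing house as high-tier: the processor because of criticality, the mailing house because it holds customer data and nobody has confirmed where its subcontractors are located, which is the kind of “distantly acquainted” gap the paper warns about.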

5. Request for Proposal – Before you start searching for vendors, you should clearly define your business needs in a comprehensive Request for Proposal framework that outlines all of your requirements.

6. Vendor Due Diligence – Due diligence is a standard approach to assessing a vendor’s competency, stability, and reputation. Use all resources at your disposal, including federal and other databases as well as references, social media searches, and other Internet resources.

7. Contracts – Do you have a clear contract with each vendor?

As you begin to narrow your search for a trusted vendor partner, you will need to consider the contractual requirements with each vendor. Everyone should place significant emphasis on the vendor contract.

Organizations that do vendor management well are those that have defined detailed control requirements in the contract agreement at the outset of the relationship and monitor those controls to ensure the relationship is working as anticipated. At a minimum, each contract should address: scope of work to be performed; performance metrics to measure success; information security mandates; audit responsibilities, expectations, and frequency; responsibilities of the vendor’s and the company’s key personnel; ownership of the relationship; off-shore activities; business continuity and incident response plans; termination; complaints handling procedures; and other miscellaneous items.

If things don’t work out well with a vendor, the contract agreement will be paramount.

A good example of key contract elements is available in guidance issued last October by the Office of the Comptroller of the Currency. It identified 17 areas to address in third-party contracts: the relationship’s nature and scope; performance measures and benchmarks; roles and responsibilities; the right to audit or require remediation; compliance responsibilities; cost and compensation; ownership and license; confidentiality and integrity; business contingency planning; indemnification; insurance; dispute resolution; liability limits; default and termination; customer complaints; subcontractors; and foreign-based third parties. A vendor’s refusal or inability to appropriately address all of these areas during contract negotiation should raise a red flag for your organization.

Other Documentation – You should request and centrally house all related documentation, e.g., Service Level Agreements, Non-disclosure Agreements, financial documents, resumes of key personnel, and SOC II/SSAE16 Executive Reports.

Ignorance of vs. Attention to the Details

Outsourcing provides advantages. In order to get the full benefit, with the least amount of risk, you must know who you are dealing with, have the means and will to monitor the relationship, and implement a prudent vendor management framework. For more information on a proven six-step framework, download our paper, 3rd Party Risk Management: A Proven & Successful Framework. It isn’t enough just to have language in your contract that gives you rights; you have to act upon those rights. The CFPB found Bank of America lacking in its knowledge of its vendors. Why? The executives probably thought they knew their vendor, when in reality they were only distantly acquainted and therefore vulnerable to its sleeper risks.

About the Author

Paul Reymann is a Partner with McGovern Smith Advisors, LLC. He has over 28 years in compliance and risk management, including 13 years with the Department of Treasury. He co-authored the Gramm-Leach-Bliley Act Data Protection regulation. He is the visionary behind outsourced managed compliance products and services to make it easier for businesses to meet today’s tsunami of regulatory challenges. You can reach Paul by email at preymann@mcgovernsmithadvisors.com or call him directly at 410-417-5035.

About McGovern Smith Advisors, LLC.

McGovern Smith Advisors understands our clients’ needs and delivers the knowledge and services that empower them to advance their payments business and remain competitive, compliant, and profitable. Our clients tell us we are unique in our depth of payments expertise. We bring forward-thinking advice and services on strategy, product development, profitability, compliance, RFPs & contracts, partnership formation, 3rd party vendor risk management, M&A, advocacy, and consumer campaigns to each client engagement. Visit www.mcgovernsmithadvisors.com for more information about how we can help you succeed.
