4 Tips for Risk-based Due Diligence That Ease the Burden
No one likes being told what to do; that’s just human nature. It’s no wonder banks are still bristling at recently beefed up vendor management regulatory guidance and the corresponding examiner scrutiny. But don’t forget: knowing your vendors and understanding the risks they pose to your institution is far more than just a compliance requirement. In today’s intricately connected environment, it is necessary for running a successful operation.
Why the Bank Pushback?
Between the vendor management guidance issued by both the OCC in late 2014 and the FFIEC in early 2015, many banks are feeling the pressure. And it’s typical that about 12 to 18 months after final guidance is published, examiners expect to see banks making progress toward compliance with new requirements. So for vendor management, that time is now.
While some banks are prepared for those examinations because they’ve strengthened their vendor management programs to meet the requirements of Appendix J of the FFIEC Handbook, there are still many that have made only minimal progress. And some banks have made zero progress. This lack of headway is typically due either to paralysis caused by a lack of understanding of the requirements or to pushback caused by the perception that the guidance is excessive. Regardless, it’s time banks gained a better understanding of vendor management, starting with these four tips:
1. Don’t Make Vendor Due Diligence Harder Than It Needs to Be
Due diligence must be performed on all vendors, just not to the same degree. Far too many banks are performing the same amount of due diligence on every vendor, likely resulting in inadequate due diligence on higher risk vendors and excessive due diligence on lower risk vendors. That’s a lose-lose proposition of inefficiency and inadequacy.
Using a risk-based vendor due diligence approach solves this problem. It focuses your effort where it’s most beneficial, which happens to coincide with the areas emphasized by regulatory guidance. There are four key steps to risk-based vendor due diligence:
- Pull the most recent list of all your vendors from your accounts payable system
- Classify them by definitive “risk-based” categories:
  - General vendors: the majority of vendors
  - GLBA vendors: your sensitive data and information is in their hands
  - Strategic vendors: you cannot do business without them
- Perform the appropriate level of due diligence, as described below, for each risk category
- Repeat the due diligence at appropriate intervals (for strategic vendors, no less than annually)
2. General Vendor Due Diligence Should Be Quick and Painless
Any time you contract with an outside vendor, investigate the following factors and ensure all corresponding documentation is stored in a safe place, like a dedicated vendor management repository:
- Business Impact Analysis: Ask yourself what happens to your bank if something happens to this vendor, e.g., they go out of business or lose a key subcontractor.
- Business Type and Status: Determine if the vendor is a legal entity, and of what type: corporation, LLC or sole proprietorship.
- Insurance: Confirm the vendor has general liability insurance and any specialty insurance needed for their specific industry or function. Collect a copy of the vendor’s certificate(s) of insurance, and implement a process to collect a new one when a policy renews.
- Contract: Develop a written, enforceable agreement that is signed by appropriate representatives of both parties.
- Service Level Agreements: Ensure that both parties have agreed on how performance will be measured. For lower risk vendors, this may simply be a section in the contract. For higher risk vendors, a separate, more detailed service level agreement may need to be drawn up.
- Relationship Owner: Identify the employee who will own this relationship and monitor performance, handle contract renewals, and ensure all documentation is up-to-date and stored appropriately.
- Confidentiality Statements: In some cases, your bank may need a vendor to sign a confidentiality statement. This typically occurs when proprietary information will be shared with the vendor, e.g., details about an upcoming product launch shared with a graphic designer or freelance writer.
And that is sufficient due diligence for all of your general vendors—the risk category that likely makes up the vast majority of your vendor list.
3. GLBA Vendor Due Diligence Should Focus on Protecting Your Data
Vendors that have access to your confidential customer data should be placed in the GLBA category. In addition to completing the tasks for general vendors, you must conduct enough additional due diligence on these vendors to ascertain whether they are able to protect your data to the level required by the Gramm-Leach-Bliley Act, including:
- Third-party Audit: Determine if the vendor has a current, appropriate third-party audit on file and collect the corresponding SOX report. In the absence of an external audit, your bank may use an internal audit to determine if that, alone, gives you enough confidence about the vendor’s internal controls and ability to keep data secure.
- Additional Insurance: Confirm that, within the vendor’s general liability policy, it has specific Cybersecurity and Errors and Omissions (E&O) coverage.
- Bonding: In addition to insurance, confirm that the vendor is bonded.
- Specific Contract Language: Pay more attention to GLBA vendor contracts, incorporating specific language about your right to audit and their responsibility to safeguard confidential data.
- Confidentiality Agreements: While a confidentiality statement may not be required for all general vendors, banks should definitely draw up confidentiality agreements with all GLBA vendors because of their access to your confidential information.
- Information Security: In addition to contract agreements about information security, obtain a copy of the vendor’s Information Security Policy.
- Business Continuity and Disaster Recovery: Review the vendor’s Business Continuity Plan, including all test results to gain reasonable confidence that they can protect your data in the event of a disaster and have accounted for all foreseeable disasters. While many vendors will not share their entire plan due to the sensitive information contained, a summary should be available for review.
- Employee Background Checks: Understand the vendor’s hiring protocol, including whether they complete background checks for employees in roles that will be responsible for your bank’s data.
- Vendor’s Own Due Diligence: Find out if the vendor is conducting adequate due diligence on subcontractors used to perform services for your bank.
While these additional tasks will require more time, remember that this level of due diligence is only needed for a finite group of vendors—likely just a handful.
4. Strategic Vendor Due Diligence Should Ensure Your Business Viability and Continuity
These are the vendors your institution cannot do without. They perform a critical product, channel, operational or technological function. The strategic category usually contains the fewest vendors, which creates an inverse relationship: the smallest group of vendors requires the most due diligence, including:
- Financial Soundness: Review of the company’s financial statements, conducted by someone with extensive finance and accounting experience.
- Ownership of the Company: Determine who owns the company, and whether it’s a domestic or foreign entity.
- Contract Protections: Use detailed language that ensures the continuity of the vendor’s critical function. The contracts section of Appendix J identifies the key elements that should be included in contracts with strategic vendors.
- Continuous Relationship Monitoring: Identify how (manually, through automated systems, or both) the vendor’s performance will be monitored, and by whom. With a critical vendor, you simply cannot risk a lapse in service going undetected.
- Capacity: Determine the vendor’s capacity, i.e., how many other entities does it serve? Are you confident in the vendor’s ability to continuously provide the function you need?
- Legal and Compliance Issues: Check to see if the vendor has any pending lawsuits or compliance violations, and review their past history of the same.
- Mergers or Acquisitions: Be aware of any news regarding mergers or acquisitions with the vendor. Make sure your contract protects you in any of these events.
- Corporate Image, News and Social Media: Follow their brand in traditional and social media in order to catch any early hints of trouble for the vendor.
- Alternative Vendor on Deck: Identify another viable vendor who could take over in the event this vendor can no longer perform their critical function.
That’s a lot of work, but for most community and regional banks, this only needs to be completed on one or two vendors, and rarely more than five.
Comprehensive Vendor Management is Achievable—and Necessary
While time-consuming, it’s in your institution’s best interest to ensure that general vendors have been appropriately vetted, that GLBA vendors can protect your sensitive data, and that strategic vendors can perform their critical functions. Otherwise, the penalty could come in the form of both lost business and compliance violations—a double whammy no bank wants to face.
Steve Sanders, CSI vice president of Internal Audit, oversees the evaluation of risks associated with IT, financial and operational systems. He has a strong knowledge of cybersecurity and privacy, accompanied by an educational background in computer security and data protection.