Part Two – Developing the Proper Balance
There can be no doubt that bank vendor management is a “hot topic” among regulators these days. Each of the “prudential regulators” (OCC, FDIC, FRB) has issued recent guidance about developing third party relationships. As we discussed in the first part of this series, the guidance from each of the regulators has a central theme. Put succinctly,
“A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships” 
The guidance from each of the regulators includes differing levels of detail. However, there are common themes of risk that are delineated. In addition, it is clear that the regulators expect financial institutions to complete due diligence on the third party services they engage. Unfortunately, one of the questions that remains open is just what level of due diligence is required for each relationship. A corollary question is which of the services performed by third parties are considered critical or core services.
While we agree that bank vendor management is a critical issue and that your bank’s vendor management program must be appropriate and comprehensive, we also believe that there must be a balance between the due diligence the bank performs on third party services and what the bank does internally vis-à-vis the third party providers.
History of Vendor Relations and the Reason for the Guidance
Starting at the beginning of the first decade of the new millennium, the relationship between banks and third party service providers enjoyed a relative boom. During this period, banks used third parties to offer services that were traditionally in house, such as core operating systems. In addition to these services, banks also used outside firms to offer new and diverse products that the bank itself had not offered. Subprime lending and brokered deposits are two such products.
While the use of outside vendors has many benefits, such as reduced costs and leveraging the skills and experience housed at the outside firm, these relationships can also increase risks. By the middle of the decade, the level and types of risks that these firms present began to surface. Some of the areas in which regulators began to find trouble with third party vendors included:
- Several banks relied too heavily on a provider to administer the flood loan portfolio. When examiners reviewed the portfolio, they found many instances where the insurance amount was inadequate. Further, in one case, the provider was unaware that changes had occurred in the flood mapping.
- Vendors who have been retained to assist with loan modifications have, in many cases, failed to meet the agreed upon terms of modification. In other cases, vendors delay the processing of loan modifications by sending borrowers duplicate document requests, causing hardships for the borrowers. If bank management is not monitoring a vendor’s activity, it will not be aware of problems that may be occurring with the vendor. We are all too familiar with how this process created a huge problem during the financial crisis of 2009.
- Vendors who promised revenue enhancement. In several cases, the revenue enhancement schemes included things like increased overdraft fees and additional charges to customers for use of their credit facilities. This additional revenue resulted in UDAAP violations at banks and in at least one case led to enforcement action.
- Privacy concerns that have been created by the failure of a third party vendor to maintain adequate security over customer records.
Cases such as these have led to the guidance that we now see being issued by the regulatory bodies. The Federal Reserve issued a statement that describes the types of activities that can lead to problems with third party relationships:
- Overreliance on third-party vendors. The regulators have made it clear that banks are ultimately responsible for the work of their third party providers. Therefore, even though the bank is outsourcing, it must do what is necessary to administer the area.
- Failure to train new staff or retain knowledgeable staff. There must be somebody at the bank who understands what it is that the provider is doing!
- Failure to adequately monitor the vendor. There should be a way for the bank to determine that the vendor is meeting standards. The bank must have a way to regularly monitor the results of the vendor.
- Failure to set clear expectations. The bank has to be clear about what it needs; this includes letting the vendor know that expectations include keeping up to date with changes in regulations.
The guidance in the area of vendor management is written to address these concerns and the problems that have historically been caused by third party vendors. All of the guidance is clear that the regulators will hold a bank ultimately responsible for the actions of its vendors.
Level of Due Diligence
One of the questions that we noted above was about what level of due diligence is required for a third party contract. The OCC guidance defines a critical activity as:
Critical activities — significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that:
- could cause a bank to face significant risk if the third party fails to meet expectations.
- could have significant customer impacts.
- require significant investment in resources to implement the third-party relationship and manage the risk.
- could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.
For those arrangements that involve critical activities, the expectation is that the bank will perform comprehensive due diligence at the start of the contracting process as well as monitoring throughout the execution of the contract. The steps that are necessary for the proper engagement of a third party for a critical activity are discussed in each of the regulatory guidance documents that have been released.
The OCC bulletin provides the most comprehensive list that includes:
- Relationship Plan: Management should develop a full plan for the type of relationship it seeks to enter. The plan should consider the overall potential risks, the manner in which the results will be monitored, and a backup plan in case the vendor fails in its duties.
- Due Diligence: The bank should conduct a comprehensive search on the background of the vendor and obtain references and information on its principals, financial condition, and technical capabilities. It is during this process that a financial institution can ask a vendor for copies of the results of independent audits of the vendor. There has recently been a great deal of attention given to the due diligence process for vendors. Several commenters and several banks have interpreted the guidance to require that a bank research a vendor and all of its subcontractors in all cases. We do not believe that this is the intention of the guidance. It is not at all unusual for a third party provider to use subcontractors. We believe that a financial institution should get a full understanding of how the subcontracting process works and consider that as part of the due diligence; however, it is impractical to expect a bank to research the backgrounds of all potential subcontractors before engaging a provider.
- Risk Assessment: Management should prepare a risk assessment based upon the specific information gathered for each potential vendor. The risk assessment should compare the characteristics of the firms in a uniform manner that allows the Board to fully understand the risk associated with each vendor. 
- Contract Negotiation: The contract should include all of the details of the work to be performed and the expectations of management. The contract should also include a system of reports that will allow the bank to monitor performance with the specifics of the contract. Expectations such as compliance with applicable regulations must be spelled out. The OCC bulletin includes the following phrase:
- Ensure that the contract establishes the bank’s right to audit, monitor performance, and require remediation when issues are identified. Generally, a third-party contract should include provisions for periodic independent internal or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions to monitor performance with the contract
This language has also been the subject of a great deal of media and financial institution attention. Some have interpreted this phrase to mean that a community bank that uses one of the large core providers has the right to perform an independent audit of the provider. We believe that this interpretation is inaccurate as it would be impractical to carry out. We believe that the phrase means that the financial institution is entitled to a copy of the report of the independent auditor.
- Ongoing Monitoring: Banks must develop a program for ongoing monitoring of the performance of the vendor. We recommend that the monitoring program should include not only information provided by the vendor, but also internal monitoring including
- Customer complaints;
- Significant changes in sources of expenses and revenues;
- Changes in loan declines, withdrawals or approvals;
- Changes in the nature of customer relationships (e.g. large growth in CD customers).
- Oversight and Evaluation: There should be a fixed schedule for evaluating the overall success and efficacy of the vendor relationship. The Board should, on a regular basis, evaluate whether or not the relationship with the vendor is, on balance, a relationship worth keeping.
While all of the above steps represent best practices for developing relationships with vendors, it is important to remember that a balance must be maintained. The vendor management program cannot be so time consuming or stringent that a bank is left without the ability to engage consultants. However, there must be sufficient diligence and monitoring of vendor relationships to ensure that the bank is managing risks effectively.
OCC BULLETIN 2013-29
Ibid.
It should be noted that the regulatory agencies have made it clear that they expect the Board of Directors to present a credible challenge to the information being presented. To do so, the Board must be fully informed of the risks associated with each potential vendor.