Written by Josh Layne, Vice President of Vendor Management & Compliance
We operate in a world of outsourcing, with much of the banking industry required to bring in vendor partners to be competitive and provide the services expected by members and customers. Those vendors come in all kinds of shapes, colors and flavors, and all pose different risks to the financial institution looking to partner with them.
The FFIEC and its agencies have had vendor management guidance on the books for decades now. About half of that guidance is focused on how to select and contract with a vendor. Having myself been in this industry for almost as long, I’ve seen all kinds of methods for selecting and vetting new vendors by financial institutions. It’s not often I see a consistent process enforced across financial institutions, or even consistency within a single institution between its departments.
Vendor management guidelines prescribe items that should be included when selecting a new vendor to understand the risk related to outsourcing a service. But the regulations can be a bit fuzzy on exactly what to look for and why. I wanted to make a straightforward list of items to ask any new vendor before partnering, both from a rock-solid compliance standpoint and with an eye on the real-world impact.
Below is my list of basic due diligence you should run on any new vendor you’ll partner with for any length of time. Some of the items listed can be found in the public sphere, but most of these will require your potential vendor to answer specific questions and share some supporting documentation. And all of it will require your effort to make sure each item is covered, documented and digested before you sign a contract.
Basic due diligence for ANY new vendor includes:
- Length of time in business, experience and location
How experienced is the vendor, and how much of that experience is directly relevant to the services it will provide your institution? For some services performed onsite, proximity to all your locations may be very important. Also, whenever possible, you should avoid the unnecessary risks that a foreign entity, or processes that include offshoring your data, can introduce.
- Market position for its services
Is the vendor established in the market it serves? Is it a change leader or is it considered antiquated or somewhere in between? Is it growing or shrinking its customer base, and how aggressively?
- Types of customers
Is the banking industry the vendor’s primary customer base, or would you be one of several industries the vendor focuses on? Does it serve financial institutions your size, or does it primarily work with larger or smaller institutions? How does that relate directly to you, and where do you fit in the vendor’s target customer profile?
- Recent negative news
Much of this can be discovered with public information searches. Beware: if you’re doing this on your own through web searches, it can be quite time consuming. A better approach is using a third party that specializes in company information, like Argos Risk (Maple Street’s partner), Dun & Bradstreet, Bloomberg or any number of other companies.
Negative news that can illuminate risks in multiple areas includes:
– Significant service issues
– Recent reported data breaches
– Recent layoffs and/or offshoring activities
– Recent bankruptcies
– Open lawsuits and recent legal issues and settlements
– Bulletins from CFPB, FDIC or NCUA
- Recent mergers or acquisitions
This may or may not open you up to immediate or long-term risk; it depends on the nature of the merger or acquisition and whether and how it directly impacts your expected experience and goals with the vendor. Some of these activities can add capability to a vendor’s service offering. Others may be a sign the vendor is struggling to maintain its business model, was bought, and will be sold for parts.
Have a direct conversation with the vendor about this and discern how this may or may not impact you during the contract term. This advice holds true for large software platforms as much as for local contractors performing non-essential services.
- Reputation via reference checks with existing customers
Please don’t underestimate the value of reference checks on a vendor. They may be your biggest source of real information to take into your decision. Try to go beyond the references the vendor provides, too. The best practice is finding other financial institution customers in your situation, with the same or very similar software or service levels, expected volumes and general location.
You should also create a standard set of questions to ask, based on your assumptions and needs, and whenever possible ask each reference the questions the same way. This method will help you compare answers and see where there may be trends.
- Inherent risk assessment (This is already done by Maple Street!)
This is an important step, as a solid inherent risk assessment will tell you how much risk this vendor’s proposed service could open your financial institution up to, and therefore how deeply you really should dive into the controls due diligence. An inherent risk assessment makes it clear, objective and consistent what should be done for critical, important and low-risk vendors, and what you need to ask the vendor to provide for your review, assessment and acceptance of risk. It’s also a compliance requirement.
As noted above, the good news is Maple Street does this for you.
- Financial health
This is deceptively simple: how healthy is the vendor from a financial standpoint? Is it stable, or is it trending down in multiple financial aspects, giving off clues to its long-term viability? Is it aggressively growing through debt? Spend enough time here so you can paint a clear picture of how well this vendor can serve your financial institution in the near and long term. As a tip, always try to secure multiple years of financials so you can assess a financial trend, not a point in time.
This area can also be the biggest blind spot. Private companies are usually reticent to open their books to customers, let alone potential customers. This is when bringing in a third-party specialist is very handy. We partner with Argos Risk, a company that can create a Comprehensive Report that includes financial health and viability scores and a Dun & Bradstreet overview for a fair, one-time cost. It’s better to have something to assess than a big blind spot on a vendor’s ability to stay in business.
- Third-party audits like SOC reports, BCPs and pen tests
These are the best controls to assess when you expect a high operational reliance on a potential vendor and/or the vendor will have significant access to and use of your private data. A third-party report or audit provides independent attestation (i.e. proof) that the vendor has controls to prevent or minimize service interruptions and data breaches.
Mainly used in assessing technology vendors, SOC reports, tested BCPs and third-party penetration testing can be just as valuable for a non-technology partner. They demonstrate the vendor is thorough in protecting itself from events that could roll down to you and your service.
- Insurance, amount and policy mix
Any potential vendor should carry current business insurance, period. General Liability (GL) would be expected for every single company you would partner with. Specific insurance policies covering possible events related to the service are even better. For example, technology vendors should carry technology-specific insurance. Often overlooked: you always want to ensure any vendor working onsite carries workers’ compensation coverage. Don’t focus too much on the amounts; focus on the mix and on whether claims can be made on likely events beyond the standard GL policy.
- Residual risk assessments
This is an important step in any new vendor vetting process. You want to bring it all back home in a residual risk assessment, documenting the potential risks that remain, and that you would own, after you have reviewed and assessed all of the vendor’s controls. It’s where you lay out all of the cards and determine whether this vendor and its risks are worth moving forward on.
These items aren’t revolutionary, and no doubt you have seen the same items in several places in different forms online or in seminars. The list is also not completely comprehensive. I didn’t get into fourth-party vendors, supply chain questions and concentration risks. I also didn’t include a list of contract issues to be aware of. We do cover these in some of our past blog posts; you should check them out.
I do think the list above does well as a baseline and minimum for almost any vendor you would partner with. Time invested in really understanding who your potential vendor is and any obvious risks it could open you up to is time well spent. Things uncovered in vetting can also be brought into contract negotiations to further minimize your risk and leverage better pricing and service levels. As we often say, no amount of monitoring and risk assessment will fix a bad vendor selection or a bad contract. Consistent, comprehensive due diligence reviews pre-contract help prevent both.
Maple Street offers support by helping create and coach a consistent vendor management process, and we offer offline tools to support this due diligence effort, including New Vendor Checklists, RFP templates and a Reference Check Questionnaire template.
We’re also launching a New Vendor Vetting service as you read this, having rolled it out to several clients over the past few months. This service includes a standard Street Smart Vendor Review Kit prepared by our specialists, an Argos Risk Comprehensive Report on your potential vendor and a New Vendor Checklist completed by Maple Street. There are options for both critical and important vendors, as well as a “lite” version for exempt, non-essential vendors.
Do you want to learn more about Maple Street’s due diligence services? Call 800-513-6839, email firstname.lastname@example.org or visit www.maplestreetinc.com/learn to get started.