November 3, 2020
Banks and Vendor Risk Management
For a long time, banks in the United States have had a more rigorous vendor risk management process due to a regulatory environment that demands a higher rate of compliance. You will find that nearly every bank has a vendor risk program that is well defined and comprehensive. However, the actual details of each vendor risk program vary and banks only need to follow general guidelines to achieve compliance.
Tiering and inherent risk are popular topics in the vendor risk community, but both have been practiced widely in banking for a long time. In this OCC Bulletin, inherent risk is specifically identified: “Before entering into a third-party relationship….discuss the risks inherent in the activity”. Tiering not only saves time but is a smart way to reduce risk. It allows an organization to prioritize vendors based on how they are used by the bank. Everyone always jokes about the company that cuts the grass not needing a risk assessment, and it’s true. With so many vendors, it’s paramount to segment them appropriately.
There are many parts to a vendor risk program and due diligence of the vendor is one of the most critical. For a bank, vendor due diligence can be summed up into three parts based on guidance from The Federal Reserve.
- Business Background, Reputation, and Strategy
- Financial Performance and Condition
- Operations and Internal Controls
For many banks, it is up to them to decide which questions are asked of vendors and what evidence is needed to complete due diligence. Fortunately, industry standards like the SIG have been created to help banks map questions back to their risk management framework.
Perhaps the largest and most technical part of due diligence relates to a vendor’s information security program. This makes sense, as the amount of technology used by any given vendor has increased exponentially. This adoption of technology has brought a corresponding increase in the risk of data breach and exposure. Based on anecdotal estimates, information security accounts for 50-80% of vendor due diligence.
The banking industry is perhaps the farthest along when it comes to vendor risk management. Organizations in other industries can look to banking to understand how they can improve on managing an important risk vector that has gained a lot of publicity. We will also continue to see additional innovations in banking as its vendor ecosystem continues to evolve.