Do you really know what vendors are doing?

Outsourcing is popular. In fact, it is often necessary, as the support systems for products and services grow too complex to manage inside the bank. And suddenly, we are talking about third-party vendors.

Third-party vendors have been much in the news of late, and the news has not been good. There have been deviations from marketing scripts to put purchase pressure on consumers or to deceptively describe a product. There have been problems with timely transactions—and even data hacking.

When the vendor has a problem, the bank’s name makes the news.

Outsourcing a function does not mean that responsibility and liability have been outsourced. No matter how carefully a contract imposes liability on the vendor—and most contracts don’t do this effectively enough—the blame will fall on the bank. Directing and monitoring vendor practices is therefore critical to the bank’s reputation.

Take steps before you outsource

There are five basic questions to ask when deciding to outsource a function and additional steps to take when selecting a vendor.

1. Do vendors share bank
culture? Banks must be sensitive to the needs and concerns of consumers and small businesses who rely on banks to handle their financial transactions. This includes protecting privacy as well as assets. It also means managing transactions correctly and promptly. Vendors, on the other hand, do not have the direct dependence on consumers that banks do. Instead, banks and other large businesses are their customers. This buffers their exposure to consumers.

This difference can allow a very different set of corporate ethics and values to prevail in vendors than in banks. Compare the service requirements and expectations of consumer customers and commercial customers. Anyone in commercial lending will tell you there is a significant difference in customer needs and expectations. Any vendor should be reviewed for its willingness and ability to support the bank’s customers in the same way that the bank would.

As closely supervised entities, banks hew to high standards of performance and customer service. Generally, vendors are not supervised. As unsupervised entities, they can operate quite differently from banks. The problem for banks is that some vendors want to provide banking services without being held to bank customer-service standards.

Both the bank’s policy and the due diligence of potential vendors should stress the importance of the bank’s relationship with its customers and the ability of the vendor to seamlessly maintain that relationship.

2. Are vendors willing to share consequences? Every contract with vendors should hold the vendor fully responsible for providing the service in a manner consistent with the bank’s service to customers. Every contract should hold the vendor fully responsible for compliance with all applicable laws and regulations. Particularly when dealing with customer information, the vendor should adhere to the bank’s requirements for protection of that information and customer privacy.

If the vendor is not willing to share the risks of errors or noncompliance, you don’t want to do business with that firm. Period.

3. Will vendors share the culture of supervision? Too often, when banks request information about a function, vendors respond negatively. “Trade secret!” they may insist. And when all other responses fail, vendors will claim that none of their other clients want or need that, so there will be a charge for it—a really big charge.

Problems arise when requesting any type of change. Even though the regulation is pretty clear or examiners are insistent, vendors have been known to refuse to make the change. Again, the reason given is “none of the other users want that” and there will be a significant charge.

This tactic doesn’t work for banks when being audited or examined, and it shouldn’t work for vendors. Ask for the user list and contact other users who have the same regulator. Chances are pretty good that they have been told the same thing.

4. Are the board and top management exercising proper oversight? Examiners never want to hear, in reply to a question: “That’s not a problem. We’ve outsourced it.”

Management of vendors starts at the board level. The vendor management policy should establish that the board will review and approve each vendor selection.

The board’s responsibility doesn’t stop there. The board should review the vendor’s performance at least annually, using management and audit reports. And the board should ask questions.

Next come management’s responsibilities. In addition to ensuring that vendor selection is preceded by appropriate due diligence, management should periodically review each vendor’s operations and performance. These management reviews, based on staff and audit reports, should consider the degree to which the vendor is carrying out contract requirements. Management also should assess risks with each such review.

Management also must be sure that there is sufficient in-house staff to oversee and monitor vendor performance. Failure to maintain sufficient staff to maintain vendor oversight is cited all too frequently in enforcement cases.

The ongoing management reviews of vendor performance should include an assessment of the effectiveness and consistency of the vendor relationship in meeting the bank’s strategic goals.

Finally, the annual review should verify the vendor licensing or registration, and should evaluate the vendor’s financial condition.

5. Does the contract give the bank the ability to oversee vendors properly? The contract should provide the bank with the authority to take steps to properly manage vendors. Most contracts, especially those drafted by vendors themselves, give detailed descriptions of expected performance. Where vendor-drafted contracts usually fall short is in providing appropriate authority to the bank to oversee the vendor’s performance. Before signing any vendor contract, banks should be careful to include several elements.

• First, the contract should give the bank authority to conduct regular audits of the vendor. This does not mean sitting in a conference room while the vendor presents a dog-and-pony show. It means digging through files and computer records to verify performance. It does not mean accepting vendor assurances that it has done an audit and found no problems.

• Second, the contract also should require the vendor to provide regular—and detailed—reports that track performance. The bank should carefully study each report from a vendor to evaluate what the report does—or does not—reveal.

• Third, the bank should ensure that the contract authorizes the bank to make onsite visits, listen to calls, and review and monitor customer complaints.

• Finally, just as with an internal bank function, the vendor’s performance should be monitored, using testing, reports, special inquiries, and customer feedback.

Key vendor management elements

Transferring any work to a vendor should be done carefully and deliberately. It calls for a policy with clearly stated goals and expectations. In addition, the policy should clarify responsibilities for oversight, reporting, monitoring, and audits of performance. A checklist (see box at right) can be used to review vendor contracts for required elements.

Vendors may not like it, but all contracts with vendors should clearly authorize the bank and appropriate regulators to have access to vendor records as necessary for evaluating compliance with laws, rules, and regulations. Not only is the bank responsible for the vendor’s compliance with regulations affecting the bank, but the bank must be able to demonstrate this compliance to examiners.

Many vendors use subcontractors, therefore the bank should consider whether the use of subcontractors is an acceptable risk for the bank. If the bank accepts the use of such subcontractors by vendors, the policy and all contracts should provide the bank with the authority to audit performance, ensure compliance with regulatory requirements, and require reports.

The vendor management policy also should address how the bank will manage and monitor performance of the vendor. The bank should expect to monitor the vendor’s performance, using its own staff or consultants answerable to the bank.

The policy should address how reports from the vendor will be required and reviewed. Too often, banks simply accept reports that the vendor generates without evaluating whether the reports actually provide necessary information.