
Recent red flags related to vendor risk management

Last year, in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor, says Donald Saxinger, senior examination specialist in FDIC's Technology Supervision Branch.

"I'm not saying it was the primal causal factor, but, in 46% of the downgrades, vendor management was cited," Saxinger says. He spoke during the recent ABA Telephone Briefing "Vendor management: Unlocking the value beyond regulatory compliance."

Saxinger says he drilled down with his colleagues to find more specific reasons this factor has emerged in troubling IT exam results.

"The No. 1 issue that a lot of examiners told me was the banks are not requesting copies of the exams of their service providers," he says. "We do examine service providers. It would be a very good monitoring and continued due diligence practice to see what the regulators are saying about your service providers."

Other related observations and suggestions gleaned from exam results include:

Vendor management needs to consider all service providers that hold sensitive customer information, not just IT vendors. These include loan workout consulting, appraisal review companies, outside attorneys, and others.

Make sure to get the proper exam reports about individual vendors. Some banks obtain reports only for the host data center, not for the specific application the bank is using.

Even the proper reports don't cover everything that a bank must consider in its security risk management efforts. For example, one service provider with an otherwise clean report did not have an internal audit program and its business continuity planning was poorly documented.

"When you're contracting with a vendor, you need to ask questions more than just what's in the [exam report]. What other types of audits do they have? You need a security audit. You need to comply with Gramm-Leach-Bliley. Do they have effective business continuity?" Saxinger says.

For information on obtaining an audio copy and materials from the ABA telephone briefing, go to

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News.
