Eugene Kublanov, Managing Director, Shared Services and Outsourcing Advisory
Greg Matthews, Managing Director, Risk Consulting
For today’s banks, managing third-party vendors and suppliers has never been more challenging. We would like to talk about these challenges, effective ways to address them, and the tools available to help banks mitigate risks related to third-party vendors.
First of all, why is third-party management such a critical issue these days? One reason is the simple fact that banks are increasing their third-party spend. Given the current low interest rates, banks are trying to build efficiencies and strip out costs, often by using cost-effective, outsourced providers. As a result, many banks are dealing with more vendors than ever before, but managing and coordinating so many vendors is not proving to be a simple task.
The main reason, however, involves the growing regulatory scrutiny in the U.S. For example, the Consumer Financial Protection Bureau has introduced new regulations that apply to services that banks provide to their consumers — even if these services have been outsourced. In effect, the CFPB is saying to banks: “You must look after your vendors as if they were a division or a department of your bank. So the same oversight you apply to your employees must also apply to your vendors.”
If banks are responsible for third-party oversight, who in the organization has a single view of those third parties that would properly conduct the monitoring activity? More specifically, who is responsible for compliance? Is it the line of business that appointed the vendor? The procurement function in charge of contracting with the third party? Or is it the compliance department?
To address these challenges, banks need to adopt a risk-based approach that begins with a careful assessment and categorization of the third-party portfolio. After assessing the risk associated with each category of third party, banks need to develop an effective approach for managing the existing portfolio and adding any new third parties in the future.
Any effective approach should take into account five key areas: planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination.
Planning
While most banks will define the objectives for the third-party relationship, assess the risk exposure, and work through IT and security-related topics, few put together a comprehensive relationship management plan, assess the resource and skill requirements for managing the relationship, and have a structured road map for managing change with internal and external stakeholders that are impacted by the decision to leverage a third party. Too often, organizations find themselves in the RFP process before adequate time and energy have been spent defining what happens after the contract is signed.
Due Diligence and Selection
The key challenge organizations face tends to arise in the scope of due diligence performed. While core areas of a third party’s business are certainly reviewed, including financials, operations, business continuity plans, and IT and physical security, other areas that may be more difficult or time consuming to assess may go unvetted. These areas might include the experience and reputation of the third party’s principals, subcontracting relationships, compliance training, incident and reporting systems, and conflicting arrangements with other third parties.
Contract Negotiation
Governance professionals in the banking industry need to pay particular attention to contractual terms that firmly bind the third party to performance levels expected of an internal business unit and clear definitions of repercussions in case of failure to perform. Special attention should be paid to the third party’s compliance with company and regulatory requirements, compliance training, customer management, information protection, subcontracting, and right to audit.
Ongoing Monitoring
The hard work typically begins after contracts are signed. The ongoing monitoring and management of third-party relationships requires investment, good discipline, process orientation, and the right resources to manage risk and capture the full value of the contracted arrangement. Unfortunately, the monitoring phase of the sourcing life cycle is the one governance organizations are least prepared to manage and where compliance breakdowns and the resulting fines typically occur. Successful third-party management programs will have five key components in place:
- A sufficiently staffed and skilled organizational model for third-party vendor management
- A process-driven approach to executing the vendor management function
- Defined metrics to provide enterprise-wide visibility on third-party performance and compliance
- Enabling technologies leveraged to create efficiencies, elicit insights from data, and maintain an auditable account of compliance obligations tracking
- A portfolio management approach that adjusts the third-party portfolio to align with internal company changes, economic cycles, and risk appetite
Termination
Not all third-party relationships are destined to end well. Banks often face situations where a third party may not be meeting performance expectations, financial obligations, or contractually agreed-upon terms. In order to shield the company from potential risk or find ways to create value, vendor management organizations need to perform the critical role of proactive portfolio management and terminate third-party relationships. In terminating or off-boarding vendors, governance organizations need to pay keen attention to a host of transition-related activities and functions. These may include the capabilities and resources required to manage an orderly transition from one third party to another, the risks associated with data retention, data destruction and decommissioning of user access, handling of joint IP issues, and potential reputation risk to the bank as a result of termination.
Business is all about taking on risk for return. With a solid understanding of risk exposure, an effective approach to managing risks, and a vendor management function entrusted with ongoing monitoring, banks can be well positioned to thrive in the current economic and regulatory environment.
Hear Eugene and Greg discuss more about issues related to the Financial Services industry in the KPMG Advisory Institute podcast: Managing Vendors – It Isn’t What It Used to Be.