Third-party vendors, such as escrow management providers, are critical to the operations and success of any bank or credit union (though some institutions will have more vendor relationships than others). Managing those vendor relationships closely is critical in today’s environment, as there are many risks associated with outsourcing key business responsibilities.
At the end of the day, regardless of whether a task is performed internally or by a third party, the financial institution is on the hook for any compliance concerns, not to mention countless other risks. As the FDIC says in this informational resource, an institution can “outsource a service, but cannot outsource the responsibility.”
This blog explores the risks associated with third-party vendor relationships and best practices for banks and credit unions to manage these important partnerships.
Risks of poor vendor management
Insufficient vendor management can lead to serious consequences for banks and credit unions, almost all of which will negatively impact the bottom line through added costs, internal disruptions, tarnished brand image, and more. Here are some of the top risks to be cognizant of:
Is the vendor complying with all state and federal regulatory requirements? If not, the financial institution could be on the hook for huge penalties.
As cybercriminals continue finding new ways to infiltrate corporations and databases, some are beginning to exploit weak security through third-party vendors as a way to gain access to bank or credit union records.
Audit red flags
If you’re not managing vendors properly and keeping contracts up to date, there may be red flags during your next audit—potentially leading to a more comprehensive audit that could lead to fines.
Missed service and/or pricing opportunities
Stay in touch with your vendors and on top of your contracts, to ensure you aren’t missing any new service opportunities or pricing incentives.
Mergers and acquisitions are messy transactions to start with, and are even more complex when adding various third-party vendors to the mix. Consistently managing your vendors will make the M&A process much smoother.
If you have a vendor handling core parts of your business, and that vendor falls through, your institution could be in trouble and some internal operations may be disrupted.
All of these risks also go hand-in-hand with reputational concerns. If your institution is facing data breaches, delays, fraud, and other issues, borrowers may lose confidence in banking with you.
Vendor management best practices
The risks are substantial, but that doesn’t mean banks and credit unions shouldn’t work with third-party vendors. In fact, it can often be extremely beneficial to outsource certain tasks. The important thing is that the financial institution closely manages all vendors, to control the associated risks. The following are vendor management best practices to consider.
Policies & procedures
The Board and senior management should create policies and procedures around the outsourcing process, including evaluating potential risks, selecting the best vendor, negotiating contracts, and overseeing the relationship.
Comprehensive risk assessment and due diligence must be part of the vendor selection process, to ensure (among other things) reliability, security, financial strength, experience, data controls, and regulatory compliance.
Ongoing monitoring & reevaluation
The risk assessment and vendor management process should not stop once a new service provider signs on with the institution. It’s essential that banks and credit unions continue to monitor all their vendor relationships, to reevaluate risks and identify concerns.
This ongoing monitoring must include contract management. Too often, service providers and businesses miss their contract renewal period, resulting in outdated contracts. This poses a significant risk to the institution.
Finally, it’s critical that banks and credit unions establish and maintain proper documentation with all their third-party vendors and service providers. Documentation will vary, but may include service level agreements (SLAs), nondisclosure/confidentiality agreements, and due diligence documents.