
05/26/2015

Vendor Management is Changing the Relationship Between Banks and their Service/Technology Providers

A panel discussion, Understanding Vendor Management Best Practices, focused on current guidelines and regulations, the role of core vendors, processes vendors facilitate, and the risk of third-party relationships, at the 2015 AFT Spring Summit at Bonita Springs, Fla.


Kelli Schultz, co-founder & director of strategic sales, Digital Compliance, served as moderator for a panel that also included Keith Harrison, VP partner and contract management, Q2; and Terry Ammons, CPA, CISA, partner of Porter, Keadle, Moore.

Compliance with regulations consumes a significant amount of resources today. It is critically important for all parties involved to understand the vendor both as a system provider and business partner.

The panel suggested regulators are looking to protect their interests in financial institutions. The rules come as a result of ineffective business processes. With vendor management, they are saying: bankers, you don’t really have your arms around this stuff. Now you have to prove you are taking great care of your company.

The NCUA is the only federal banking regulator that does not have the muscle to examine third-party vendors. That might change soon. In March, NCUA Chairman Debbie Matz appealed for Congress to give the National Credit Union Administration the authority to scrutinize and control vendors, which range from large companies to small companies that only serve credit unions. “Vendors are such an integral part of the financial services industry,” Matz said. “We feel like our hands are really tied.”

For a time, vendors resisted providing information to clients. However, many financial institutions don’t know what they are supposed to do and need vendors’ help.

Panelists suggested vendors need to protect themselves as well as their clients. When there are third-party vendors involved as business partners, where core system providers are selling third-party products, it is important for companies to do their own vendor and compliance management.

For example, if a vendor connects to a core system in any way, they need to perform an IT risk assessment.

Some panelists spoke about having a vendor management and compliance committee, performing their own due diligence and focusing on typical FFIEC exam questions.

Panelists also zeroed in on what is expected, such as Service Organization Controls, the series of accounting standards that gauge the control of financial information.

SOC 1 reports, performed relevant to user entities’ internal control over financial reporting, are appropriate for vendors who process transactions for others.

SOC 2 compliance, designed for the growing number of technology and cloud computing entities, is becoming very common in the world of service organizations. It is appropriate for those who hold or have access to customer data but don’t process transactions.

Panelists emphasized that vendor management is not just about the vendors but about financial institution management as well.

“As a vendor you should be as nervous of your clients as they are of us,” one panelist suggested. “We have an interest in protecting our network and making sure clients are doing their part in protecting our networks.”
