The Regulatory Impact on Vendor Management

Increasing regulatory oversight affects the management of third-party relationships, but process automation can enhance the ability to conduct vendor management.


6. Legal risk. GLBA, for example, prescribes clear protections of customer data. Whenever customer data is shared with a third party, adequate security and protection procedures on the part of the vendor must be validated.

What Vendor Relationships Are Subject to Oversight?

Although other types of third-party relationships might be implicated, research suggests two primary sets of vendors that are subject to regulatory oversight. Benchmarking conducted with leading institutions has shown that a substantial number (between 50 and 400) of vendor relationships fall under the following categories:

Suppliers providing technology in support of core business processes
When you stop and consider it, your "information technology supply chain" (meaning the aggregate of software, hardware, telecommunications services, consulting and other services vendors) is the basis for most of your business-critical processes. Therefore, these vendors' performance is inseparable from your ability to run the business.

Suppliers performing functions on your behalf, such as outsourced business processes
Outsourced processing, such as automated clearing house (ACH), call centers, bill presentment, and back-office clearing, amounts to reliance on these vendors to perform business-critical functions. The growing trend toward outsourcing more business processes with a larger number of niche suppliers means greater vigilance is appropriate.

Key Principles of Vendor Management

Auditability
Regulators will put the burden of proof on member institutions. It's not enough to have the right processes in place to manage your vendors. You have to prove it.

Many supplier interactions are undocumented or contained in disparate systems. It's hard to gather the basic data in support of an audit. Combine this with the numerous stakeholders involved and you encounter a situation where preparing for an audit is a huge undertaking.

Consistency
Another basis of accountability to regulators is the consistent application of the vendor management process. Lapses in applying the processes will be examined by regulators and flagged for corrective action.

What's especially challenging is the cross-departmental nature of supplier interaction. Consider how the stakeholders in legal, audit, procurement, line-of-business, risk and corporate finance all come together to collaborate on a common, defined process.

Linking Due Diligence with Ongoing Assessment & Audits
The continuum between vendor selection and vendor relationship management is important. Those risk factors that you consider during due diligence become the risk factors by which you must measure the vendor over the life of a contract. As the situation changes, risk scoring should be compared to a baseline that was established up front, before a vendor was even selected. In this way, periodic risk audits will provide the early detection that ensures corrective action is taken.

Potential Points of Failure

Institutions have documented their vendor management policies and gained the blessing of regulators. However, there is a false sense of security in letting the process end with a written document.

As you consider whether automation and strong process accountability are right for your company, evaluate the following risks to compliance:

* Lack of continuity between due diligence and ongoing oversight
* Assuming a paper-based policy will be followed
* Not considering the challenges of decentralized stakeholders

Automation to Ensure Compliance and Create Organizational Value

Automation Opportunities
In order to mitigate risks associated with vendor selection and management, FSPs should consider automating the vendor selection and management processes. An enterprise system ensures:
