Richard W. Shepherd
Associate Editor
Loyola University Chicago School of Law, JD 2019

Financial institutions often rely on outside vendors to provide information technology services.  While doing so often provides economic efficiency and quicker technological innovation, the risks associated with outsourcing information technology services are significant.  Institutions must develop strong vendor management programs to ensure the safety of their customer’s personal information. Several large financial institutions have come together to create a new consortium to perform vendor and partner due diligence.

Vendor Management: Benefits and Risks

 In the normal course of business, financial institutions increasingly rely on external service providers for a variety of technology-related services.  Institutions typically outsource to external service providers to keep up with rapidly changing technology, to provide their customers with the latest products, services, and delivery channels.  Doing so is often more cost-effective than the financial institution developing the technology or service in-house.  Financial institutions will often outsource operations such as the origination, processing, and settlement of payments and financial transactions, information processing, transaction processing, fiduciary and trading activities, security monitoring and testing, system development and maintenance, network operations, help desk operations, and call centers.

While it may be cost efficient, outsourcing information technology services to an outside vendor does not remove the risk associated with information technology.  Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information, and regulatory action remain.  Further, by outsourcing the service to an outside vendor, the financial institution may not be able to exercise the same level of control over the operation, compared to an in-house service provider.  Thus, it is imperative for financial institutions to exercise strong vendor management practice to mitigate the risk associated with outsourcing.  Vendor management practices include prudent contract development, conducting a vendor risk assessment, assessing vendor financial stability, and maintaining compliance with the contract terms.

 How do financial institutions practice vendor management?

 A strong vendor management program arises from a decision by the Board of Directors and senior management.  When a financial institution decides to outsource information technology, the technology itself is often the driving factor in the decision.  However, managing the relationship with the outside vendor is the more critical consideration.  The board and management should establish enterprise-wide policies and procedures to make the outsourcing process consistent.

The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook recommends the board to address outsourced relationships from an end-to-end perspective, by  establishing servicing requirements and strategies, selecting a provider, negotiating the contract, and monitoring, changing, and discontinuing the outsourced relationship.  Further, financial institutions should consider factors such as:

• Ensuring each outsourcing relationship supports the institution’s overall requirements and strategic plans
• Ensuring the institution has sufficient expertise to oversee and manage the relationship
• Evaluating prospective providers based on the scope and criticality of outsourced vendors
• Tailoring the enterprise-wide, service provider monitoring program based on intimal and ongoing risk assessments of outsourced services
• Notifying its primary regulator regarding outsourced relationships, when required by that regulator

Vendor management is absolutely critical to financial institutions.  Improper practices can lead to customer information being compromised, resulting in damaged reputation and financial cost.  Equifax was compromised by an information technology vendor used to collect website performance data.  During the data breach, the personal information of 143 million people was compromised.  Equifax could spend $300 million to settle the crisis, and the stock market value of the company has dropped by $4 billion.  Further and most importantly, the reputation of Equifax has been destroyed.

Penalties for noncompliance with vendor management regulations can be severe.  A major bank recently outsourced identity protection to a vendor, who was found to be in violation of federal regulations.  The institution entered a consent order, paid $618 million in restitution, and $80 million in civil money penalties.

How are competitors working together?

 In response to the risk associated with outsourcing information technology services to outside vendors, Bank of America Corp, JPMorgan Chase & Co, Wells Fargo & Co, and American Express & Co, created a company to standardize the work of vetting third party vendors.

Large financial institutions, like the ones backing the new venture, have between 10,000 and 20,000 vendor relationships.  Each relationship has its own nuance and risk associated with its management.  Effectively managing and mitigating the risks associated with each relationship is a daunting task, requiring a great deal of resources and expertise. After two years of negotiations, the institutions created TruSight to manage the risk associated with vendor management.

TruSight is designed to conduct third-party risk assessment reports of potential outside vendors and partners that meet regulatory requirements.  The goal is for the financial institutions to share a common source of due diligence research complied company by company.  Doing so reduces the cost associated with vendor management, and makes the process much quicker, opposed to each financial institution completing the process independently.  TruSight is developing a library of reports on particular vendors.  The library will be built on the records of the financial institutions which subscribe to the service.  If a vendor is not in the library, TruSight will perform vendor due diligence on request.

As financial institutions continue to integrate more complex technology into their products, services, and delivery channels, prudent vendor management practices become more and more important.  The risks associated with failure to properly manage vendors is so significant, it has induced rival financial institutions to work together to better manage the risk.  The creation of TruSight is a step in the right direction for financial institutions.