{"id":1422,"date":"2017-12-04T13:15:06","date_gmt":"2017-12-04T18:15:06","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=1422"},"modified":"2017-12-04T13:15:06","modified_gmt":"2017-12-04T18:15:06","slug":"financial-institutions-join-forces-for-vendor-management-compliance","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=1422","title":{"rendered":"Financial Institutions Join Forces for Vendor Management Compliance"},"content":{"rendered":"

Richard W. Shepherd
\nAssociate Editor
\nLoyola University Chicago School of Law, JD 2019<\/em><\/p>\n

Financial institutions often rely on outside vendors to provide information technology services.\u00a0 While doing so often provides economic efficiency and quicker technological innovation, the risks associated with outsourcing information technology services are significant.\u00a0 Institutions must develop strong vendor management programs to ensure the safety of their customer\u2019s personal information. Several large financial institutions have come together to create a new consortium to perform vendor and partner due diligence.<\/p>\n

<\/p>\n

Vendor Management: Benefits and Risks<\/strong><\/p>\n

\u00a0<\/strong>In the normal course of business, financial institutions increasingly rely on external service providers for a variety of technology-related services.\u00a0 Institutions typically outsource<\/a> to external service providers to keep up with rapidly changing technology, to provide their customers with the latest products, services, and delivery channels.\u00a0 Doing so is often more cost-effective than the financial institution developing the technology or service in-house.\u00a0 Financial institutions will often outsource operations such as the origination, processing, and settlement of payments and financial transactions, information processing, transaction processing, fiduciary and trading activities, security monitoring and testing, system development and maintenance, network operations, help desk operations, and call centers.<\/p>\n

While it may be cost efficient, outsourcing information technology services to an outside vendor does not remove the risk associated with information technology.\u00a0 Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information, and regulatory action remain.\u00a0 Further, by outsourcing the service to an outside vendor, the financial institution may not be able to exercise the same level of control over the operation, compared to an in-house service provider.\u00a0 Thus, it is imperative for financial institutions to exercise strong vendor management practice to mitigate the risk associated with outsourcing.\u00a0 Vendor management practices<\/a> include prudent contract development, conducting a vendor risk assessment, assessing vendor financial stability, and maintaining compliance with the contract terms.<\/p>\n

\u00a0<\/strong>How do financial institutions practice vendor management?<\/strong><\/p>\n

\u00a0<\/strong>A strong vendor management program arises from a decision by the Board of Directors and senior management.\u00a0 When a financial institution decides to outsource information technology, the technology itself is often the driving factor in the decision.\u00a0 However, managing the relationship with the outside vendor is the more critical consideration.\u00a0 The board and management should establish enterprise-wide policies and procedures to make the outsourcing process consistent.<\/p>\n

The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook<\/a> recommends the board to address outsourced relationships from an end-to-end perspective, by \u00a0establishing servicing requirements and strategies, selecting a provider, negotiating the contract, and monitoring, changing, and discontinuing the outsourced relationship.\u00a0 Further, financial institutions should consider factors such as:<\/p>\n