Essential Elements of FFIEC Vendor Due Diligence

Transcription

1 Essential Elements of FFIEC Vendor Due Diligence

2 Essential Elements of FFIEC Vendor Due Diligence Overview of the Whitepaper This CBIZ Credit Risk Advisory Group whitepaper was written for lenders, financial institutions, borrowers and other interested parties as a basic overview of the key elements of the FFIEC Examination Handbook on Outsourced Technology Services. It can also be applied to any other vendor or third party that a financial institution may use for services, processes, etc. It is not intended to advocate a position for or against the subject but will try to provide general overview on the topic. Who is the FFIEC? The Federal Financial Institutions Examination Council (FFIEC) was established on March 10, The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions. The FFIEC Council is responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the nonfinancial institution subsidiaries of those institutions and holding companies. It conducts schools for examiners employed by the five federal member agencies represented on the Council and makes those schools available to employees of state agencies that supervise financial institutions. What do we mean by Vendor Due Diligence? For the purposes of this white paper we are talking about the overall process and components including selection, qualification, validation, review, monitoring and other related tasks for any third-party providers of products and services to financial institutions. Do not mistake this for a narrow view or a subsection called Due Diligence within the Service Provider Selection section of the FFIEC IT Examination HandBook. We aim to take an all-inclusive view of the responsibilities, duties and requirements of a financial institution whenever they engage a third party vendor. Purpose of Vendor Due Diligence Performing initial and ongoing vendor due diligence is a best practice for all industries, not just for financial institutions. Because the vitality and business continuity of financial institutions is crucial to the health and wealth of the economy, a special emphasis is placed upon this area by regulators. Whenever a bank, credit union or other financial institution doesn t perform a task, process or service and relies on another party it must validate that party and their ability to perform now and in the future. If it is for a crucial process or service then the effects of that vendor/partner not performing as expected could be catastrophic to the financial institution, its clients, counterparties, and others. Although the FFIEC had policies on vendor due diligence for several years the scope and importance of vendor due diligence became paramount after the global financial crisis of 2008 as many financial institutions, their counterparties and vendors were brought to the brink of extinction. As a result, whenever a financial institution does not perform or provide a product or service itself it must undergo a thorough vetting process across several dimensions.

3 Essential Elements of FFIEC Vendor Due Diligence Essential Elements An Overview The essential elements of a vendor due diligence program should contain the following items: Comprehensive o Your process should include all of the outside, third parties used by the organization. o Your vendor due diligence program should have sufficient depth and breadth. o It should be dynamic versus static and be able to evolve as necessary. Accountability o The board and top management are ultimately responsible for the vendor process. o You have to Know Your Vendor just like you Know Your Customer. o Regulators are frequently citing a lack of or inadequate vendor due diligence in exams. Risk Management Timely Objectivity o It is an essential fiduciary duty of the organization to mitigate risks in its supply chain. o A risk assessment process should be done to prioritize and rank vendors into a spectrum of categories from key/crucial to ongoing operations to non-essential. o The ability of the vendor to perform to expectations should be evaluated periodically. o Information on your vendors should always be up to date and current. o You should be proactive versus reactive to changes in a vendor s ability to perform. o Important information on vendors should be verified and confirmed for accuracy. o The choice and use of vendors should be clear to an independent third party reviewer. Let s walk through each of these essential elements above to see why they need to be part of your vendor due diligence process. The initial step in the process is to do a critical self-assessment to determine where your vendor due diligence currently stands. This should be driven by the board of directors and executive management with the feedback and involvement of the employees and staff that rely on these outsourced services. Consideration should also be given to the potential effects on your customers. You then want to identify any gaps or missing elements, perform a prioritization of vendors into a spectrum from most essential to least essential, and create a roadmap from your current vendor due diligence process to your ideal vendor due diligence process. You need to define the ideal vendor due diligence process to be able to compare and contrast where you are now and what your best possible evolved state would be. Only then will the gaps and shortcomings become apparent and the roadmap to your ideal version become clearly visible.

4 Comprehensive Essential Elements of FFIEC Vendor Due Diligence You should endeavor to perform both initial and ongoing due diligence on all of the vendors you utilize. While this may be a difficult and daunting objective when you have hundreds or thousands of vendors, your review should have 100% coverage. Another aspect of a comprehensive vendor due diligence process is the various dimensions, data or aspects it is capturing. What are you confirming and validating? Is it enough to make a good decision on the ability of the vendor to perform as needed? What gaps or deficiencies are there in your vendor due diligence program? The initial and periodic assessments of your vendor due diligence system will allow you to determine what parts are working and what elements are missing. Which important elements or changes should be implemented immediately and which can be deferred or delayed? How does your system or process compare to your peer group? Is your vendor due diligence system and process deficient and inadequate according to your regulator? This also leads to whether your vendor due diligence program is static or dynamic. Is your vendor program rigid and inflexible? Is it reviewed once a year or less frequently? Is your vendor program proactive and able to adapt to change and the environment or is it always out-of-step and reactive? To be considered comprehensive your vendor due diligence should have both depth and breadth of information. In addition to the quantitative it should have qualitative aspects as well. You must be able to make decisions and interpretations on the data that you have and not just view this as a function of data collection and warehousing. Accountability At the end of the day, the financial institution is ultimately responsible for its vendors and any third parties it uses. In addition to the Know Your Customer or KYC requirements that we are all familiar with this concept should also be applied to Know Your Vendor or KYV. For instance, vendors may be entrusted with private and personal information on your customers that if not properly safeguarded could be used for criminal activities. You could be exposing your institution not only to financial liabilities but severe reputational risks as a result of your negligence. Telling a customer, regulator or other stakeholder that a failure or problem isn t the fault of your organization because that was the responsibility of a vendor is not a valid excuse or acceptable transfer of accountability. Financial institutions need to have the involvement and engagement of the board of directors, executive management team and the functional or operational staff that engage and utilize the vendors and third parties. Policies and procedures for vendors need to be reviewed by the board and executive management and revised as necessary. The functional and operational staff needs to be aware of the guidelines of working with and evaluating vendors. The various responsibilities of managing the vendor due diligence within your organization should be driven by your policies and procedures and then carried out by the appropriate individuals or departments based upon their role or function.

5 Risk Management Essential Elements of FFIEC Vendor Due Diligence The reason financial institutions are required to evaluate their vendors is to mitigate the myriad risks by entrusting responsibilities for functions, processes and services to third parties that are beyond the reach of the financial regulators. The inability of a vendor to perform as expected or agreed can have significant negative consequences for your financial institution. Performing appropriate vendor due diligence allows you to better understand the probability of failure of a vendor, for whatever reason, and have contingency plans for most scenarios even if they are unlikely to occur. One of the initial steps to perform in your vendor due diligence is an overall risk assessment and prioritization. This can be done by sorting the vendors by the annual costs, tiers of minimum annual spend levels, if they perform an essential or non-essential function, or if they are a sole provider of a service or function without a backup internally or externally. The ideal method of vendor risk assessment would evaluate and incorporate all of these aspects. By going through the process of vendor risk assessment the financial institution will now be able to categorize and prioritize their vendors. Post-assessment you should be able to easily identify your key/critical vendors, non-essential vendors, and everyone in between as well as better understanding your risks by vendor. Knowing this ranking of vendors will help to better define your due diligence requirements for vendors based upon what they do, your degree/level of reliance on them, and also let you make any necessary adjustments to your policies and procedures. Timely Another often neglected aspect of vendor due diligence is the timeliness of information and data. An annual or even longer cycle of information updates on your vendors is a common deficiency of most vendor due diligence programs. Key vendors for crucial daily processes and functions may only be reviewed once a year. A vendor with financial difficulties or other issues that may affect its ability to perform as expected will likely not disclose such information until it absolutely has to as it almost guarantees some or all of its customers switching to their competitors and accelerating their demise. Having stale information limits your effectiveness in making a good decision today. You also want to have timely data and information to be proactive and not reactive in your decision making process. Objectivity Your vendor due diligence process and program should be able to withstand the scrutiny and review of a third party such as regulators, customers, or any other stakeholders. The assessment, evaluation, prioritization and choice of vendors should make sense to anyone if they were to review your vendor program. By what standards and criteria are you evaluating your vendors? While price should be a consideration, value is more important as well as mitigation of risks. Would an objective third party agree with your internal assessment and process for vendors? Would they assign the same risk judgment? Have you mostly focused on vendor cost when there is much more at stake and at risk? Have you confirmed the vendor data for accuracy and validity? Do you have all the quantitative information and data necessary to make the appropriate decision about using this vendor?

6 Conclusion Essential Elements of FFIEC Vendor Due Diligence Your vendor due diligence process is no longer something that you can ignore, defer, or disregard. Your customers, shareholders, regulators, community and all other stakeholders of your organization are relying on you to perform your fiduciary duty, mitigate risks, and be a safe and sound financial institution that they can trust and depend upon. Whenever a product, service or process is performed by a vendor or third party you must make sure that you have subjected them to an appropriate vendor due diligence process that incorporates the essential elements of the FFIEC guidelines to ensure that they will perform as expected and will not subject your institution to any unnecessary risks or peril. The benefits of a dynamic and robust vendor due diligence process will bring increased efficiencies, reduction of multiple risks, and greater business resiliency. While your initial goal for your vendor due diligence process should be to meet the FFIEC guidelines your long-term goal should be to exceed the guidelines and make this a strategic and competitive advantage for your organization. References and Resources FFIEC Website: FFIEC InfoBase: FFIEC Booklet Outsourcing Technology Services June 2004 FFIEC Booklet Operations July 2004 FFIEC Booklet Business Continuity Planning March 2008 FFIEC Booklet Supervision of Technology Service Providers October 2012