Did one of your third-party vendors need Paycheck Protection Program (PPP) funds?
This is the question everyone is asking since the Small Business Administration (SBA) released the list of businesses that took PPP loans. (The Washington Post’s PPP searchable database includes companies that borrowed more than $150,000.)
As many financial institutions know after working day and night to serve customers in need of PPP loans, the $660 billion program is not a free government handout for whoever asks. Its goal was to put emergency funds in the hands of businesses that needed immediate relief to survive.
Borrowers had to certify in good faith that:
- Current economic uncertainty made the loan request necessary to support the ongoing operations of the Applicant.
- At least 60 percent of the funds must be used for payroll and benefits costs; the rest may go to mortgage interest payments, lease payments, and utility payments.
- If the funds are knowingly used for unauthorized purposes, the federal government may hold the borrower legally liable, such as for charges of fraud.
Does It Matter If Your Vendor Needed PPP Funds?
To take out a PPP loan, a business had to be on shaky ground and worried it would be unable to operate without a quick infusion of cash.
While this was a lifeline to many small businesses, it is also a red flag from a vendor management perspective.
Financial risk is a necessary element of vendor due diligence and oversight and is specifically mentioned in guidance from the OCC, NCUA, FDIC, and FRB. It doesn’t matter how compliant, effective, or technologically sound a vendor’s product or service is if the company won’t be in business very long. An FI that partners with a financially unsound vendor may find itself suddenly cut off from a product or service it depends on.
Needing an emergency loan to ensure ongoing operations says a great deal about a company’s financial condition and strength.
It can also say something about a vendor’s business ethics. Remember the headlines earlier this year when PPP loans went to Shake Shack ($10 million), the L.A. Lakers ($4.6 million), Ruth’s Chris Steakhouse ($20 million), and J. Alexander’s ($15.1 million). Many of these companies are publicly traded with access to the capital markets, but they saw the opportunity to borrow money at 1 percent interest—and maybe even have some of the loan forgiven—and took it, exhausting the first round of funding before many small businesses could get approved.
Even though PPP funds remain available, the question stands: companies that took funds they did not need may have committed fraud, having seen a chance at cheap cash and grabbed it.
It raises a risk management question: Is your financial institution comfortable with the potential reputation risk of a vendor that engages in that kind of conduct?
PPP Shows Why Continuous Vendor Management Is Needed
The COVID-19 pandemic has reminded us that third-party vendor risk, including financial and reputation risk, can change at any time. Continuous vendor management is necessary to catch these changes and allow your FI to adjust its third-party risk exposure, if necessary.
When your vendor management program includes ongoing monitoring of critical and second-tier vendors, it gives you the opportunity to proactively address third-party vendor risk and take action to prevent problems. You may need to research new vendors or revisit your business continuity plan to ensure resilience.
Don’t get caught off guard by changes to the vendor’s risk profile. Make sure you have the tools to stay on top of vendor monitoring and due diligence.
It’s not as simple as it sounds. FIs frequently make mistakes with vendor due diligence documentation that waste resources, delay task completion, and expose the FI to increased vendor risk.
How? Here are eight of the most common due diligence documentation mistakes.
MISTAKE #1: Not classifying vendors correctly. Due diligence is based on risk. Third-party vendors that provide critical bank functions or have access to sensitive data require greater scrutiny and should be identified as critical, significant, or high-risk vendors (terminology depends on the regulator).
When a vendor isn’t properly classified, the due diligence performed may not match what the relationship actually requires, and the rest of the process has no foundation.
| IF YOU… | YOU MIGHT… |
| --- | --- |
| Classify a low-risk vendor as a high-risk vendor | Waste valuable time and resources requesting and reviewing unneeded documentation. |
| Classify high-risk vendors as moderate or low-risk vendors | Fail to ask your vendor for sufficient documentation. |
| Fail to classify vendors | Complete either too much or too little vendor due diligence (and possibly both). |
MISTAKE #2: Assuming you need the same documentation from every vendor. You don’t need a SOC report from every vendor. Critical vendors, like those with access to sensitive data, require in-depth reviews, while a property insurance company wouldn’t warrant one. Classifying your vendors, and doing so correctly, tells you what level of documentation is needed.
MISTAKE #3: Assuming the vendor will know what you need. If you tell vendors you need due diligence documents, there is no telling what you might get, especially with smaller vendors. They might send you every policy and procedure they have, from data security to vacation request policies. Be specific and focus on areas like information security, business resiliency and disaster recovery, employee training, incident response, regulatory compliance, and independent testing.
MISTAKE #4: Not being able to identify relevant reports. Even when an FI classifies its vendor correctly, it may not be able to identify the exact documentation it needs. Many vendor portals have hundreds or even a thousand different reports, and just a handful of them will be relevant to your needs.
MISTAKE #5: Getting the wrong SOC report. FIs regularly download the wrong SOC reports, not realizing that the product they use is not included within the scope of the report. Before relying on a SOC report, read its system description and scope section to confirm that the specific product, service, and hosting locations your FI uses are covered, and that the report type (SOC 1 vs. SOC 2, Type I vs. Type II) answers the question you are actually asking.
MISTAKE #6: Not recognizing outdated or inapplicable documents. Are the vendor due diligence documents you have up-to-date? Do they apply to the products your FI uses? Third-party vendors offer a large range of products and services. Not every document will apply to every offering. Your FI shouldn’t waste time reviewing reports about a data server in India if the vendor is keeping all your data on U.S. servers.
MISTAKE #7: Wasting time on fourth-party documentation. Not every one of your vendor’s critical vendors will impact your institution. Vendors may have documentation on 20 vendors when only a handful of them really matter to your operations. Only spend time on fourth parties that can critically impact your operations.
MISTAKE #8: Expecting all your vendors to complete questionnaires. Requesting that a vendor complete a questionnaire seems like a simple task, but it’s not—especially for larger vendors. Imagine if every one of your customers or members asked you to complete a questionnaire on data security or privacy. It would be an onerous burden. You would most likely just steer those customers to your published policies and procedures. Third-party vendors do the same thing.
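The classification, scope, and freshness checks behind mistakes #1, #2, #5, and #6 can be mechanized once a vendor inventory exists. The script below is an added example, not code from the article or any vendor management product: the tiering rules, the required-artifact lists, the maximum document ages, and the vendors themselves are all constructed assumptions, and a real program would take those values from its own policy and regulator guidance. It tiers each vendor from its access and function flags, looks up the artifacts that tier requires, and then flags each required artifact as missing, out of scope for the product the FI actually uses, or older than the policy allows.

```python
"""Vendor due-diligence coverage check (illustrative example; not from the article)."""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Tuple

# Assumed tiering policy: which artifacts each tier must produce, and how old an
# artifact may be before it counts as outdated. These values are constructed
# for the example; a real program sets them from its own risk appetite.
REQUIRED_BY_TIER = {
    "critical": {"soc2_type2", "pen_test", "bcp_dr_test", "infosec_policy", "incident_response"},
    "moderate": {"bcp_dr_test", "infosec_policy"},
    "low": set(),
}
MAX_AGE_DAYS = {
    "soc2_type2": 365, "pen_test": 365, "bcp_dr_test": 365,
    "infosec_policy": 730, "incident_response": 730,
}


@dataclass(frozen=True)
class Artifact:
    kind: str
    issued: date
    # Products the document explicitly covers; empty means it applies to all.
    in_scope: FrozenSet[str] = frozenset()


@dataclass
class Vendor:
    name: str
    product: str              # the specific offering the FI consumes
    critical_function: bool   # provides a critical bank function
    sensitive_data: bool      # has access to customer/sensitive data
    system_access: bool       # connects to FI systems but holds no sensitive data
    artifacts: List[Artifact] = field(default_factory=list)


def classify(v: Vendor) -> str:
    """Risk tier drives everything else (mistake #1)."""
    if v.critical_function or v.sensitive_data:
        return "critical"
    if v.system_access:
        return "moderate"
    return "low"


def review(v: Vendor, today: date) -> List[Tuple[str, str]]:
    """Return (artifact_kind, problem) pairs for a vendor's required artifacts.

    Only the tier's required artifacts are checked (mistake #2). An artifact whose
    scope excludes the product the FI uses is reported as out_of_scope (mistake #5);
    one older than policy allows is reported as stale (mistake #6).
    """
    findings: List[Tuple[str, str]] = []
    for kind in sorted(REQUIRED_BY_TIER[classify(v)]):
        have = [a for a in v.artifacts if a.kind == kind]
        if not have:
            findings.append((kind, "missing"))
            continue
        in_scope = [a for a in have if not a.in_scope or v.product in a.in_scope]
        if not in_scope:
            findings.append((kind, "out_of_scope"))
            continue
        newest = max(in_scope, key=lambda a: a.issued)
        if (today - newest.issued).days > MAX_AGE_DAYS[kind]:
            findings.append((kind, "stale"))
    return findings


# Constructed sample inventory; vendor names and dates are fictitious.
TODAY = date(2020, 7, 15)
VENDORS = [
    Vendor("CorePlatform Inc", "core-banking", True, True, True, [
        # SOC 2 covers a different product than the one the FI uses.
        Artifact("soc2_type2", date(2020, 3, 1), frozenset({"payments-gateway"})),
        Artifact("bcp_dr_test", date(2018, 6, 1)),          # older than 365 days
        Artifact("infosec_policy", date(2019, 9, 1)),
        Artifact("incident_response", date(2020, 1, 15)),
        # no pen_test artifact at all
    ]),
    Vendor("Property Insurance Co", "building-insurance", False, False, False, []),
    Vendor("StatementPrint LLC", "statement-printing", False, False, True, [
        Artifact("infosec_policy", date(2020, 2, 1)),
        Artifact("bcp_dr_test", date(2020, 5, 1)),
    ]),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name} [{classify(v)}]: {review(v, TODAY) or 'no findings'}")
```

Run as a script it prints one line per vendor; the low-risk insurer produces no findings because its tier requires nothing, which is the point of mistake #2, while the core-banking vendor surfaces a stale BCP test, a missing penetration test, and a SOC 2 report whose scope does not include the product the FI uses.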
Are your vendor monitoring and due diligence processes working efficiently? Now is the time to find out.