Inside a Big Bank’s $60 Million Fine for Vendor Mismanagement

Earlier this year the Office of the Comptroller of the Currency hit Morgan Stanley with a $60 million civil money penalty for faulty vendor management practices that potentially exposed sensitive customer data. The bank also faces seven class-action lawsuits accusing it of negligence.

What went wrong and how do you avoid the same fate? Read on to find out.

What Went Wrong?

In 2016 Morgan Stanley closed two data centers. The bank hired a vendor to remove its data from the decommissioned computer equipment. Morgan Stanley later learned that some of the machines still contained some unencrypted data—a fact the OCC made the bank share with customers in a letter earlier this summer.

The OCC says Morgan Stanley failed to oversee the decommissioning process, neglecting many steps of the vendor management lifecycle. More specifically, the bank failed to:

  • Effectively assess or address the risks associated with the decommissioning of its hardware
  • Adequately assess the risk of using third-party vendors, including subcontractors
  • Maintain an appropriate inventory of customer data stored on the devices
  • Exercise adequate due diligence in selecting the third-party vendor
  • Adequately monitor the vendor’s performance

If that weren’t enough, Morgan Stanley did it again. In 2019 the bank “experienced similar vendor management control deficiencies” when decommissioning devices, the OCC says.

Breakdowns in the Vendor Management Lifecycle

Let’s take a closer look at where the vendor management lifecycle broke down.

Risk Assessment

Bankers know they need to identify critical vendors. These are vendors that present a high level of risk because they have access to sensitive data or could have a major impact on consumers or bank operations if they failed.

But what Morgan Stanley forgot is that it’s also required to identify and assess the risks of outsourcing an activity before selecting a vendor. A financial institution needs to know its risk appetite and assess whether the costs, benefits, and risks of outsourcing an activity align with its overall strategic goals and objectives. It’s basic enterprise risk management (ERM). In this case, the activity outsourced involves protected data, making it a high-risk activity.

It’s also a question of resources. A financial institution needs to assess whether it has the systems and staffing in place to ensure appropriate oversight of vendor relationships. In the case of Morgan Stanley, its large size and deep pockets might have given it a false sense of security. Despite its vast resources, its vendor management failed.

Due Diligence

Is the third-party vendor you’re considering hiring capable of doing the job safely and reliably while remaining compliant with all applicable laws, regulations, and policies? These are the questions due diligence should answer. The more risk a vendor presents (i.e. critical vendors), the deeper the diligence should go.

Areas to review include the vendor’s financials, experience, legal and regulatory knowledge, reputation, operations, and internal controls. The results should be reported to the board to inform their decision making.

While Morgan Stanley’s consent order doesn’t go into great detail on what happened, it’s clear that the third-party vendor the bank hired to help with the decommissioning had less-than-satisfactory internal controls. Maintaining an inventory of machines in its custody and ensuring all data was removed was a basic duty. This means the mistake was not a small oversight. It’s a fundamental flaw.

Contract Negotiation

Contracts should outline the rights and responsibilities of both the vendor and the financial institution, yet the consent order suggests at least one key area of contract management was overlooked: outsourcing.

Unless a contract specifically prohibits outsourcing or requires the vendor to inform the financial institution of any outsourcing arrangements, vendors are free to outsource to other vendors. The fact that the OCC specifically calls out Morgan Stanley for not assessing the risk of using third-party vendors, including subcontractors, suggests that this problem may have stemmed from a fourth-party vendor.

A contract should also include specific information about reporting, including audits and performance. Failure to include these may have led to problems with vendor oversight and ongoing monitoring.

Ongoing Monitoring

Initial due diligence is not enough. Financial institutions must also engage in ongoing monitoring. This includes monitoring the strength of the vendor’s internal controls, its compliance with legal and regulatory requirements, and its fulfillment of service-level agreements, performance metrics, and other contractual terms. Controls should be regularly tested and significant findings should be documented and reported. Critical vendors should be risk assessed at least annually.

The OCC says Morgan Stanley failed to adequately monitor the vendor’s performance.

The vendor management lifecycle is supposed to ensure strong vendor management. When conducted properly, it provides many opportunities to uncover and mitigate risk. Yet it appears no one was watching this vendor. No one used a vendor management process. Instead, this task was handled carelessly—as though the bank were taking out last week’s leftovers instead of disposing of critical data.

How strong is your financial institution’s vendor management program? Do you have a centralized approach to vendor management? Is your staff—including IT and operations—aware that hiring a vendor is about more than cost and that there is a process to follow to ensure the safety of your institution?

Don’t wait for an examiner to uncover vendor management deficiencies. Make sure your financial institution is consistently applying vendor management across your institution.

8 Vendor Management Practices Examiners Are Looking for

How do you know you’re doing enough to manage third-party vendors compliantly? Here are eight vendor management practices examiners are looking for.

  1. Documented processes. Vendor management isn’t an ad hoc activity. It’s a thoughtful, strategic exercise in keeping your financial institution and the customers, members, and consumers it serves safe. Examiners expect to see a documented plan for managing vendors and ensuring they remain compliant.
  2. Identification of compliance risks. It’s hard to guard against a risk if you don’t know it exists.
  3. Ongoing vendor management and compliance risk management. Just because a vendor is compliant today doesn’t mean it will be compliant tomorrow. There needs to be ongoing monitoring of vendors to determine if anything has changed that would impact their ability to remain compliant—including keeping up with regulatory change.
  4. Justification for decisions, including how risk is identified, managed, and mitigated. Why did the FI decide to outsource? Why are vendor management and the compliance management system structured the way they are? It’s not enough to simply have policies and procedures. Examiners want to see the logic behind it. If you can’t make a good business case for your decisions, it can call your whole program into question.
  5. Resources to analyze reports and carefully negotiate and track contracts. One of the reasons FIs outsource to vendors is because they don’t have the internal resources to accomplish a task—but that doesn’t mean an FI won’t need to expend any resources on that activity. When calculating the costs and benefits of outsourcing to a third-party vendor, don’t forget to include the resources necessary to oversee the vendor and analyze reports as well as contract management. These resources are essential to a compliant vendor relationship.
  6. Vendor management ties into the CMS. Vendor management and the compliance management system work best as a pair. Compliance wants to be certain that vendors are compliant. Vendor management wants to know the rules and regulations vendors need to be following. If the two areas aren’t linked, they can end up duplicating each other’s work—or an important element may get lost in the shuffle.
  7. Evidence of board and management oversight. Vendor management is such an important issue that the board and management need to be involved, especially when it comes to critical vendors. Make sure you document board meetings, minutes, and reports dealing with vendor management.
  8. Understanding of how vendor selection ties into ERM. Outsourcing to a vendor isn’t just a question of resources and convenience. It’s about strategy. Risk plays an important role in ensuring that an institution’s mission, vision, and values influence an institution’s strategy, strategic plan, and ultimately its strategic success. Selecting a vendor is about aligning the benefits of the vendor relationship with the FI’s risk tolerance.


Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management solutions. His extensive background in legal and regulatory matters has afforded him unique insights into solving operational risk management challenges and drives Ncontracts’ mission to efficiently and effectively manage operational risk. During his legal career, Mr. Berman was involved in numerous regulatory, compliance, and contract management challenges and assisted in the development of information systems to better manage these efforts. Prior to founding Ncontracts, he was General Counsel for Goldleaf Financial Solutions, Tecniflex, Inc. and Imagic Corporation. Mr. Berman is a well-regarded speaker at financial institution conferences on risk management. He received his undergraduate degree from Cornell University and holds a J.D. degree from the University of Tennessee.