Third-Party Vendors & Compliance Risk: 10 High-Risk Compliance Situations & the Due Diligence Documentation Mistakes That Make Them Hard to Discover
The only thing worse than getting in trouble for making a mistake is getting in trouble when somebody else makes a mistake. That’s the situation financial institutions face when a third-party vendor acting on behalf of the bank doesn’t comply with laws and regulations.
Your bank may think its compliance game is strong, but if it doesn’t have a good vendor management program that risk assesses vendors, provides enhanced oversight of critical vendors, and actively monitors vendors for compliance, it’s got a gaping hole.
How can you tell if you need to be extra worried about third-party vendor compliance risk? Here are 10 situations where compliance risk is elevated:
- You aren’t reviewing third-party vendors and their products, services, and systems for compliance. When it comes to vendor compliance, ignorance isn’t bliss. Regulators will hold you accountable for your vendor’s actions. You need to know if what vendors are doing for you, or on your behalf, is compliant.
- Your third-party isn’t following applicable laws, regulations, ethical standards, or your own bank’s policies and procedures. When it comes to compliance, there is no such thing as an unimportant rule. If you find any evidence that your third-party vendor isn’t following every compliance rule or policy, that’s a sign there may be a bigger problem. Increased vigilance is a must.
- Evidence of unfair, deceptive, or abusive products or services. This is a compliance violation, so technically it falls under bullet point #2. But this is one area that deserves a line item of its own. UDAAP violations are one of the most common—and costliest—sources of enforcement actions. The regulatory agencies are on the lookout for UDAAP violations. You need to be too.
- Non-compliance with BSA and OFAC. Just like UDAAP, Bank Secrecy Act and anti-money launder regulations are a common source of enforcement actions. If there’s a possibility that your vendor isn’t following BSA/AML rules to the letter of the law, there’s increased risk. Transactions must be monitored for compliance risk.
- Violating intellectual property rights. If your bank is licensing or using technology that later is subject to a lawsuit for an intellectual property rights violation, you could find yourself as a defendant in the lawsuit even though you didn’t know. Make it your point to know. If there’s a possibility that your vendor doesn’t have the right to use or sell a technology or service, there’s an increased risk.
- Your bank lacks the resources needed for vendor audits and oversight. From a strong contract to expertise and personnel, your bank needs both the controls and the bandwidth to oversee and monitor your vendor relationships. If your bank doesn’t have the resources to dedicate to vendor management, especially of critical vendors, your compliance risk is elevated. This is especially true when entering new business activities or expanding existing ones.
- Your vendor outsources to subcontractors. Fourth-party risk is a real concern. Not only do you have to trust that your vendor is doing the right thing, but you also have to trust that it has a strong enough vendor management program to ensure its vendors are also doing the right thing—and that its vendors’ vendors are behaving too. The further critical activities are subcontracted, the greater the risk.
- Business is being conducted in foreign countries. If the vendor is conducting business activities in a foreign country on your behalf or customer and employee data is transmitted to foreign countries, your bank faces greater compliance risk. Foreign countries may have different economic, social, and political conditions that could result in vendor non-performance or data loss. This increased risk (known as country risk) means your bank will have to monitor the government policies and legal and social conditions as part of its due diligence.
- Conflicts of interest aren’t appropriately managed. You need to be sure your vendor is giving you objective advice and performing to the best of its abilities. You want it to look out for your interests, not just its own. Be on the lookout for signs that your bank’s best interests may not be the top priority. Is the contract written in a way that financially penalizes your bank for leaving but creates no accountability for vendor non-performance? Will your proprietary information be held in confidence? Is the CEO of a critical vendor married to the CEO of your biggest competitor? Does its board have a financial interest in a competitor? Does the vendor prioritize larger clients or industries over others? Make sure your vendor has and adheres to an ethics program.
- There aren’t sufficient data security controls to protect sensitive data. There’s no faster way to end up on the front page of the local paper than being the victim of a data breach that releases consumers’ sensitive information. If you find weaknesses in your vendor’s data security controls, you’re exposed to a lot of risk.
How do you know if your vendor’s are exposing you to elevated compliance risk? The answer is engaging in vendor due diligence, including collecting and reviewing due diligence documentation before signing a contract and throughout the duration of the third-party vendor relationship.
But it’s not as simple as it sounds. Banks frequently make mistakes with vendor due diligence documentation that waste resources, delay task completion, and expose the bank to increased vendor risk.
How? Here are nine of the most common due diligence documentation mistakes.
MISTAKE #1: Not classifying vendors correctly. Due diligence is based on risk. Third-party vendors that provide critical bank functions or have access to sensitive data require greater scrutiny and should be identified as critical, significant, or high-risk vendors (terminology depends on the regulator).
When a vendor isn’t properly classified, due diligence efforts may not align with due diligence requirements. There is no foundation for due diligence.
| IF YOU… | YOU MIGHT… |
|---|---|
| Classify a low-risk vendor as a high-risk vendor | Waste valuable time and resources requesting and reviewing unneeded documentation. |
| Classify high-risk vendors as a moderate or low-risk vendor | Fail to ask your vendor for sufficient documentation. |
| Fail to classify vendors | Complete either too much or too little vendor due diligence (and possibly both). |
MISTAKE #2: Assuming you need the same documentation from every vendor. You don’t need a SOC report from every vendor. Critical vendors, like those with access to sensitive data, require in-depth reviews while a property insurance company wouldn’t need that. Classifying your vendors, and doing so correctly, lets you know what level of documentation is needed.
MISTAKE #3: Assuming the vendor will know what you need. If you tell vendors you need due diligence documents, there is no telling what you might get, especially with smaller vendors. They might send you every policy and procedure they have, from data security to vacation request policies. Be specific and focus on areas like information security, business resiliency and disaster recovery, employee training, incident response, regulatory compliance, and independent testing.
MISTAKE #4: Not being able to identify relevant reports. Even when a bank classifies its vendor correctly, it may not be able to identify the exact documentation it needs. Many vendor portals have hundreds or even a thousand different reports, and just a handful of them will be relevant to your needs.
MISTAKE #5: Getting the wrong SOC report. Banks regularly download the wrong SOC reports, not realizing that the product they use isn’t included within the scope of the report.
MISTAKE #6: Not recognizing outdated or inapplicable documents. Are the vendor due diligence documents you have up-to-date? Do they apply to the products your bank uses? Third-party vendors offer a large range of products and services. Not every document will apply to every offer. Your bank shouldn’t waste time reviewing reports about a data server in India if the vendor is keeping all your data on U.S. servers.
MISTAKE #7: Wasting time on fourth-party documentation. Not every one of your vendor’s critical vendors will impact your institution. Vendors may have documentation on 20 vendors when only a handful of them really matter to your operations. Only spend time on fourth parties that can critically impact your operations.
MISTAKE #8: Expecting vendors to complete questionnaires. Requesting that a vendor complete a questionnaire seems like a simple task, but it’s not—especially for larger vendors. Imagine if every one of your customers or members asked you to complete a questionnaire on data security or privacy. It would be an onerous burden. You’d most likely just steer those customers to your published policies and procedures. Third-party vendors do the same thing.
MISTAKE #9: Expecting a quick turnaround from vendors. Some large vendors have thousands of clients. It can take them weeks to respond to requests for due diligence documentation. Be realistic when making requests and know that it may take a few months. It might even require asking more than once. Don’t save due diligence for the last minute.
Don’t let vendor due diligence documentation errors inadvertently expose your bank to increase third-party vendor compliance risk. Make sure you have the documents you need to uncover potential issues.