BID® Daily Newsletter
May 6, 2016

Vendor Risk May Not Be What It Seems


Charley Parkhurst was an unlikely stagecoach driver if ever there was one. Having grown up in an orphanage in VT, Charley ran away at the age of 12. He took a position as a stable hand, learned about horses and how to drive stagecoaches led by teams of up to six horses. He eventually moved to CA at the height of the gold rush and took a position as a stagecoach driver. He landed the nickname "One Eyed Charley" after a kick from a horse resulted in blindness in one eye. Old One Eyed Charley eventually became one of the best stagecoach drivers in the country and it wasn't until he died that it was discovered he was actually a woman--now that is a Wild West story if ever there was one.
The story of Charley reminded us of the fact that things aren't always as straightforward as they seem in banking either. For community banks, personnel and resources are limited, so outsourcing is common. This is particularly true of IT departments and tasks. Not only is outsourcing often cheaper than bringing on a full-time in-house specialist, it can also give community banks the opportunity to be more nimble when it comes to adopting newer technologies (although this is very contingent on core systems, which may not be flexible).
Banks know that when it comes to such IT outsourcing (and really any outsourcing activity), your partner is critical because they are a vendor and that means they fall under vendor risk regulatory guidance.
Contracting with just any third-party service provider can also expose your bank to unintended risks and leave you open to potential problems down the road. Because of this possibility, it is important to do significant due diligence on any potential third-party providers your teams may be considering before you hire.
One of the most important things to know is whether or not any vendor you may work with is financially viable. As a bank you are expected by regulators and shareholders to review the financial statements of anyone you may do business with. Shockingly, many banks we know skip this step when outsourcing certain tasks only to find out later that firms they are working with may have very little capital or viability. The simple thing to do here is to ask your credit team to look at the financials and answer the question--would I make a loan to this company? If not, move on; if so, proceed to the next part of the due diligence.
It is also important to understand the risk to your bank of any sort of vendor relationship, including outsourced activities. Ranking vendors based on risk to your bank is mandatory. This doesn't have to be complex, but it should be done and then periodically updated as time goes by.
Another off-the-beaten-path area you might want to consider is what kind of training the employees of the third-party IT provider receive on the requirements that banks must adhere to. Here you want to know how frequently that training is updated and ensure it covers such areas as privacy controls for customers, cybersecurity, database management, documentation and even storage. If your vendors are up to speed then they should help keep your bank up to speed, in theory.
Yet another area to consider is whether or not a third-party provider has adequate infrastructure in place to provide ongoing, uninterrupted support and what kind of plan and backup services are in place to deal with any potential failures. While any service interruptions, delays or problems may be the fault of your service provider, in the eyes of your customers the problem lies with your bank. Be sure you know whether vendors conduct background checks on employees and whether they subcontract work that could potentially expose your bank.
There is a lot more you can do when conducting due diligence on vendors and outsourcing, and community banks must embrace such options to keep costs contained and roll out new services. However, as beneficial as outsourcing can be, it makes sense to spend more time up front doing proper due diligence rather than end up with the wrong service provider and potentially harm your bank and its reputation. As we found out with Charley, things are not always the way they appear.