New federal guidance for third-party risk management may be on the horizon.
Elevated regulatory expectations for identifying and addressing the risks inherent in vendor relationships are at the heart of proposed guidance recently unveiled by federal banking agencies—a sign that credit unions should also prepare for increased scrutiny.
Enacting this guidance shouldn’t rest solely with compliance officers. Instead, it will require a more rigorous partnership among IT managers, compliance and risk management professionals, and the business owners of vendor-provided services.
These guidelines are intended to respond to ever-widening risks threatening the technology-reliant financial services industry, as demonstrated by real-life emergencies keeping corporate executives and IT teams awake at night. CUs are not immune to cyberattacks like the one that shut down Colonial Pipeline this spring and led to panic-driven gas shortages. Sophisticated ransomware attacks that stretched across supply chains turned software developers SolarWinds and Kaseya into cautionary tales.
Contingency planning today must reach well beyond natural disasters and terrorist attacks. Interconnected systems crashing at the hands of bad actors in the cybersecurity realm amplify the urgency of not only thoroughly vetting vendors but also drilling down to their subcontractors and the systems on which they rely.
Emphasis on Consumer Impact
The “Proposed Interagency Guidance on Third-Party Relationships: Risk Management” was issued in July by the Federal Reserve Board, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency. The 92-page document acknowledges that “banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs.” At the same time, it emphasizes that this increased reliance on third-party providers poses a variety of risks, from the potential for substantial financial loss to an overreliance on a single vendor for operations and service delivery.
The proposed guidance addresses vendor risk management throughout the life cycle of these relationships: incorporating risk management into strategic planning, enhancing vendor selection due diligence and contract negotiations, stepping up management and board oversight and conducting independent reviews of vendor performance, continually monitoring service delivery, and developing contingency plans for ending relationships without disrupting operations.
A close reading of this guidance uncovers a subtle but potentially profound shift in emphasis. CUs have been operating for years under extensive and well-established regulatory oversight centered on the reliability and resilience of third-party technology, with a heavy focus on data center operations, information security and vendors’ financial health.
The proposed guidance provides a stronger framework for addressing the impact of third-party systems and services on financial consumers. A fundamental aspect directing risk management efforts is how third-party systems “could have significant customer impacts” on service delivery, data confidentiality, security and integrity, and complaint resolution, according to the current draft.
In that respect, the guidance reflects the Biden administration’s stated commitment to an even greater focus on consumer-friendly financial services. That expectation broadens the third-party risk management responsibilities of financial institutions to encompass questions like: Do vendors have strong consumer protections in place? Are the services they deliver consumer-friendly? What fail-safes are in place to protect the privacy and security of consumer information?
In assessing how well their current third-party risk management practices meet these new recommendations, many CUs may identify the need to formalize broader ownership of vendor relationships and enhance their risk analysis. Too often, these responsibilities fall solely on risk management and IT, with little involvement by the business owners who oversee the everyday use of myriad systems. The managers of the CRM system, mortgage origination system, and systems supporting online and mobile service delivery, to name just a few examples, should be more engaged in monitoring the strength and security of those vendor relationships.
This team approach is necessary to move beyond a check-the-box routine based on a view that risk management can be achieved by collecting from vendors the information required to pass regulatory muster. Going forward, examiners will be looking for ongoing, visible analysis of vendor relationships with a keener eye toward the impact on member service of all systems, especially in the areas of information privacy, systems resiliency and contingency planning.
The transition to operating in the cloud, with systems ranging from Microsoft Office to Salesforce to loan origination and core processing, complicates risk analysis and makes it even more necessary. Reliance on cloud-based systems has created a broader network of business partners, which in turn expands the realm of third-party risk management and the difficulties of ensuring business continuity. Failure to ratchet up risk analysis alongside this increasing complexity—and to document those analytical processes and results—may land credit unions in the penalty box with regulators. That’s never a good place to be.
Formalizing vendor relationship management across the CU will necessitate professional development for many managers and executives. Today, every manager must be a project manager, a risk manager, a talent manager and a process improvement manager.
Stronger vendor management also involves front- and back-office staff working toward the goal of making processes more scalable. Striving for process maturity simplifies risk assessment compliance by reducing or eliminating information moving about manually. It’s time to replace information sharing through email attachments and Excel files. CUs are less subject to human error when they rely on repeatable processes supported by secure technology.
Vendor risk management falls short when credit union leaders assign this responsibility to only the risk management group and IT. The evolving regulatory expectation is for a three-way partnership among business owners, IT and risk management involving regular interactions around major vendor relationships and risk assessment workshops. And documentation of this new operating cadence is critical, so CUs can demonstrate that these discussions and analysis are happening. Examiners want to see that financial institutions are doing the hard work and thinking required to manage the risks presented by third-party relationships.
Challenges Across the Movement
Operationalizing this new regulatory regimen will pose challenges for credit unions across the spectrum of asset size and organizational complexity. More financial cooperatives will be crossing the $10 billion threshold over the next five years, which will expose them to a harder grading curve for regulatory compliance in terms of the quality and scope of their vendor risk assessments. The expectations from the National Credit Union Administration’s Office of National Examinations and Supervision for risk assessments by the largest CUs are quite rigorous.
As credit unions grow in asset size, so does the regulatory expectation for their commitment to third-party risk assessment and management. The larger the institution, the better it can afford the costs of staffing an experienced risk management team. But even in those larger organizations, the business units working most closely with vendors should form the first line of defense against cybersecurity, business continuity, service delivery and financial risks—with support from the risk management group and auditors as, respectively, the second and third lines of defense.
Vendor risk management is proportionally more difficult for the nation’s largest CUs, given the scope and complexity of their business partner arrangements. According to NCUA data, the number of federally insured credit unions in the U.S. with $1 billion-plus in assets is approaching 400.
At the other end of the size spectrum, though, many credit unions will struggle to meet heightened expectations for vendor oversight. Given their limited resources, most are already burdened with the costs of regulatory compliance. To comply with the anticipated next round of guidance, smaller CUs will either need to tap into outside resources or invest in internal staff development. Either way, this is yet another fixed cost of running a regulated financial institution in the 2020s that will continue to put pressure on achieving the necessary scale to survive and thrive—one more marker of the difficulty of being a relatively small player in a complex, tech-driven, heavily regulated industry.
Enhancing Vendor Management
Beyond the primary stated goal of threat reduction, enacting the letter and spirit of the anticipated regulatory guidance should offer a business benefit to credit unions in their vendor relationships.
Third-party risk management doesn’t need to be antithetical to financial performance and cost-reduction goals. Among the gains of effective vendor management should be closer relationships with major business partners that open the door to improve quality of delivery, costs and contract management and to dig into their future road map of services and commitment to continued innovation.
In short, risk management should not be viewed solely as a cost. A significant benefit of working more closely with vendors to alleviate threats should be opportunities to engage on the level of service they’re providing now and on what their development plans will be mean for the credit union in the future.
These regular interactions monitoring the health and compliance of vendor relationships should ultimately roll up to the executive level. Credit union leaders regularly review budget reporting and loan growth and delinquency snapshots, but very few executive teams receive updates on vendor performance. They should.
Do the CFO, the COO and the HR leader at your credit union know which business partners are delivering on expectations and which are not? Do they know how much various vendor relationships cost? Which third-party systems and services are central to the strategic road map and need to dial into the organization’s development? Is the executive team discussing to what extent the credit union is optimizing all the capabilities supported by its vendor systems? The byproduct of enhanced third-party oversight can be better vendor relationship management to drive business goals while simultaneously meeting regulatory requirements. cues icon
Steve Williams, CIE, is president of and partner in CUES Supplier member and strategic provider Cornerstone Advisors, Scottsdale, Arizona.