Vendor management can be an arduous, time consuming process. Most banks know their critical vendors. However, they are typically missing the proper tools and/or knowledge to accurately document their risk management review and to appropriately obtain the required due diligence information.
During the course of Porter Keadle Moore’s audits, we are typically asked the same questions by our clients regarding the vendor management process. We thought we’d share a few of these questions and our answers.
Questions & Answers
1. “Do I have to evaluate all of my vendors?” Unfortunately, the answer is yes. Until you have weighed each vendor against the various risk categories (more on that in a minute), it is difficult to say which vendors pose a risk to your bank or credit union. By including all of the vendors in this process, you may be able to identify risks and implement appropriate mitigating controls for risks not previously considered. For example, do you know what information your cleaning crew has access to and do you have a clean desk policy (that is enforced) to mitigate the risk?
2. “What should I consider when evaluating the risk of each vendor?” The answer is that each vendor should be evaluated against the various risk categories, which include, at a minimum, strategic, reputational, legal/compliance and operational/transactional risk.
Strategic risk is the risk that the vendor’s strategy does not align with the bank’s or credit union’s, or that the vendor is not capable of assisting the financial institution in achieving its strategic plan. Some questions to think about include:
- Is the vendor quick to market with innovative products and services to provide the bank or credit union with a competitive advantage?
- Does the vendor make it difficult to integrate best-of-breed products and services?
- Will the bank outgrow the vendor, or will the vendor even be around in five years?
Reputational risk is the risk that the vendor does (or doesn’t do) something that harms your bank’s reputation. Some questions to think about include:
- What if the vendor is breached?
- What if the vendor suffers a disaster or is otherwise unavailable?
- Does the vendor have controls in place to minimize the potential for errors that would be evident to your customers?
Legal/compliance risk can stem from a vendor that is not complying (either knowingly or unknowingly) with legal or regulatory requirements that put your bank at risk. Some questions to think about include:
- Does the vendor possess or have access to Gramm-Leach-Bliley Act (GLBA) information?
- Does the vendor maintain its patents?
- Does the vendor provide and maintain forms that the financial institution relies on for legal and/or compliance disclosures to customers?
Operational/transactional risk is the possibility that the vendor’s internal controls are not designed or operating correctly, which may result in financial misstatements, incorrect reports, or errors. Some questions to think about include:
- Does the vendor have a Service Organization Control (SOC) report conducted annually? Does it cover the actual services provided?
- If key applications are supported by the vendor, how do we gain assurance that program changes made by the vendor are correct?
- Does the vendor maintain proper staffing levels and provide cross training to ensure that ongoing operations can be achieved?
3. “How much information do I need to obtain to perform due diligence for my vendors?” The answer becomes easier once you understand what they do for you and what risks they pose. If your vendor risk assessment has concluded that your core processor has various degrees of high risk, then you should at least obtain a SOC 1 report, BCP testing results and financial statements.
For vendors that house or have access to non-public customer information, such as colocation facilities or online data backup providers, a SOC 2 report and financial statements might be sufficient.
For vendors such as your document destruction company, your due diligence may only need to include receiving signed confidentiality documents if you already have compensating controls in place, such as on-site destruction overseen by a member of your management team.
For some vendors, you might not need any formal documentation; rather, you implement (and periodically test) mitigating controls for vendors that have physical access to your facilities. For strategic risk, you may task your IT steering committee with periodically monitoring the vendor in light of the bank’s strategic plan.
In summary, if you know your vendors, understand the risks that they pose, and determine how to best evaluate them, you will be on your way to having a strong vendor management program.