How Much Vendor Oversight Is Enough?

While vendor risk management and compliance in general could be perceived as being a cost center, we often hear from clients who ask this one question which causes a pause...how much is enough oversight? It’s a valid question and deserves a thoughtful response. There are a couple of approaches and scenarios we’ll explore.

Scenario 1

I’m a mortgage lender who was recently acquired by a bank. I’m regulated by the CFPB and my parent company follows the OCC guidance. How do I design my oversight program?

• This is a great question and really hinges on the overall risk approach that both financial institutions are taking. Put simply, an approach that takes the best of both worlds offers the most balanced perspective. The examiner must consider best practices from both regulators. A word of caution though, they may be biased based on who they are representing.

Overlap

• It’s worth noting that the CFPB guidance on third party service providers is based on the original guidance set out by the OCC. The OCC guidance is considered the gold standard when it comes to vendor oversight practices. A best practice as you tackle the requirements is to identify what the key components of each regulatory guideline are, then find the commonality and overlap and then use those as what we call your foundation.

Highlights

• When a guideline from one agency seems more stringent than the other then consider those something of a hot topic. Consider how they can be incorporated into your policy and procedures. If another area is discussed and is omitted from the other then perhaps these should be considered as the cherry. From a high-level view, this would appear to be a thoughtful and considerate approach to the vendor oversight requirements which would satisfy both agencies.

Scenario 2

There’s always deregulation chatter. Can’t I just wait for the regulations to change and dodge the oversight bullet?

• This may play out to become a reality. But here is the crux of the issue…if we have learned anything of the financial crisis of 2006-2008 is that consumers went through unprecedented levels of hardship, and in many cases, financial ruin. 

If your organization is truly focused on customer service excellence and creating a customer for life culture, then why as an organization would you cut corners on areas which are instrumental to your success?

Questions to Consider:
If regulations were to be rolled back pertaining to vendor oversight, would that mean:

• Risks to NPPI would diminish?
• Would service levels no longer matter?
• Cybersecurity risks cease?
• The financial viability of your vendor partners is no longer important?
• Does reputational risk, operational risk, financial risk all decrease simply because there is no regulation mandate in place? 

So Where Does That Leave Vendor Oversight?

From this vantage point, vendor risk management has a legitimate role in adding value and minimizing risk for the organization. While regulations may come and go, the risks that we face today are unlikely to fade away. 

Put simply, if a vendor serves as a key component of your operation then they are by all accounts an extension of your operation, meaning that it would be prudent to ensure that they operate and serve your clients as you would wish them to serve and fulfill their obligations in the same manner that your internal operations would serve your customer.

If we return to the original premise, what is enough oversight? The clearest and concise approach is to take the basics of oversight – initial due diligence, ongoing monitoring and annual assessments and scope out what is really important to review for each vendor (SOC, business continuity plan, disaster recovery, financial, regulatory compliance).

In addition, vendor products and services vary. While one vendor may have access to NPPI but aren’t consumer facing, others such as a mortgage servicer not only has access to client information, but is also directly interacting with them. Therefore, oversight should be tailored to address the risks and concerns of each vendor to the organization. 

Adherence to oversight ultimately comes down to your organization’s compliance culture. Am I doing this because I am mandated to or am I implementing these best practices to protect my consumer and the future longevity of my brand?

Build a vendor risk questionnaire based on vendor risk data in 2019. Download the whitepaper.