Fintech adoption will vary but the need to either staff a vendor risk management team with tech savvy expertise or engage the technical lines of business is important, as there is an increase in the use of tech heavy vendors.
It’s worth reviewing how tech will be monitored and the role which vendor risk management will play in the oversight. But if it comes out of the direct supervision of vendor management, then other areas of the business must pick up this responsibility.
The OCC and CFPB acknowledges that outsourcing to a third party is sometimes an efficient piece of the lending process. Careful consideration should be given on how vendor management will implement their standard oversight procedures on any offshore vendors. BCP, DR, Protection of NPPI are all magnified risks due to the simple fact that the vendor’s operation may not be easily or readily accessible.
The CFPB has made it obvious how to build a good oversight program. We know that merely performing an annual audit is very much like closing the door after the horse has bolted. A lot can happen during a year. Litigation, bankruptcy, data breaches, mergers and acquisitions can be expected to pop up during oversight reviews.
So, here are some vendor management best practices that remain consistent and should be used:
- Oversight begins at pre-contract. Get to know your vendor.
- Develop ongoing monitoring - this can be achieved by scorecard calls or online services monitoring the vendor.
- Transition to the annual audit function.
- Use common sense, if a vendor appears to be presenting a heightened level of risk to the organization, increase the level of oversight, moving it from an annual to quarterly or bi-yearly review.
- Monthly check ups will go a long way to keep the vendor in check.
- Escalate. This is often an oversight in vendor management. Engage senior leadership when your current vendor relationship or performance is not meeting your requirements.
- Vendor managers should be familiar with the product and service.
- Adopt a regular review of CFPB complaints and Enforcement Actions. The key here is to take a holistic approach to oversight.
- For an enforcement action to come about, there’s usually a number or a pattern going back to complaints or findings which were identified during an audit. Investigate to stay ahead.
There’s no doubt that the importance of vendor risk management in the non-bank lending space will increase. Make sure to implement these best practices into your vendor risk management program.