Third-Party Risk Management - How Does the Vendor Perceive It?

As part of our Venminder Thought Leadership interview series where we speak to experts in-housing finance and vendor service providers, we recently had the opportunity to sit down with Suresh Ramakrishnan of Ascendum Solutions.

Ascendum is a mortgage fulfillment provider of IT technical expertise along with specific mortgage process outsourcing services. Venminder has spoken at length regarding the regulatory requirements of third-party risk management, so we thought it would be interesting to go deeper into the subject and explore third-party risk management from the vendor perspective who not only provides services to financial institutions but also must manage the numerous and varied vendor management requests. You can listen to the full interview here.

Suresh Ramakrishnan Interview Highlights

During our time, we covered:

• Outsourcing opportunities and benefits
• Outsourcing risk
• The perception of outsourcing to offshore vendors
• Due diligence and the differences between maturity levels

Outsourcing Opportunities, Benefits and Risk

Suresh shared that not every executive will see the outsourcing solution as a valuable addition to the organization, but he's beginning to see a shift in opinion. As interest rates appear to be on the rise and we approach the historically robust housing season, you might experience a seesaw of having to quickly ramp up the full-time employee (FTE) headcount and manage the volume through turn-time service levels while not impacting efficiencies. Outsourcing can certainly help manage those risks by helping to control costs and leverage different labor markets.

As with anything, early adopters of technology or services see the value add for the long term and for the late adopters of the outsource mentality, there remains challenges that need to be overcome such as:

1. A loss of control and disconnect between the client/provider relationship
2. A fear of a lack of data security

Both are valid concerns, but as part of the pillars of third-party risk management, the first line of defense is managing Service Level Agreements (SLAs) and frequent, regular communication and robust due diligence, which helps address these concerns. While outsourcing provides numerous value adds, no one is suggesting that it doesn’t require oversight.

As reflected in our Venminder survey and whitepaper, The State of Vendor Management, which can be found here, there are many different sized institutions who all have various levels of maturity in their approach to third-party risk management. Suresh also validated this information with his own observations. He noted that raising awareness was a key factor in helping clients mature their vendor management process and practices and highlighted that in terms specific to the vendor oversight process, which includes assessments of financials, SOC, BCP and DR plans, he sees a mix of the third-party risk management outsourced and managed internally.

This wasn’t a surprise, but what was a cautionary note was that some institutions may still have an adhoc approach and may only focus on a primary vendor, such as a loan origination system. I've certainly seen this approach in my early career, but given the intensity that regulatory agencies have highlighted, these days may be numbered. The importance of validating information cannot be overstated here. Bottom line is if you have an adhoc approach to third-party risk management and discount other vendor services, you will unlikely pass muster with the OCC, SEC, CFPB and your state regulator come examination time. And make no mistake, the examiners are coming.

Outsourcing to Offshore Vendors

Ascendum operates both from within the US and offshore in India, so this was an appropriate time to ask about offshoring. Specifically, does the offshoring of a service get a bad rap? Suresh offered up some crucial factors which are often overlooked by US firms who outsource. We’ve participated in many onsite audits of vendors and to this day we have only witnessed one vendor in the US which had similar security protocols that Suresh described.

These data security protocols included:

• A true paperless environment.
• No pens or pencils. After all, there’s no paper!
• USB ports removed on computers. No downloading.
• Cell phones are required to be stored in lockers outside of the main working area. Social media scrolling can wait.

If you take a minute to look at your own institution or vendor service, consider if you have these controls in place. The concept of BYOD (Bring Your Own Device) certainly raises an additional concern where staff may have access to NPPI and snap a picture to capture data. Verifying this type of security control is a good practice to add to your assessment.

Trust But Verify - Why Is This So Important?

Traditionally, due diligence has been an annual assessment activity but, increasingly, we are seeing a lot of institutions request a vetting of a potential new vendor up front. Finally, it would seem that before you commit to a legally binding contract, you may want to confirm if the vendor is your perfect match.

Suresh expressed the same perspective as he's seeing an increase in this type of request both from potential clients and vendor management firms who perform this service. A key takeaway was the concept of trust but verify.

Collecting due diligence documents is often reported as one of the most difficult and time-consuming activities faced by a vendor management department. It struck us as odd that after such a colossal effort that simple items such as a reference check, by calling other clients who currently use the vendor to confirm their experience, hear potential concerns and any other feedback they’d like to share, would be an activity which is put on the back burner. Remember to always verify, verify, verify!

Outsourcing, if managed correctly, can provide strategic advantages and greater efficiencies to your organization. Thank you to Suresh Ramakrishnan of Ascendum Solutions for sharing his insight and expertise with Venminder.

A way to protect yourself in the contract phase of a vendor relationship is by using SLAs. Learn more by downloading our infographic.