Vendor ongoing monitoring is required by all of the major regulators as a fundamental practice in third party risk management. So, why is it often overlooked? What happens if you fail to monitor one of your vendors? And, what does successful ongoing monitoring look like?
What Third Party Risk Regulation States
The OCC Bulletin 2013-29 on managing third party risk clearly states:
“Ongoing monitoring for the duration of the third party relationship is an essential component of the bank’s risk management process. More comprehensive monitoring is necessary when the third party relationship involves critical activities. Senior management should periodically assess existing third party relationships to determine whether the nature of the activity performed now constitutes a critical activity.”
In January 2017, the OCC released Bulletin 2017-7, which restated and hammered into place the examination procedures associated with Bulletin 2013-29, as well as introducing new third parties which should be considered.
Yet, time and time again, you will find institutions lose interest or perspective after completing due diligence and doing the risk assessment.
I say that not as a casual assertion but if you review the numerous violations of UDAAP (Unfair, Deceptive or Abusive Acts or Practices), you’ll often see that the institution is cited for failing to appropriately oversee the actions of a third party.
What Happens If You Fail at It
Easy to understand but tough to do consistently, ongoing monitoring must be consistent, lest you miss a significant problem at a third party that gives rise to a UDAAP claim, such as the introduction of a new product without your institution's approval.
How to NOT Fail at It
Ongoing monitoring can take many forms and should be both risk-based and appropriate for the activity the third party conducts. For example:
- Customer listening might be appropriate for a call center, while retail mystery shopping would be more appropriate for a distributor of a prepaid card product.
- For your statement production company, you should have standards around accuracy and periodic testing to ensure they deliver.
- For your core processor, you need to look into system availability, reliable business processes and requirements to notify you of any outages.
Overall, monitoring must work seamlessly with the other pillars of third party risk.
- Make sure you're collecting the right due diligence documents
- Make sure there are applicable controls and reports
- Report ongoing monitoring results to senior management and board
- Any identified weaknesses should be documented and promptly addressed
Successful monitoring includes documentation, adequate staff and board and senior management support. It doesn’t have to be overly complicated, but it should be carefully documented and any concerns MUST be adequately addressed.
Don’t let your guard slip – keep monitoring those third parties. To learn more on oversight and ongoing monitoring, download our free infographic.