Regulatory guidance and sound business practices dictate that your financial institution should thoroughly analyze a vendor's operational and compliance standards. This step is essential to ensure that they have the proper controls in place to protect the interests of your financial institution and your customers. These should include appropriate risk-based safeguards to ensure sufficient regulatory compliance specific to the product or service provided.
Our experienced third party risk management team can review your vendor’s policies to ensure they are in compliance with both the regulatory guidance and best industry practices. This service is designed for your critical and/or high risk vendors.
If you are not a subject matter expert on operational standards or regulatory compliance requirements for the many types of vendor services currently available in the market it can be a bit daunting when trying to assess the different vendor operational requirements. Vendors are not created equally and therefore it is important that the assessment approach is based on the specific vendor product or service. For example,. A credit reporting company offers different products compared to that of an Appraisal Management Company and also works to a different regulatory compliance standard.
At Venminder, we have a highly trained and qualified staff of Vendor Managers who not only have audited many types of vendor services but have sat on your side of the business and have used many of the same vendor products and services.
One of the real advantages of having our team involved is the visibility into best practices we’ve learned across multiple banks and credit unions, through our work with a wide variety of clients, our years of “inside the institution” experience, and participation as invited expert speakers at industry conferences.
The guidance requires you to collect due diligence documentation and one of the important pieces is to be able to provide documentation supporting the operational health of your vendors operating environment.
What will the examiners want to see?
The OCC guidance, specifically Bulletin 2013-29, is considered to be the gold standard and the most informative – here’s the appropriate excerpt from the due diligence section of OCC Bulletin 2013-29
"A bank should conduct due diligence on all potential third parties before selecting and entering into contracts or relationships. A bank should not rely solely on experience with or prior knowledge of the third party as a proxy for an objective, in-depth assessment of the third party’s ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.
The degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship. More extensive due diligence is necessary when a third-party relationship involves critical activities. If the bank uncovers information that warrants additional scrutiny, it should broaden the scope or assessment methods of the due diligence as needed."
Save Time: We do the tactical work of reviewing the many different policy and procedures regarding a vendors operational and regulatory compliance standard. Leaving you time to focus on the strategic decisions required based on those results.
Cost Effective: Adding qualified Full Time Employee's (FTEs) is expensive. Existing qualified FTE's are stretched thin. Our staff can fill your resource gaps at a fraction of the cost.
Experience: Our reviews are performed by trusted Vendor Management professionals who take deep dives into your vendor's policy and procedures documents to call out findings and concerns. To identify risks you must be able to identify what is omitted from a policy and procedure manual. We have the expertise to join up the gaps.
Confidence: Policy and Procedure files can be complex and voluminous. It's imperative to understand the contents and any risks identified. Our reviews ensure you never miss anything important regarding the security and safety of your (and your customers or members) data.