QUESTION
Our vendor management policy covers a lot of review criteria to decide if a service provider presents a risk to our company. As the Chief Compliance Officer, I have thought that we are weak in handling such risks.
Recently, this issue came to a head when I determined that a vendor’s system was failing and posed a material risk. After considerable review, I decided the relationship must end. Although I thought we were adequately covered for responding to material risks, it seems otherwise.
And I have also gotten a huge amount of pushback from one of our departments since they claim to be dependent on this vendor. They are demanding that I keep the relationship and allow this service provider to stay active.
What type of review is involved in determining material risk?
In the face of substantial material risk, what should I do to keep the relationship active?
ANSWER
I understand the challenge. I really do. You may have gotten pushback, but compliance and diplomacy are sometimes at odds. There is a diplomatic way of enforcing compliance. The best way is to present the evidence in support of your decision. Most people can recognize a threat, especially a material risk, which could affect the company's overall risk profile. You can take the position that an explanation is not needed. But that won’t work in the long run. Your colleagues, both rank and file, are your eyes and ears, and you want them to keep you informed. You want them to recognize your total commitment to complying with banking law.
Our Vendors Compliance Group (VCG) gets calls all the time from clients who are confronted with the potential for significant material risk posed by service providers. Our approach to vendor due diligence is hands-on, which means we personally review each vendor’s documents and history, and then we issue a report. So, clients intuitively come to us to discuss their concerns, knowing that we are already familiar with their level of risk tolerance. If you want to discuss your vendor due diligence needs, please contact us. We will respond promptly.
I could write a treatise on the definition of “material risk.” Often, the term is defined in the relationship agreements between an organization and the vendor. Let’s keep the definition short for the sake of brevity: “material risk” as a designation in the regulatory context means anything that has a substantive impact on an organization's overall risk profile, such that the risk criteria are significant enough for the source of the risk to be managed deliberatively. Well, I guess that was not so brief, but I did say I could write a treatise on just the definition itself!
From the regulatory point of view, certain kinds of material risks are dauntingly threatening to a financial institution. I think there are at least four ways to respond to this threat level, especially when a vendor presents high material risk, to wit:
1. Assessing the vendor's capacity to perform the assigned task in a compliant fashion;
2. Seeking representations and warranties from the vendor regarding compliance with applicable laws and regulations;
3. Seeking the right to audit the vendor's compliance with applicable laws and regulations; and,
4. As appropriate, engaging in training or other activities designed to inform vendors about compliance issues of the organization.
I am going to take each of these responses in numerical order.
1. Assess the vendor's capacity to perform the assigned task in a compliant fashion.
Outsourcing arrangements, such as vendor relationships, are central to many business activities. While these arrangements can be highly beneficial, they also present significant compliance risks. The vendor's activities may be attributed to the organization, resulting in it being exposed to regulatory sanctions.
Vendors may also have access to nonpublic information (NPI) obtained from an organization, exposing the organization to the risk that the vendor will commit data breaches or violations of privacy requirements.
Sometimes, there are business partnerships involved that are technically vendor relationships too. Valuable as such partnerships can be, they also expose organizations to significant risks of compliance breakdowns caused by the business partner. Accordingly, business partner relationships present critical compliance challenges for organizations.
An essential step in dealing with these challenges is to assess the vendor's capacity to perform the assigned task effectively and reliably. This assessment process involves both a review of the counterparty's potential vulnerabilities and the organization's vulnerabilities. In my experience, a compliance breakdown is most likely when the shortcomings of both parties create gaps in controls that allow violations to occur.
In assessing a proposed vendor in the context of material risk, you can review a variety of information, including on-site due-diligence examinations; checklists and evaluation tools; interviews with a proposed counterparty's key personnel; analysis of the proposed counterparty's information-security plans and procedures; and review of audit reports and certifications maintained by the proposed counterparty. Always maintain records of this vetting process and the reasons for selecting a vendor or business partner.
2. Seek representations and warranties from the vendor regarding compliance with applicable laws and regulations.
Your organization should, as appropriate, seek representations and warranties concerning the vendor's compliance with applicable laws and regulations. These may include representations regarding the vendor's compliance policy and program, internal controls, compliance training programs, and other matters. The representations can include affirmations by the counterparty that it complies with applicable laws and regulations and commitments to notify the organization if the vendor is charged with violations in the future. You may also want to seek an obligation by the counterparty to promptly repair or remediate failures in the vendor's system that may subject the organization to compliance liability.
3. Seek the right to audit the vendor's compliance with applicable laws and regulations.
The organization confronted with significant material risk issues may seek the right to monitor the vendor's compliance with applicable laws and regulations. The subject matter to be observed, and the monitoring methodology, depend on the facts and circumstances and should be designed according to a compliance risk assessment. If you do not have such a risk assessment, my firm provides such assistance. Please contact us for information.
In certain cases, it is sufficient for an organization to require the counterparty to keep books and records of services rendered and make these available for review. In other cases, the organization may need to engage in more intensive monitoring, for example, by obtaining the right to receive reports of auditors of the counterparty. And there are cases where an organization may seek the right to perform on-site audits of the provider's internal controls and procedures.
Whether the organization needs and can obtain such contractual commitments depends on factors such as the criticality of the vendor's services, the costs of complying with the contractual terms, the risks to the organization of a breakdown in the vendor's internal controls, the requirements imposed by the organization's regulators, and the size and bargaining power of the organization.
It is possible, though, that difficult questions may arise when your organization discovers shortcomings or failures in the vendor's internal controls that pose a risk of potential compliance exposure to your company. A vendor’s system failures can adversely impact a company’s operations and financial stability and immediately reach regulatory scrutiny. In these cases, an organization may be entitled to treat these failures as a material breach, thus terminating the contract.
But the organization may not be able to terminate the contract, either because the breach is not material or because the vendor's services are critical to the organization's activities and no alternative provider is available. In such cases, the organization may elect to allow the vendor time to repair the problem. Still, it should exercise continual scrutiny to confirm that the repairs are effective and completed quickly.
Furthermore, your company may also determine whether the counterparty has brought the shortcomings or failures to the attention of the counterparty's regulator and, if so, what the regulator has done in response. At the same time, you will want to consider whether your company is obligated to inform your regulator of the issue or, indeed, whether it would be advisable to notify the regulator even if such disclosure is not legally required.
4. As appropriate, engage in training or other activities designed to inform vendors about compliance issues of the organization.
Finally, it may be advisable for the organization to provide training to the vendor's employees. Training by the organization is likely to be more effective than training by the counterparty because the organization is aware of its own risk profile and specific concerns. The costs of such training would be allocated between the parties under the terms of their contract or master agreement.