Vendor management is a hot-button issue for banks, driven by mounting regulatory pressure. Regulations are constantly changing, and regulatory enforcement continues to increase in both intensity and frequency. There are three primary reasons why bank regulators have a heightened interest in vendor management:
• A greater reliance on third parties by banks;
• Regulations regarding data privacy and security; and,
• Increased focus on data safety due to publicized data breaches.
Regulatory compliance raises the importance of vendor management concerns since members of the board of directors can be held personally liable for non-compliance situations.
According to the FDIC statement dated June 6, 2008, the board of directors and senior management are ultimately responsible for identifying and controlling the risks associated with third-party relationships, including the potential for misuse of confidential customer information or violations of rights to privacy of bank customers.
An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, “to the same extent as if the activity were handled within the institution.”
The first step is to develop and adopt a formal vendor compliance management policy. Developing and adopting a policy brings the issue to the attention of the Board, which is ultimately responsible for the process, and highlights the importance of the program to all levels of management.
There are several firms that offer viable software to assist in the development of an appropriate bank policy. We recommend that bank management contact several of these companies and seek proposals for consideration.
A bank’s management is obviously conscious of the critical role it plays in protecting its customers’ confidential information and of the importance of public confidence in attracting and maintaining relationships with consumers. Every institution that has been involved in a compromise of confidential customer information has also experienced some loss of public confidence, affecting not only the institution’s existing customers but also potential customers and an array of others directly or indirectly involved with it.
Gramm-Leach-Bliley crystallized the financial services industry’s responsibility for protecting personal financial information. Once this information is compromised, in addition to the potential loss of customer confidence, the institution is also subject to liabilities to those whose information was compromised. This is true of information in the care and custody of the bank and of any third-party vendors used by the bank that must have access to this information.
These liabilities can result in a substantial financial loss to the institution, potentially affecting its profitability and capital structure. It is therefore critical that management institute appropriate policies and procedures in accordance with the mandates of the FDIC and other federal or state banking authorities.