The CFPB bulletins serve as a constant reminder that banks will soon need to change the way they look at their service provider relationships. The regulators are telling banks to “categorize” the third parties that provide services to them according to their level of risk, and to manage each category with controls proportionate to that risk.
Service Provider Risk Level
The level of risk depends on what the service provider does. Third parties range from the low-risk end, such as lawn maintenance or snow removal, to the high-risk end, such as providers of data services or services that involve moving money, together with access to the bank’s financial operations and customer information. Everything else falls somewhere in between, and where it lands depends on the service being provided.
Depending on the size of the institution and the complexity of its relationships, a bank could have any number of these low-to-high risk relationships to categorize. The obligation itself does not depend on the bank’s size: a small institution with 20 service providers and the largest institution in the country with 20,000 service providers both have to go through this classification process.
Taking A Closer Look at Your Third Party Vendors
Once the banks have categorized these service providers according to their levels of risk, they also need to take a closer look at the particulars of everything the service providers are doing. They are asking more questions. Are the proper contracts in place? Are the terms of those contracts actually being followed? Are the contracts reviewed regularly? Are all the requirements in those contracts being met? Do the people who perform those services meet the financial institution’s criteria? A service provider that has access to confidential or internal information has to run a secure operation of its own, because the bank inherits whatever weaknesses it has. And if the provider is given access to the bank’s systems, the bank has to ask whether an attacker could get into the provider’s service and use that access as a back door into the bank.
In the past, these questions were not always asked because the requirements were more lax. Relationships were built on trust generated by a good ole boy mentality. Looking under the hood, so to speak, of a service provider’s business and really making sure it had everything in place to meet the bank’s requirements was not necessarily a priority. It is becoming clearer now to banks that they have to have all of these processes in place and that they are non-negotiable.
Regulatory Expectations for Vendor Management
The responsibility has always been there, but the regulations have changed, and in the last few months different regulatory bodies have issued clarification on responsibilities, requirements, processes and ongoing management. Banks are starting to clarify what needs to be reported, and in order to collect that information they are putting more rigorous processes in place to gather and manage the data. Getting that data has changed the good ole boy relationship into one of “I like you, but I have a business and a regulator I have to report to; I don’t just want this information, I need it.” Along with all of these scrutinizing questions, banks are also starting to perform annual on-site visits, audits and other monitoring functions.
Banks are reacting to the CFPB’s bulletins with varying levels of urgency. Some are proactive and have already begun implementing strict policies with ongoing supervision to ensure that the requirements are met. Others, with very fragmented or weak policies in place, have not even begun preparing. In the larger institutions especially, however, operational risk is becoming a greater priority, all the way up to executive management.
The banks are ultimately responsible for their third-party vendors, so they need to categorize all of their service providers and make sure the policies are in place.
Service providers are reacting differently to these new processes as well. Some vendors are more willing to participate in the vetting process than others, and some may lack the personnel, or the willingness, to provide such detailed information on an annual basis. A service provider that is unwilling to participate in that kind of rigorous, ongoing vetting may have to come to terms with the fact that banks will be unwilling to use it.