Posted by: David Schneier
Tags: Audit, bcp, business continuity planning, compliance, exam, examiner, FDIC, NCUA, Regulatory Compliance, vendor, Vendor Management
If I haven’t already shared this with you, I’m a partner in a regulatory compliance advisory firm. We offer services to the banking sector that pretty much cover the entirety of the information security spectrum. And as you might imagine, there’s a fair amount of sales and marketing that go along with the job with which I’m typically involved.
It’s important to develop a relatively thick skin when participating in the sales cycle because an unfortunate part of its process is rejection. Despite the fact that we’ve built a successful practice during arguably the worst economy any of us working folk can ever recall, we still don’t close every deal we pursue. But every now and again I hear something new as a reason why we lost out on a deal that just flat out catches me off guard and knocks me for a loop. Last week was one of those times.
We’ve been enjoying a great deal of success over the past year in selling an automated vendor management product that aligns quite nicely against both FDIC and NCUA requirements. Along the way just about every client and prospective client we’ve talked to has shared their concerns and frustrations in struggling to come up with something that would satisfy their examiners but not add considerably to their workload. In the end, their decision to purchase or not purchase has fallen into somewhat traditional categories until last week when someone threw us a curve ball.
We had followed up with a prospective client that recently demoed the software and indicated interest in proceeding with us. They told us that they’ve decided to delay doing anything with vendor management at this time.
Was it because of financial constraints on their part? No. Was it because of resource constraints on their end? No. Was it because they were going to develop something internally? Again, no.
Their reason for not proceeding with us came down to this very simple and scary fact: They had just completed an exam with their regulator and vendor management wasn’t covered during the fieldwork.
Their management had made a conscious decision that if the examiners aren’t looking at something they’re required to do, they’re simply not going to do it; just like that.
First of all, does that logic freak you out anywhere near as much as it does me? Is this really how a financial institution being trusted with people’s money is conducting business? My first thought was “what else aren’t they doing because their examiner ran out of hours and never looked into it?”
I mean, there’s a reason why the FDIC and NCUA came up with a set of rules by which you’re supposed to comply if you’re a bank or credit union. These are things that are intended to protect the depositors who trust you with their money and personal information. I’ve yet to come across anything a banking client is required to do that I thought of as being “made work.” One of the simplest reasons I moved exclusively into the banking sector was because after several years of working on SOX projects I wanted to focus on something where the required activities actually made sense.
I’m not naive, far from it as a matter of fact. I know that our clients’ activity is driven in large part by what they’re expecting their examiners to be most interested in during the next exam. But even though money will be spent accordingly, each client typically makes an attempt to address all of the key compliance requirements. For example, not everyone has the time or bandwidth to test their business continuity plan, but they all make sure they have something in place and try to update it with some frequency. I can’t think of even one client who knew they had a deficiency in a key area and decided to leave it alone until the examiners made them do so. Quite frankly, it’s a horrible strategy.
In an ideal world you have all of your required controls in place, functioning and routinely tested. However, in the real world that’s not always possible. And so I advise my clients that they need to at least have a plan in place on how and when they’ll be in compliance; don’t ever let an examiner find a deficiency on their own, it’s just a bad, bad idea.
So I wonder what this one institution will have to say next year when their examiner rolls around again and they still don’t have a vendor management program in place. Because rest assured, if they avoided discussing it this year it’s not likely it will be missed the next time around (vendor management is about as hot a topic with the examiners as there is). I can only hope that they come to their senses along the way and realize there’s a reason these things are called “requirements.”