Posted by: David Schneier
assess, examination, examiner, GLBA, NCUA, periodic review, regulations, regulatory, Regulatory Compliance, risk, risk rating, third party management, third party oversight, vendor, Vendor Management, vendor risk rating
Early last week I downloaded some fresh content covering vendor management. It turned out that the new information wasn’t really new; it’s guidance that’s been circulating in one form or another for years and tracks closely with guidance ripped from the pages of the Santa Fe Group/BITS Shared Assessments methodology and generally tied back to FFIEC guidance. It’s an approach that turns out to be a recipe for “boiling the ocean” – it makes the work seem too big and unwieldy for all but the largest organizations to tackle, and tends to scare the small and midsized institutions into a state of paralysis. But there’s more than one way to skin this particular cat, and not enough practitioners bring that to the surface.
One of the files I downloaded reminded me of an exercise I participated in two years ago focused on vendor management. I was asked to develop a “how to” webinar on establishing a new program and created a PowerPoint deck that encapsulated the approach I’ve been using successfully for years. Much like everything I’ve had a hand in developing, I spent considerable time up front firming up what’s minimally required, what makes sense for the organization, and designing the various tasks so that they reflect the capabilities of the staff. Telling a community bank that they need to conduct an on-site audit of their hosted platform provider or review a software vendor’s SDLC methodology is both irresponsible and unrealistic; they typically don’t have the staff or expertise to do so. And so my presentation didn’t attempt to boil the ocean but rather boiled vendor management down to something effective and manageable. The owner of the sponsoring website rejected my final draft because he felt it wasn’t detailed enough and would fall short of audience expectations. He wanted the Shared Assessments rehash; I provided something simpler and realistic that was much more likely to appeal to the audience. I was unwilling to compromise my standards, so I decided to separate from the project.
Popular vendor management rhetoric tends to inspire inertia in too many financial institutions. Some admit that they’re delaying vendor management activities for sizable periods of time (anywhere from six months to five years – no joking). Some claim they’re only managing their critical vendors and are using spreadsheets or hard-copy documentation to prove compliance (possible but unlikely). And a frighteningly high number simply defer making any plans or decisions at all because their examiners don’t pay it any attention. Let me run that last one by you again: Their examiners don’t actually examine their vendor management programs (you know, the ones that don’t exist).
So on one hand we have a group of regulatory industry leaders shouting from the rooftops that third-party oversight is critical and needs to address a suffocating amount of information, and on the other hand no one really seems to care whether anything is being done. Anyone else see the problem with all of this?
As with all compliance initiatives, only your organization can determine what makes sense. Almost all FFIEC guidance specifies that your program needs to take into consideration the size and complexity of your institution. So what might work for Citigroup or Bank of America would never make sense for 1st Community National Bank with its two branches and $100 million in assets. There will certainly be commonalities – you still need to risk rate each vendor, you still need to perform a periodic review – but the depth and breadth of the program will vary wildly. However, one thing is certain: You have a fiduciary responsibility to protect your customers’ personal data, and that extends to any business relationship you maintain in which that data is exposed. Doing nothing isn’t an option, and neither is doing too little, not just because it’s the law but because it’s the right thing to do.
The industry pundits are right that the threats in conducting business with third-party vendors are real and increasing every day. Where they go wrong is in not educating you on the many options available to manage those threats. One size does not fit all in the regulatory space, and that’s a concept you need to hear more frequently.
But trust me on this: Doing nothing is not an option. Waiting until the examiners force the issue is not a strategy, and being caught without a viable program in place after your institution has been involved in a breach is a train wreck waiting to happen. Don’t be scared off by what you don’t know or can’t manage; start simple and move from there. No matter what, do something and do it now!