Posted by: David Schneier
I do a whole lot of work with vendor management, a fact which most of my regular readers are quite aware of. And while I typically recoil when somebody else says of themselves what I’m about to say, I’m going to say it anyway; I’m really something of an expert on the discipline, particularly as it relates to financial institutions. I designed my very first vendor management program nearly eight years ago (very manual, very spreadsheet oriented) and have progressed with it to the point where my practice now supports well over one hundred institutions who are all users of our automated VM solution. So as you can imagine I put a lot of time and effort into thinking about how to go about identifying and assessing vendors.
Two separate but (very much) related events occurred recently regarding vendor management that sort of have me scratching my head, and so I wanted to share.
First, while conducting some research on FFIEC guidance surrounding vendor management for a client I realized that simply as a force of habit I knew which InfoBase documents to access. There’s one that covers 3rd party service providers and another that’s specific to outsourced relationships. Together they combine to provide solid content on the details related to vendor management. But here’s what I noticed for the first time ever; nowhere on the FFIEC site or in its documentation is anything ever directly referred to as vendor management. Examiners are constantly hammering away at our clients for more and more information regarding their vendor relationships, comments are routinely found on reports addressing the same. And yet nowhere in their core guidance documentation is anything specifically referenced as vendor management? Why is that?
Second, back in May our practice participated in a bankers' conference in New York and presented on the subject of vendor management. When the audience was asked “Who’s happy with the guidance you get from your examiners? Raise your hand,” nobody raised a hand… nobody. Now to be fair, we didn’t ask how many in the audience ever thought to even ask their examiner for direction, which is another issue altogether. But out of roughly fifty people in attendance no one, not a single soul, felt that their examiner was helping them figure out vendor management.
So what exactly is a financial institution to do? You’re not getting specific direction from the examiners themselves and the one source for guidance you’re encouraged to rely upon doesn’t even define it in such a way that you know for sure what to look at. Seriously, it can be remarkably maddening when you get right to it.
And to make things all the more confusing, when you start researching vendor management on the Internet you find that the discipline mushrooms quickly into procurement, financial accounting and contract management, and so you can’t even find a simple or straightforward concept to use as a guide to either build or enhance your current vendor management program. Or at least that’s what you wind up concluding at the end of the day. But really, in the end, what your examiners are going to hold you accountable for are only those things that you’re required to do. Within the vendor management space that boils down to GLBA and what’s required in order to comply with it. To some that might seem overly simplistic, but it’s not; it’s the right answer and the correct strategy.
But here’s the kicker: since I first started working within the banking sector and helping institutions comply with GLBA, I’m amazed by how pitifully few people even know what they’re expected to do. I think the regulation is fairly straightforward (and always have), but when our practice engages current or potential clients that’s not always the case. And so if you don’t understand what compliance looks like, how do you add another layer (in this case vendor management) and align it so that it matches up on the key points?
It sure would help though if the people who are responsible for making sure you’re doing what you’re supposed to be doing actually pointed you in the right direction.