Financial institutions increasingly rely on third-party vendors to provide consumer compliance-related
services. Such vendors can provide banks with valuable services. At the same time, community banks
can face challenges and costs in effectively overseeing them. Weak oversight of third-party vendors
exposes a bank to a number of risks, including legal, reputational and financial, if the provider fails to
comply with legal and other requirements.
Based on weaknesses examiners find in vendor management oversight, we offer a few suggestions
for how banks can improve their oversight of vendors and limit their compliance-related risks.
- Assess vendor’s effectiveness. When checking a vendor’s references, a bank should consider the following.
- How does the vendor handle and respond to individual bank requests?
- Does the vendor respond in a timely way to such requests?
- Are there concerns about the quality of the vendor’s products?
- How effectively and timely does the vendor respond to systemic or other problems?
- How are disputes or complaints handled?
Ongoing monitoring of the vendor’s effectiveness is also important. For example, does the vendor
have any outstanding lawsuits or enforcement actions, particularly any that would raise concerns
about treatment of consumers or other issues that could subject the bank to reputational and other
risks? Also, bank employees can test a vendor’s customer service practices by receiving customer
mailings or calling customer service numbers.
- Monitor regulatory changes. A bank should monitor regulatory changes and ensure that any vendor-provided
products comply with new requirements. Reviewing disclosures and testing systems after a
regulatory change helps ensure that a vendor has incorporated the change appropriately. Banks are
ultimately responsible for ensuring that vendors’ practices comply with applicable regulations and
laws and should adopt policies and procedures to ensure that desired outcomes occur. These communications
include additional information on compliance vendor management.