
Compliance risk management considerations for vendors

January 22, 2020


Allison Burns Senior Examiner

Banks increasingly rely on third-party vendors to provide consumer compliance-related services. Using vendors allows banks to leverage outside expertise in order to create efficiencies in bank operations or offer additional products and services to customers. While banks receive many benefits by engaging vendors, legal, reputational, and financial risks may arise if vendors do not comply with legal and other requirements. As such, a bank should consider having a program to effectively oversee its vendors, commensurate with its size and the number of vendors. This article highlights areas of potential risk associated with using vendors and identifies several sound practices for the board and management to consider in order to effectively oversee its vendors.

Guidance on managing consumer compliance risks with vendors

Several sources provide information that banks may want to reference in considering how to effectively manage consumer compliance risk related to vendor relationships. First, CA Letter 16-8 includes the FFIEC Guidance on the Uniform Interagency Consumer Compliance Ratings System. This guidance addresses how examiners should assess a bank’s consumer compliance management system for compliance ratings purposes. It notes that the compliance expectations for the bank’s overall compliance management program extend to the bank’s third-party relationships. The guidance also notes that even when institutions use vendors to provide bank services, they cannot outsource the responsibility for complying with laws and regulations or for managing the risks of third-party relationships.

Second, CA Letter 13-21/SR Letter 13-19, Guidance on Managing Outsourcing Risk, highlights the elements of an appropriate vendor risk management program.[1] Common compliance-related banking vendor relationships include using automated disclosure preparation software; outsourcing parts of the compliance function, such as hiring an external auditor; utilizing technology companies to design and host the bank’s website; and engaging with mortgage brokers, auto dealers, credit card companies, companies that provide add-on products (such as identity theft protection), or Fintech companies. It is important for banks to maintain an up-to-date list of their vendors for purposes of effective oversight.

Potential risks related to vendors

CA Letter 13-21 lists a variety of risks that could arise when using vendors. For this article, we focus on compliance, reputational, operational, and legal risks.

Compliance Risk
Definition: When the services, products, or activities of a vendor fail to comply with applicable U.S. laws and regulations.
Example: Violations of consumer compliance rules and regulations occur because the bank relied on a vendor to implement disclosure changes, but the changes were not implemented appropriately.

Reputational Risk
Definition: When the actions or poor performance of a vendor cause the public to form a negative opinion about a bank.
Example: Problems with a vendor’s products or services lead to dissatisfied bank customers.

Operational Risk
Definition: When a vendor exposes a bank to losses due to inadequate or failed internal processes or systems, or from external events and human error.
Example: Problems that arise from fraud, data breaches, or other catastrophic events.

Legal Risk
Definition: When a vendor exposes a bank to legal expenses and possible lawsuits.
Example: Potential fair lending lawsuits arising from a vendor that makes credit decisions based on a prohibited basis.

Sound practices for mitigating outsourcing risk

To mitigate the risks identified above, the board and management should consider creating a vendor management program that ensures that vendors comply with consumer protection laws and regulations. The following sound practices are discussed in CA Letter 13-21.

Risk assessments
Risk assessments help the board and management analyze the benefits and risks of outsourcing an activity. Items to consider include whether qualified and experienced vendors are available and whether the board and management are able to effectively oversee and manage the vendor relationship, which includes having sufficient understanding of the activity and its associated risks.

Due diligence
Conducting due diligence helps the board and management select the appropriate vendor. Actions to consider taking include researching the vendor’s qualifications and reputation and asking for references and financial information. The bank may also want to confirm the vendor’s compensation practices to ensure that these practices do not encourage certain behavior, such as steering consumers to higher-priced products inappropriately.

Contract provisions
A well-written contract helps mitigate the bank’s risks by defining the responsibilities for each party. Banks should consider engaging legal counsel to review vendor contracts to help ensure that the terms of the contract are laid out as the parties intended. As applicable, contracts may address the scope of the relationship, vendor compensation, processes for auditing the vendor, vendor performance standards, and contingency plans for vendor-related services.

Oversight and monitoring of vendors
Oversight and monitoring of vendors ensure that vendors continue to perform as expected. Bank management should consider monitoring vendors using a risk-focused approach, with critical vendors receiving more oversight and monitoring than lower-risk vendors. Evaluating the performance metrics included in the contract and the vendor’s financial condition are two ways to monitor a vendor. It is important for the board and management to have procedures for increasing oversight if vendors do not meet performance, compliance, and other expectations.

Business continuity and contingency plans
When operational failures happen, contingency plans are needed, especially if a vendor provides critical bank services. The board and management should consider verifying that vendors test their contingency plans and reviewing those reports. Banks should also consider having their own contingency plans (such as a backup vendor) in case a critical vendor is unable to perform.


Outsourcing activities can provide many benefits for the bank and its customers. An effective vendor management program can help limit potential outsourcing-related risks by ensuring that the bank’s board and management select appropriate vendors, identify outsourcing-related risks, and manage and monitor those risks effectively.


CA Letter 13-21/SR Letter 13-19, Guidance on Managing Outsourcing Risk

Consumer Compliance Outlook, First Quarter 2011, “Vendor Risk Management”

Outlook Live Webinar, May 2, 2012, “Vendor Risk Management—Compliance Considerations”

CA Letter 16-8, Uniform Interagency Consumer Compliance Rating System


[1] The CA Letter uses the term “service provider.” However, for purposes of this article, the term has been replaced with “vendor.”
