Banking in the Ninth

Overseeing Compliance Vendors

Consumer Affairs Update - September 2012

Published September 1, 2012  | September 2012 issue

Financial institutions increasingly rely on third-party vendors to provide consumer compliance-related services. Such vendors can provide banks with valuable services. At the same time, community banks can face challenges and costs in effectively overseeing them. Weak oversight of third-party vendors exposes a bank to a number of risks, including legal, reputational and financial, if the provider fails to comply with legal and other requirements.

Based on weaknesses examiners find in vendor management oversight, we offer a few suggestions for how banks can improve their oversight of vendors and limit their compliance-related risks.

  • Assess vendor’s effectiveness. When checking a vendor’s references, a bank should consider the following.
    • How does the vendor handle and respond to individual bank requests?
    • Does the vendor respond in a timely way to such requests?
    • Are there concerns about the quality of the vendor’s products?
    • How effectively and timely does the vendor respond to systemic or other problems?
    • How are disputes or complaints handled? Ongoing monitoring of the vendor’s effectiveness is also important. For example, does the vendor have any outstanding lawsuits or enforcement actions, particularly any that would raise concerns about treatment of consumers or other issues that could subject the bank to reputational and other risks? Also, bank employees can test a vendor’s customer service practices by receiving customer mailings or calling customer service numbers.

  • Monitor regulatory changes. A bank should monitor regulatory changes and ensure that any vendor-provided products comply with new requirements. Reviewing disclosures and testing systems after a regulatory change helps ensure that a vendor has incorporated the change appropriately. Banks are ultimately responsible for ensuring that vendors’ practices comply with applicable regulations and laws and should adopt policies and procedures to ensure that desired outcomes occur. These communications include additional information on compliance vendor management.