INSIGHTS for Financial Institutions Winter 2015 | Page 2

Vendor Management
How to Ensure Compliance while Following a Growing Trend

Outsourcing helps to lower costs and improve the quality of specialized services, such as application development, back-office activities and processing, call centers, etc. With banks outsourcing a majority of their applications and systems, using a third-party vendor naturally subjects them to risks outside of their control. Functions can be outsourced to third parties, but responsibility and liability cannot. It is important to treat third-party providers as an integral part of the business function.

Outsourcing has increased for several reasons:
• Technical expertise and skills are required to follow the latest technological trends.
• Costs to license software or purchase services can be lower than developing and maintaining a proprietary system.
• Ability to concentrate on core functions.
• Better control of budgets.
• Less dependency on internal resources.

Why has vendor management become an important aspect of sound and safe banking practices?

Dependence on third parties increases risk with regard to data privacy and security. Data breaches quickly become public information, resulting in negative publicity, costly cleanups and lost customer trust. Dependency on a service provider also increases reliance risk because services typically cannot be brought in-house as quickly if the provider’s quality of service is not as expected or if the provider goes out of business.

How to improve the vendor management process and increase vendor oversight

1 – Initial Risk Assessment
It is important to understand not only the benefits that outsourcing provides, but also the risks associated with it. To understand the risk exposure and put proper monitoring controls in place, a risk assessment should be performed for each activity outsourced to a vendor.

2 – Due Diligence Review
A due diligence review should consider the following areas to ensure the bank has fully evaluated the potential vendor and is knowledgeable of the risks associated with the vendor:
• Operations
• Compliance
• Financial Stability
• Reputation
• Strategy
• Information Security

3 – Contract Design and Enforcement
Contracts should be designed with business requirements and key risk factors in mind. This ensures that sufficient “oversight rights” for the bank, such as audit and reporting requirements, are in place.

4 – Ongoing Oversight
An oversight program to monitor the vendor’s compliance with contractual agreements and internal control requirements should be implemented to track actual performance and compliance. Personnel with appropriate expertise in the outsourced area should have responsibility for monitoring and managing the relationship.

bswllc.com