Regulators are taking an increasingly acute interest in the potential for risk in banks’ vendor supply chains and have found in audits that most banks are lacking in risk monitoring and management with their providers, a recently released white paper by Information Services Group (ISG), a research and advisory firm, claimed.
Financial institutions are becoming increasingly reliant on outsourcing services to third-party providers, with 35% of outsourcing contracts coming from the financial services sector, according to ISG’s research. Dodd-Frank and other regulations in recent years have aimed to set standards for those service providers in security practices and protocols for interacting with end-consumers, says Chuck Walker, the director of ISG.
Walker expects that regulators will continue to investigate suppliers’ compliance and security risk as more banks use suppliers for services that lead them to have direct contact with consumers, such as working in the call center. Last summer Capital One bank was fined by regulators after it was found that third-party suppliers working the phones at the bank’s call centers had been using fraudulent means to sell services to customers, showing the potential consequences for not monitoring such interactions between vendors and customers.
As regulators have begun to scrutinize vendor supply chains through audits, they have found that most banks are not doing enough to monitor risk in those chains, according to the white paper. “They [regulators] are looking at - from a risk perspective - how they’re monitoring their suppliers,” Walker says. “In many cases they’re finding there isn’t strict oversight in performance aspects of the contract… Regulators want to make sure the [vendors’] internal processes are compliant.”
As the white paper points out, auditors are increasingly looking for specifics from banks on how vendors are being monitored (often in real-time), and what kind of performance reporting is occurring over time. But many banks don’t have answers for the auditors as most of the analysis that they have done of their vendor partners was done upfront to qualify them for the contract. “Clients often don’t look at governance [with their vendors], especially performance governance, until it is time for contract renewal,” Walker adds. That analysis is often outdated after a few months as technology, market and regulatory changes force those vendors to make changes to their processes and protocols, the white paper says.
Most banks, therefore, don’t have the ongoing monitoring of their supply chains that regulators are looking for. Those banks open themselves up to potential risk and non-compliance that can lead to fines like Capital One’s episode last year.
Auditors have been mostly targeting larger institutions so far, Walker relates, but the attention being paid to the issue is starting to trickle down. “There’s been a lag because the bigger banks get the attention first, but regional banks are starting to get wind of it,” he says. Several of those larger banks have had to reform their monitoring processes after failing audits, Walker adds, in some cases even having to take immediate action or bring in outside help to get compliant.
The white paper lays out a step-by-step process for banks to analyze their supply chain for risks and come up with monitoring processes that will keep them in good stead with regulators. That process begins with a risk assessment that should prioritize the most critical areas of risk and how to correct them. Walker says that assessment can take anywhere from two to six weeks, depending on the size of the bank and the complexity of its supply chain.
Banks should then seek to facilitate discussion with their vendors to point out areas of weakness and create monitoring processes to address those weaknesses. This exercise should help banks and vendors gain a more holistic view of the service chain and the risks in that chain, the white paper says. This in turn makes it possible to define standards for responsibilities in addressing specific risks and making any contractual adjustments that may be required. Over time, the white paper says, banks need to define a standard set of roles, process owners and sources of real-time data for their first-tier suppliers, as well as their second-, third-, and fourth-tier suppliers.