Establishing Effective Management of Vendors

In any industry, particularly in regulated industries, there is a substantial need for oversight of vendors. Often vendors do not have direct oversight by regulators, but there is pass-through responsibility for such oversight to the company. In the case of financial services, for example, the Consumer Financial Protection Bureau looks to the lender for such oversight.

While vendors can provide expertise, allow for scalability and provide the most up-to-date methodologies and technologies, it is the responsibility of the supervising company (particularly the regulated entity, such as a lender) to ensure that the vendor adheres to the law and any regulatory requirements. Therefore, it is critical for those entities to have an effective management plan to mitigate risk and comply with federal, state and local laws.

In financial services, some guidance is provided by the CFPB and the OCC (Office of the Comptroller of the Currency), but there are not always clear and solidified rules as to what exactly constitutes vendor oversight.

Initial Steps

When a company enters into a business relationship with a service provider or third party, the company remains responsible for complying with laws aimed at avoiding harm to the customer or consumer. Lack of oversight of critical activities or shared services could expose the company to significant risk, have weighty customer impact, require unplanned investment or have a major negative impact upon the company's operations and financials. The company must determine the types of service providers it works with, each carrying a different level of risk, and then build an oversight structure around them.

The vendor management program should be proportionate to the degree of risk and complexity of the relationship with the vendors. Such a program should initially identify key stakeholders, define roles and have an understanding around the amount of risk that corresponds with each vendor. A company may designate two or three levels of risk, depending upon the level posed by their vendors.

Likewise, the vendor should understand the requirements and have the capability, capital and commitment to successfully comply with them. The contract between the company and the vendor must outline clear expectations around compliance, who will bear the cost of such compliance and appropriate consequences for non-compliance.

In addition to contractual obligations, the company should have a system in place to evaluate the vendor on a semi-annual or annual basis. The system should thoroughly review the vendor's policies, procedures, internal controls, insurance, cyber security and training materials to verify that the vendor's continuous oversight of its employees and agents is maintained, especially where there is risk to consumers and/or regulatory requirements.

Open and transparent communication between the parties is critical. With mutual cooperation between the parties, the company and the vendor can have oversight, identify issues and address potential regulatory concerns head-on, allowing timely execution of solutions.

Implementing an Effective Vendor Management Program

An effective program must allow for a consistent, sustainable plan, and should permit the flexibility to reduce or terminate services should the provider fail to meet necessary standards of care and compliance. The program must set clear, definitive criteria regarding expectations of the vendor, including industry standards, regulatory minimums or specific deadlines.

The program's standards and measurements should cover many elements of evaluation, including the status of and changes to business strategy, financial condition, insurance, security and leadership. It should also address key personnel, level of consumer satisfaction, and other contractual arrangements that could pose a conflict. Throughout the lifecycle of the vendor, the company must properly document all aspects pertaining to the vendor, including an inventory of these vendor relationships, approved plans, due diligence results, executed contracts and a regular cadence of risk management reports.

The company's program should have quantifiable metrics and data evaluating each service provider and comparing peer groups. Metrics should be anonymized when shared with vendors so that they understand how they are tracking against other service providers without exposing those providers' details. Such tracking can identify vendors with higher risk resulting from poor performance, allowing those vendors to plan a remediation program.

If a vendor continuously performs poorly, there should be a formal rebuttal process in which the vendor may challenge the cited deficiencies and offer to cure them within a specific time period. If performance remains below acceptable standards without proper cure, the contract must allow for termination of the vendor relationship.

The company should have a process to periodically review its vendor management program, assessing its ability to oversee and manage the relationship, as well as its process for identifying, assessing and reporting vendor risks. It should also evaluate its process for responding to material breaches of contract and security and/or privacy breaches, ensuring proper staffing, identifying conflicts of interest and remediating deficiencies.

The Vendor Perspective

Vendors of regulated companies often receive their own audits (both written and on-site) which may involve executives, management and staff members. Notice of an impending audit can range, usually from 48 hours to two weeks, and audits can last for as little as one day to as long as a month, with an average of two to three days.

Ideally a line-of-business leader spearheads the effort and has dedicated team members from various groups available for the audit. Vendors must comply with all auditor requests (whether made directly or via the audit of the company). There are very limited situations in which a vendor may have an excuse for not providing requested information.

Audits are most often a collaborative process between the vendor and the company, as it is key that both identify any deficiencies and agree to correct the issues. The vendor's technology and compliance systems must pair well with the company's technology, and there should be a fairly seamless process to reconcile the differences in each party's technological capabilities.

Vendors may wish to seek tools to help with these audits. Some tools available in the market are overlays on company systems that help with reporting and maintain clear audit trails. These tools and effective use of technology enable the vendor to adjust and adapt to changing regulations and to push updates directly into their programs. Tool names and companies vary depending on the type of entity and regulatory oversight, and are particular to specific industries.

The themes of an ideal vendor management program are clear: transparency, communication and cooperation. The parties should have the management, oversight and constant evaluation needed to maintain a consistent and reliable program, which will ultimately reduce the risk exposure of both the company and the vendor.

Anastasia D. Stull

Executive | FinTech, Payments & Financial Products Attorney | Strategic Business Advisor | Entrepreneur | Past President of Women in Housing & Finance

1 year ago

Great article

William Klumper

CIO, CISO and Privacy Officer, Senior Advisor to Fundingshield LLC., Secutor Security Consultant

1 year ago

Key requirement, and in many industries it is a requirement that unfortunately is tied to compliance. A better paradigm would be tying it to safety. Cyber sec is not possible, but safety does. Safety is a universal concept and broader. That becomes important when an organization has transnational operations. Using safety demystifies the whole process. One can have 1000s of vendor/vendee relations, but there can be variances depending on location and risk. One thing many organizations fail to take into account is critical personnel and what will happen if something happens to them. Many discount the janitorial and other staff, but they are high risk if an organization fails to maintain consistent document and PC lock-down functionality. One question almost no organization will ever answer truthfully is: do any of your staff have any credentials that are written down and not properly secured? Be surprised where I have found stuff.

Nicole Booth

Digital Transformation & Inclusion; Housing Affordability & Modernization; Collaborative Strategies

1 year ago

Thank you for sharing this valuable insight, Debbie Hoffman!