When considering the outsourcing of significant bank functions to a third-party vendor, the bank’s board of directors and senior management should ensure that the outsourcing of a particular function is consistent with the institution’s strategic plans and evaluate proposals against well-developed and specific criteria.
Risk Assessments, Due Diligence, and Selection Business continuity and contingency plans.
Incentive compensation review and service-level agreements (SLAs).Risk assessments, due diligence, and selection.
While the components of an effective vendor risk management program may vary based on the scope and nature of an institution’s outsourced activities, effective programs usually include the following elements: These policies should address third-party vendor relationships from an end-to-end perspective and should include procedures for establishing servicing requirements and strategies selecting a third-party vendor negotiating the contract and monitoring, changing, and discontinuing the outsourced relationship. The bank’s senior management should develop and implement enterprisewide policies to consistently govern outsourcing processes. Because the responsibility for properly overseeing these relationships remains with the institution’s board of directors and senior management, an effective vendor risk management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing arrangements. As a result, community banks are increasingly relying on third-party vendors for a variety of technology-related services. Technological advances enable community banks to provide customers with an assortment of products, services, and delivery channels. It should focus on outsourced activities that have a substantial impact on a financial institution’s financial condition, are critical to the institution’s ongoing operations, involve sensitive customer information or new bank products or services, or pose material compliance risk.” 1 Therefore, it should be no surprise to anyone that the adequacy of vendor risk management is a top concern for community bankers and regulators.įederal Reserve Supervision and Regulation (SR) letter 13-19, “Guidance on Managing Outsourcing Risk,” states that “a financial institution’s service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged. As a result, bankers have devoted more resources to vendor risk management, integrating vendor management oversight into their critical processes. On a daily basis, cyber-related incidents and contingency plan failures occur, involving serious to sometimes critical incidents that may have significant impact on community banks. Over the past several years, managing third-party vendor risk has required greater attention from community bankers. The increased use of outsourcing to third-party vendors and the importance of the relationships between banks and those vendors intensify the need for community banks to have highly effective third-party vendor risk management programs in place. In addition to traditional core bank processing and information technology services, banks outsource operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing. As the scale, scope, and complexity of these relationships and services increase, the related risks and the importance of effective vendor management should proportionately increase. Significant effort is required from both the institution and the third-party vendor to maximize the benefits received from the relationship, service, or product, while simultaneously minimizing associated risks. Vendor management comprises all of the processes required to manage third-party vendors that deliver services and products to financial institutions. The Importance of Third-Party Vendor Risk Management Programsīy Tony DaSilva, S&R Subject Matter Expert, Federal Reserve Bank of Atlanta
0 kommentar(er)
