New Due Diligence Guidance for Community Bank on FinTech Firms

On August 27, 2021, the Board of Governors of the Federal Reserve, FDIC, and the OCC published new guidance aimed at community banks that are looking to expand their reach and service new customer bases through partnerships with financial technology companies (FinTech). While aimed at community banks, the regulators said the fundamental concepts could also be adopted by other kinds of banks and for other kinds of outsourcing partnerships. The regulators stated that the guidance was recommended but not mandatory and emphasized that it did not cover all types of third-party relationships.

The guide sets out six nonexclusive areas of due diligence that community banks should consider when engaging with FinTechs. The six key due diligence topics are: business experience and qualification, the companies’ financial condition, legal and regulatory compliance issues, risk management and control process, information security, and operational resilience.  The guide then provides direction on potential sources of information under each of the six steps and includes illustrative examples.

Business Experience and Qualifications

  • Business experience
  • Business strategies and plans
  • Qualifications and backgrounds of directors and company principals

Financial Condition

  • Financial analysis and funding
  • Market information

Legal and Regulatory Compliance

  • Legal
  • Regulatory Compliance

Risk Management and Controls

  • Risk management and control process

Information Security

  • Information security program
  • Information systems

Operational Resilience

  • Business continuity planning and incident response
  • Service level agreements
  • Reliance on subcontractors

Given the regulators’ recent and recurring emphasis on vendor management, the board of directors and senior management of all banking organizations should consider whether their vendor management policies and procedures comply with the Proposed Guidance and include the areas addressed in the Guide when engaging FinTechs.

What is a Fourth Party Vendor and Why Should I Care About Their Risk

Fourth-party risk is rising to the top of most auditors and examiners list when it comes to evaluating financial institutions vendor management program.  Fourth parties are your vendor’s third parties and subcontractors.  These vendors you will not have a direct contract; however, your vendor does, and relies on these vendors to produce a product or service for them.  Most of the time these vendors will be visible in your vendor’s SOC reports and should also be easily identified by your vendor as those classified as critical in their own vendor management program.

Financial Institutions should care about fourth-party vendors risk, because they are subject to the same risk as your vendors, which puts you at the same risk without having the same oversight that you have over your own vendors. Financial institutions are ultimately responsible for the protection of their customers data, sometimes a fourth-party vendor can expose the financial institution to reputational, operational or cybersecurity risk.  All it takes is a single opening for a threat to compromise protected information.  Like any risk, there can be serious business implications, from fines to legal issues which can negatively affect a business if the fourth-party risk is unchecked.

The most effective way to manage fourth-party risk is to build a mature, comprehensive vendor risk management program.  If you have the right practices and processes in place, then incorporating fourth parties into those processes should feel manageable and mostly seamless.  Your vendor management program should help you identify your most critical vendors.  Once you do that you can ask them who their vendors are; what products and services do they provide to the vendor that cause them to be classified as critical to their operations; and what due diligence on the fourth-party vendor has your vendor perform on them.

Risk Management Done Right

Strunk is best known for our fee income improvement programs, including Overdraft Privilege, Rewards Checking and Value Checking. Most recently we have expanded our offering to assisting community financial institutions with their risk management and compliance processes using our software.

Strunk offers six comprehensive, easy-to-use and affordable compliance management tools:

Risk Assessor helps you prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.

Policy Manager organizes all your policies into a single database, mapped to the relevant standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.

Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.

Skills Manager provides online testing and training to ensure employees are knowledgeable about your policies.

According to Dan Roderick, CEO, “Strunk’s Risk Manager solution brings efficiency to the process and allows our clients to focus on their highest areas of risk. The solution is comprehensive but simple to use, which is something I wish I’d had access to in my days as a banker.”

All our tools are securely and reliably hosted with Amazon AWS, making them available on a variety of devices from anywhere. Risk Manager facilitates remote work and will greatly enhance your internal control and risk management processes and save time – all for one low annual fee.

If you are paying another vendor an annual fee for any one of these tools today, invest just 30 minutes to review our solution suite. We can add valuable services – and may be able to SAVE you money as well!

3 Common Mistakes in a Vendor Management Program

  1. Not completing a risk assessment on all vendors.

Some companies may decide not to do a risk assessment on a vendor because of the contract value or the type of work that the vendor is performing for the business.  Each vendor that provides a product or service for your business should have a risk assessment completed.  By performing a risk assessment on all vendors, it allows your business to better understand the risks that exist when they use a vendors’ products or services.  Conducting a risk assessment for all vendors is particularly important when a vendor handles a critical business function, accesses sanative customer data, and/or interacts with customers.  It will also help you categorizes your vendors by risk level.  By categorizing your vendors by risk level, it will allow the business more time to focus on those vendors that have a higher risk.

  1. Not conducting vendor reviews.

Vendor reviews help manage your vendor’s performance.  A quality vendor review assesses how the vendor is performing against Service Level Agreements (SLA) and Key Performance Indicators (KPI) that are established in the contract.  It should also show non-contractual performance issues, such as incidents that aren’t measured by a service level.  Understanding the vendors situation, performance and how they handle third parties is crucial for the businesses on-going monitor of their vendors.  Vendor reviews are perfect way to partner with the vendor for a successful relationship and to hold the vendor accountable for their performance.

  1. Storing vendors due diligence material in different places.

Vendors due diligence material assist the business with selecting a vendor, contracting, and ongoing monitoring.  This process can be very difficult for businesses that don’t have a centralized repository to store their vendor documents.  Having a centralized repository for your vendors documents will help streamline and organize your vendor manager program.  With this process in place, it makes it easy for another employee to find the documents that are needed, and the business can also set reminders on when the document needs to be updated.

Residual Risk Explained

Having a well maintained vendor management program will allow you to build relationships with your vendors, while also strengthening your business. Understanding your vendors’ residual risk is a key piece of your vendor management program and it will let you know the amount of risk or danger associated with a vendor’s action after controls are accounted for.

To understand Residual Risk we need to first understand Inherent Risk.  Inherent Risk is typically defined as the amount of risk that the vendor has in the absences of controls.  Any time a financial institution uses a third party to provide a service or product, the financial institution needs to complete a risk assessment so they can understand the criticality of the risk that vendor will have.  Inherent risk is established only after the vendor’s key objectives have been defined, and steps have been taken to identify what could go wrong to prevent the vendor from achieving those objectives.  In addition to impact and likelihood, management must consider the nature of the risk also.

Once the Inherent Risk of the vendor is established and the financial institution recognizes the criticality of the risk, then the financial institution must realize what controls the vendor has in place to help mitigate or reduce the risk that the vendor has.  Once the controls have been assessed they should also be tested to ensure that they are operating efficiently.  Testing the controls provides confidence that they actually reduce risk to a tolerable level.

Finally, we are able to take a look at residual risk.  Residual risk is the amount of risk associated with each vendor remaining after inherent risks have been reduced by controls that the vendor has in place.  When controls are weak, not in place, or not functioning properly then residual risk will be high.  If vendor residual risk is high then a corrective action plan needs to be put in place on how the vendor is going to strengthen those controls or management should seek out other vendors who can provide the product or service to the financial institution.

Strunk at the ABA’s Virtual Risk Management Conference 2021

We’re getting the hang of these virtual events at Strunk!  Strunk attended the ABA’s annual Risk Management conference last week. During the virtual event we hosted a virtual booth, met with many familiar and new faces via Zoom meetings and attended virtual sessions. We enjoyed the opportunity to connect with bankers across the country.

We welcomed the opportunity to discuss with attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software Risk Manager, which includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and Vendor Manager.

A state of the industry was provided by Dr. Catherine Mann, currently the Global Chief Economist for Citibank. The session included an update on the economy, focusing on pandemic recovery in all key sectors. She also shared thoughts on key economic risks for financial markets and how this impacts risk mitigation efforts. The session also included a keynote address by Rob Nichols, President and CEO of the American Bankers Association.

Attendees had the opportunity to discuss post-pandemic risk management, among many other topics. Bankers were encouraged to reassess and modify risk management frameworks as a result of the pandemic, especially reviewing and adjusting risk appetites and associated metrics.

Congratulations to the winner of Strunk’s giveaway, a $100 gift card to Amazon – Linda Schnitzler of The Canandaigua National Bank and Trust Company!

We hope to see you all in person next year. Until then, stay well.

Do you properly evaluate vendor risk?

Understanding vendor risk is an extremely important part of your vendor management program.  Each vendor that provides a product or service to you may have some inherit risk that your organization may take on.  Knowing the inherit risk for each of your vendors before you go into contract with them will provide insight into whether or not the vendor handles any critical business function, have access to sensitive customer data or if they interact with customers.

Risk assessments will not eliminate the risk associated with the vendor, but the risk assessment can help minimize the impact on your business.  Once the vendor’s risk has been identified then you can decide if those risk can be eliminated by knowing what controls that vendor has in place.  The vendor’s controls should be reviewed to make sure they are effective and also monitored.

A successful vendor risk assessment can assist with:

  • Rating each vendor according to risk
  • Assessing each vendor relationship at the service or product level.
  • Determine which vendors need to complete vendor surveys to determine what controls they have in place for their risk.
  • Determine the due diligence requirements and the frequency.

Even though risk assessments are a prevented step in the vendor management process, organizations should always perform periodic vendor risk assessments to ensure its vendors are keeping up with its quality standards and not introduction risks to the company, its customers, and investors. https://strunkaccess.com/vendor-manager/

Strunk at the ABA’s Virtual Conference for Community Bankers 2021

For the first time, Strunk attended the ABA’s annual Conference for Community Bankers virtually. During the virtual event we hosted a virtual booth, met with many familiar and new faces via Zoom meetings and attended virtual sessions. While a bit different than being together, it remains one of the most anticipated events of the year and we made the most of the connections with bankers and enjoyed seeing everyone.

We welcomed the opportunity to discuss with attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software Risk Manager, which includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and Vendor Manager. Strunk’s Overdraft Program is always a hot topic of conversation and we were glad to discuss our approach with long-time clients and potential clients.

Attendees had the opportunity to hear from keynote speaker, former NBA star Earvin ‘Magic’ Johnson in his session ‘The Power of Magic’. On top of his athletic notoriety, Magic is a driven and successful entrepreneur who shared what it takes to truly make an impact.

Another interesting session was hosted by Ron Shevlin of Cornerstone Advisors on the five forces shaping the banking industry today. He detailed how challenger banks, big tech, embedded finance, artificial intelligence, and cryptocurrency are affecting our banks and provided areas of focus for community FIs.

Congratulations to the winner of Strunk’s giveaway, a $100 gift card to Amazon – Mayra Rinaldi of Columbia Bank!

We hope to see you all in person next year and to once again host the conference t-shirt station. Until then, stay well.

5 Things you should do to build an Effective Vendor Management Structure

Managing your vendor manager program can be troubling and time consuming. With the increase numbers of vendors that companies are depending on each year, companies need to make sure they are monitoring vendors and contracts more efficiency to help prevent problems before they start.

1. Identify your vendors and understand what services that they are providing you.
Creating a list of your existing vendors and understanding the nature of their service is key in your vendor manager structure. Being able to have access to your vendors list and their information will lead to both effectiveness and efficiency inside of your organization. Effective vendor management entails a detailed grouping of vendors based on criticality and service.

2. Contract Review
Storing your vendor contract in a central location will provide insights into the current stage of the vendor, for example, vendors with contract in place, vendors that require renewals, etc.. Having a centralized view of the current status of all contracts will help achieve better decision-making capabilities and save valuable time. Understanding and scoring what provisions should be in the contract will help provide the correct terms of the contract between you and the vendor.

3. Risk Assessment
Completing a risk assessment on your vendors to better understand the risks posed by its third-party relationship is critical to each vendor relationship. Identify any risks that the vendor poses with help your company evaluate whether the vendor can eliminate those risks or determine whether your company can accept those outstanding risks for that vendor.

4. Vendor Reviews
Not all vendors may perform as per your standards. It is important to choose the right vendor from multiple vendors, who meet your organizational standards and criteria while promising excellent performance. Performing periodic vendor reviews will give you a better understanding of the vendor’s performance and make sure they are providing quality product or service to your company.

5. Document Storage
As your company grows, it becomes essential to have a vendor data storage solution in place. In the absence of a vendor management system, storing and retrieving data might prove to be really tough, considering the fact that you may be dealing with multiple vendors for multiple projects at the same time. Having a centralized repository for your vendors data will help streamline and organize your vendor manager program.

Who Handles your Vendor Management?

Managing the vendors your financial institution does business with is important but it can be time consuming and a stressful project. Some institutions have decided to let third parties manage the risk assessment and vendor due diligence process rather than do it on their own. Strunk’s Vendor Manager solution makes it easy to do risk assessments, manage contracts and other vendor documents and to obtain necessary annual information to ensure risks associated with vendors you do business with is managed appropriately.

Our program provides: 1) A repository of information on each vendor you do business with and 2) The ability to do consistent risk assessments for each vendor. Maintaining a list of key vendor relationships, contracts, insurance certificates, security policies, and other documentation is critical to vendor management. The tickler system notifies the individual assigned to the vendor when contracts come up for renewal or when other documents are due.

Vendor risk assessments can be a hassle and our solution takes a standard approach to ensure the process is consistent and thorough based on the risk (critical, high, moderate or low) per regulatory guidelines. For critical and high risk vendors additional information is obtained from those vendors to complete the risk assessment.

Vendor Management is imperative at all financial institutions and Strunk’s Vendor Manager Solution may be just what you are looking for. Take back the process from outside vendors or make internal vendor due diligence easy and consistent to manage.