Vendor Manager Contracts

A significant chunk of an organization’s operations is made possible through connections with third-party vendors, and the strength of these ties has a direct impact on revenue. Contracts with vendors may be just as significant in this system as those with clients. There are many differences in how businesses handle the acquisition of goods and services. While a fragmented and ineffective system might have the opposite and damaging effect, one that centralizes data and streamlines workflows can significantly enhance outcomes and enable more profitable long-term third-party relationships.

With Strunk’s Vendor Manager software and a vendor contract management plan in place, you may mitigate potential risks and increase the value of your vendor relationships. Having a central area to store your vendor contract information is crucial for effective vendor management. Having access to this information will make your procurement process more efficient. Using Strunk’s Vendor Manager software has several advantages, including helping you arrange your vendor contracts, summarizing the significance of each contract, and assisting you in producing alerts and notices of renewals.

Strunk’s Vendor Manager software also provides a place for you to store your vendor’s contract and most importantly their due diligence material. A contract scorecard is also included in the vendor management software from Strunk. This scorecard will assist you in locating any gaps in your contract and provide a space for you to record proposed improvements. The scorecard in Strunk’s vendor management software allows our clients to assign a service score for each provision by using a master service level agreement to include clauses that are common in vendor contracts. Organizations can guarantee that each step of the contract lifecycle takes place automatically based on a set process by automating their vendor contract management and compliance using a contract tracking system like Strunk’s.


How can vendor risk tiering improve vendor risk management?

Understanding which providers represent the greatest “threat criticality” is an essential feature of any effective vendor risk management program, which is necessary to reduce risk and preserve business continuity. Vendor tiering implements this rating system: it classifies vendors and, in doing so, imposes tighter security requirements on them.

You may improve your vendor risk management program, increase security, and build a more resilient business with the aid of vendor tiering. Vendor risk tiering improves vendor security and compliance. It makes it possible for your vendor management team to identify the vendors that offer the most risk and devote more time and effort to enhancing compliance. This enables them to streamline vendor risk management and concentrate on the areas that need the most attention, all the while making sure that any vendors you engage with adhere to the controls that need to be put in place.

Vendor risk tiering will also improve the onboarding process by incorporating vendor risk management into it. Vendor risk tiering is essential for achieving your goals because it gives organizational structure, makes it simpler to evaluate vendors, and guarantees that efficient vendor risk management is in place.


How can Strunk’s Vendor Manager software help you understand which vendors receive customer data and what type of data they receive?

Vendor Management has been a concerning issue for financial institutions for some time.  Regulatory agencies such as the Federal Trade Commission, the Office of Foreign Assets Control, and the Federal Financial Institutions Examination Council are scrutinizing how financial institutions (FIs) manage their outsourced vendors.

The Federal Deposit Insurance Corporation (FDIC) has declared that an institution can “outsource a service, but not the duty,” implying that financial institutions have the responsibility for compliance.  This makes proper vendor management a critical duty for financial institutions, which must hold vendors to certain requirements.  It is important to understand which of the vendors that you engage with will have access to your customers’ data and what type of data they will have access to.

Risk is always present; recognizing and controlling the hazards associated with the vendors with whom a financial institution does business necessitates regular monitoring and review.  Strunk has created an area to capture what type of data each one of your vendors collects.  Strunk’s Vendor Manager software also helps you mitigate your exposure by capturing the threat, the likelihood of the threat, the risk, and what control the vendor has for that risk.  Monitoring these areas effectively will help prevent operational disruptions, reputational loss, matters requiring attention, consent orders, litigation, and fines.

Overdraft Privilege Provides a Solution for Charging Multiple NSF Fees

When a merchant transaction is presented for payment from a consumer account and is refused due to the customer’s insufficient funds to cover the transaction, financial institutions typically charge an NSF fee. When a merchant tries to present the same transaction again in order to recover the denied funds, he or she may be charged a re-presentment NSF fee. If a depository institution receives this type of repeated merchant payment transaction more than once, the depository institution may levy multiple NSF fees. If an Automated Clearing House (ACH) or other item is presented for payment and is denied owing to insufficient funds, certain financial institutions will levy an NSF fee for both the original presentment and each subsequent re-presentment.

In recent class action lawsuits against financial institutions, the removal of key clauses pertaining to the assessment of re-presentment fees was considered to be a violation of contract. Some lawsuits have been settled, with customers receiving refunds and legal fees.  Additionally, state and federal financial regulators are reviewing DDA agreements, searching for potential legal, regulatory and UDAP risks. With these potential risks, it is important to review your deposit disclosures and contract language to ensure that the way NSF fees are charged is communicated clearly and is consistent with what a consumer could reasonably expect.

This is a great time to review your accounts and make sure that all of your customers/members who are eligible for Overdraft Privilege are added to the ODP program unless they have opted out of the program.  Doing this will minimize your risk of NSF fees on re-presentments, because if your customers/members have an Overdraft limit their items will be considered for payment instead of returned.  Paying the item instead of returning it will ensure that the financial institution minimizes its risk for NSF re-presentments because the item is not returned.  Also, overdraft privilege provides a better service to your customers/members because they will not be faced with potential late fees, retailer fees and damage to their credit from returned items.

The Importance of an Inherent Risk Survey

One of the most crucial and challenging parts of vendor management is managing the risk associated with each of your vendors.  There are numerous risks that may arise from a financial institution’s use of vendors.  Understanding each vendor’s inherent risk will help your financial institution to categorize and differentiate the risk for each of your vendors.

Inherent Risk represents internal and external risk to which the financial institution is exposed because of the business activities in which it engages and the external environment in which the activities take place.  Inherent Risk results from the processes, activities, or transactions in which the financial institution is involved, including risk that exists as the financial institution enters new businesses or activities with the vendor.  There are several factors that impact the determination of the inherent risk of the vendor.

Strunk’s Vendor Manager software has compiled these factors into a Vendor Risk Assessment (Inherent Risk Survey), which enables financial institutions to present an accurate portrayal of the overall inherent risk with any vendor.  Having an accurate portrayal of the inherent risk of each of your vendors will allow the financial institution to lay a solid foundation for the oversight that will be assigned to the vendor based on the inherent risk rating.  Strunk’s inherent risk rating will classify the financial institution’s vendors into four categories based on their inherent risk rating, which is calculated based on the risk exposure that the product or service provided may pose to the financial institution.  The inherent risk rating of a vendor will drive the frequency of the ongoing due diligence monitoring of the vendor.  Based on the inherent risk rating, the financial institution should determine how effectively the vendor has implemented controls to help manage their risk, which will mitigate potential risk exposure.  Understanding each of your vendors’ inherent risk is the first step in setting up the proper foundation for your vendor manager program.

What are vendor reviews and why are they important?

Vendor review is a process by which a business can evaluate the quality of the vendor performance while also understanding any potential changes that the vendor may have when providing the product or service for the business. A vendor review process will assess a vendor’s capacity to maintain effective and appropriate security practices and other performance elements critical to an organization’s business.

If your business uses vendors for key services, it is important to schedule periodic vendor reviews as part of your vendor management process. When a business entrusts a vendor with the safety and integrity of critical business or customer data, the business must monitor that vendor to verify that the data will be both protected and available. A business can outsource specific activities and functions, but it cannot outsource the responsibility for any risks associated with those actions.

Vendor reviews start by measuring the vendor’s performance, making sure that the vendor is meeting the goals established by key performance indicators (KPIs) and service level agreements (SLAs) in the contract that you have with the vendor. During contracting it’s important to have KPIs and SLAs mutually agreed upon as benchmarks against which to measure the vendor’s performance. It is important to know what kind of professional characteristics are important in your vendor relationship. You want to make sure that the vendor can respond to the business needs and has employees capable of supplying the service to you and answering questions when needed. Also, you may want to know what changes have taken place at the vendor and how the vendor monitors its suppliers, and make sure that the vendor does not have any compliance issues or defects.

Establishing and maintaining regular vendor review processes will help ensure that a business is effectively monitoring its vendors while also helping to reduce risk and liability.

New Due Diligence Guidance for Community Banks on FinTech Firms

On August 27, 2021, the Board of Governors of the Federal Reserve, FDIC, and the OCC published new guidance aimed at community banks that are looking to expand their reach and service new customer bases through partnerships with financial technology companies (FinTech). While aimed at community banks, the regulators said the fundamental concepts could also be adopted by other kinds of banks and for other kinds of outsourcing partnerships. The regulators stated that the guidance was recommended but not mandatory and emphasized that it did not cover all types of third-party relationships.

The guide sets out six nonexclusive areas of due diligence that community banks should consider when engaging with FinTechs. The six key due diligence topics are: business experience and qualification, the companies’ financial condition, legal and regulatory compliance issues, risk management and control process, information security, and operational resilience.  The guide then provides direction on potential sources of information under each of the six steps and includes illustrative examples.

Business Experience and Qualifications

  • Business experience
  • Business strategies and plans
  • Qualifications and backgrounds of directors and company principals

Financial Condition

  • Financial analysis and funding
  • Market information

Legal and Regulatory Compliance

  • Legal
  • Regulatory Compliance

Risk Management and Controls

  • Risk management and control process

Information Security

  • Information security program
  • Information systems

Operational Resilience

  • Business continuity planning and incident response
  • Service level agreements
  • Reliance on subcontractors

Given the regulators’ recent and recurring emphasis on vendor management, the board of directors and senior management of all banking organizations should consider whether their vendor management policies and procedures comply with the Proposed Guidance and include the areas addressed in the Guide when engaging FinTechs.

What is a Fourth Party Vendor and Why Should I Care About Their Risk?

Fourth-party risk is rising to the top of most auditors’ and examiners’ lists when it comes to evaluating a financial institution’s vendor management program.  Fourth parties are your vendor’s third parties and subcontractors.  You will not have a direct contract with these vendors; however, your vendor does, and relies on these vendors to produce a product or service for them.  Most of the time these vendors will be visible in your vendor’s SOC reports and should also be easily identified by your vendor as those classified as critical in their own vendor management program.

Financial institutions should care about fourth-party vendor risk, because fourth-party vendors are subject to the same risk as your vendors, which puts you at the same risk without having the same oversight that you have over your own vendors. Financial institutions are ultimately responsible for the protection of their customers’ data, and sometimes a fourth-party vendor can expose the financial institution to reputational, operational or cybersecurity risk.  All it takes is a single opening for a threat to compromise protected information.  Like any risk, there can be serious business implications, from fines to legal issues, which can negatively affect a business if the fourth-party risk is unchecked.

The most effective way to manage fourth-party risk is to build a mature, comprehensive vendor risk management program.  If you have the right practices and processes in place, then incorporating fourth parties into those processes should feel manageable and mostly seamless.  Your vendor management program should help you identify your most critical vendors.  Once you do that, you can ask them who their vendors are; what products and services those vendors provide that cause them to be classified as critical to their operations; and what due diligence your vendor has performed on the fourth-party vendor.

Risk Management Done Right

Strunk is best known for our fee income improvement programs, including Overdraft Privilege, Rewards Checking and Value Checking. Most recently we have expanded our offering to assisting community financial institutions with their risk management and compliance processes using our software.

Strunk offers six comprehensive, easy-to-use and affordable compliance management tools:

Risk Assessor helps you prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.

Policy Manager organizes all your policies into a single database, mapped to the relevant standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.

Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.

Skills Manager provides online testing and training to ensure employees are knowledgeable about your policies.

According to Dan Roderick, CEO, “Strunk’s Risk Manager solution brings efficiency to the process and allows our clients to focus on their highest areas of risk. The solution is comprehensive but simple to use, which is something I wish I’d had access to in my days as a banker.”

All our tools are securely and reliably hosted with Amazon AWS, making them available on a variety of devices from anywhere. Risk Manager facilitates remote work and will greatly enhance your internal control and risk management processes and save time – all for one low annual fee.

If you are paying another vendor an annual fee for any one of these tools today, invest just 30 minutes to review our solution suite. We can add valuable services – and may be able to SAVE you money as well!

3 Common Mistakes in a Vendor Management Program

  1. Not completing a risk assessment on all vendors.

Some companies may decide not to do a risk assessment on a vendor because of the contract value or the type of work that the vendor is performing for the business.  Each vendor that provides a product or service for your business should have a risk assessment completed.  Performing a risk assessment on all vendors allows your business to better understand the risks that exist when it uses a vendor’s products or services.  Conducting a risk assessment for all vendors is particularly important when a vendor handles a critical business function, accesses sensitive customer data, and/or interacts with customers.  It will also help you categorize your vendors by risk level.  Categorizing your vendors by risk level will allow the business more time to focus on those vendors that have a higher risk.

  2. Not conducting vendor reviews.

Vendor reviews help manage your vendor’s performance.  A quality vendor review assesses how the vendor is performing against Service Level Agreements (SLA) and Key Performance Indicators (KPI) that are established in the contract.  It should also show non-contractual performance issues, such as incidents that aren’t measured by a service level.  Understanding the vendor’s situation, performance and how they handle third parties is crucial for the business’s ongoing monitoring of its vendors.  Vendor reviews are a perfect way to partner with the vendor for a successful relationship and to hold the vendor accountable for their performance.

  3. Storing vendors’ due diligence material in different places.

Vendors’ due diligence material assists the business with selecting a vendor, contracting, and ongoing monitoring.  This process can be very difficult for businesses that don’t have a centralized repository to store their vendor documents.  Having a centralized repository for your vendors’ documents will help streamline and organize your vendor manager program.  With this process in place, it is easy for another employee to find the documents that are needed, and the business can also set reminders for when a document needs to be updated.