Why is vendor management a hot topic in world of financial institutions today? It is because regulatory bodies like the Federal Trade Commission, Office of Foreign Assets Control and the Federal Financial Institutions Examination Council are placing the spotlight on how financial institutions (FIs) are managing their vendors they outsource to. The FDIC (Federal Deposit Insurance Corporation) has stated that an institution can “outsource a service, but cannot outsource the responsibility”, clearly telling financial institutions that the burden of compliance is with them. In addition, the Federal Reserve recently released SR 13/19, their guidance on managing outsourcing risk:

A financial institution’s service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged. It should focus on outsourced activities that have a substantial impact on a financial institution’s financial condition, are critical to the institution’s ongoing operations, involve sensitive customer information or new bank products or services, or pose material compliance risk.”

This makes proper vendor management an important task for FIs, who must uphold vendors to stringent standards of security. After all, vendors you outsource to will gain access and control over yours and your customers’ data. Risk is ever-present and understanding the risks involved with the person/company a financial institution is doing business with and controlling that risk requires constant monitoring and evaluation. We also have to factor in that there is a certain level of risk that must be rationally accepted. In addition to compliance, ineffective vendor management can leave an organization susceptible to reputational loss, operational disruption, cyber-attacks, Matters Requiring Attention (MRA), consent orders, litigation, or fines.

Components of an effective vendor management program

• Risk assessments, due diligence, and selection: Even before entering into an agreement with a vendor, the financial institution must assess the risk level of the activity to be performed to inform what needs to be done from a due diligence perspective to select the best vendor, and whether said vendor can meet the FI’s needs, both operationally and financially. Having a comprehensive plan and policy around how the organization will handle vendor risk management and how the relationship with the provider should be managed are also key.
• Contract provisions and considerations: Once the vendor has been finalized, contracts should outline the activities as well as the risk and expressly speak to vendor commitment to mitigating risk. SLAs, NDA, due diligence documents are all essential and should be kept up to date.
• Service-level agreements (SLAs) and incentive compensation review: SLAs are obviously important, but it is also essential to look at the risk in incentivizing certain behavior – could it lead to fraudulent activity or the vendor not sticking to the spirit of the agreement?
• Regular oversight and monitoring: Once the vendor is onboarded, institute and document scheduled meetings, reporting and independent testing. Reevaluation of risks and identification of concerns must be on-going.
• Business continuity and contingency plans: These should be in place for the vendor to perform their duties in the event of a disaster or emergency, so you can do the same for your clients. Another aspect here is maintaining documentation so there are no expired contracts that could impede business continuity.

How CPRS handles collections as a vendor

The criticality of risk management is top of mind to us, just as it is to the FIs we serve. We pride ourselves in providing services that allow our clients to deliver secure, cutting edge services to their customers and members. Our FI clients want us to commit to and demonstrate that we will comply with all the legislation (FDCPA, TCPA, UDAAP) around collections and that there are no regulatory actions against us. And understand what SLAs we provide so they know we are capable of doing our job successfully.

Here’s how we ensure this:

• Rigorous background checks to ensure we hire trustworthy and competent teams
• New hire training and certification – regulatory and quality assurance trainings that must be passed in a certain timeframe
• Recertification twice a year
• Incentives tied to Quality and Compliance
• Quality Assurance and Operational Testing
• Maintaining our debt collector licensing
• External audits and exams (PCI, SOC1, CTT, etc.)
• Our robust, industry-leading Compliance Management Program – we have a 3 lines of defense model we follow stringently to ensure risk management effectiveness. Monitoring for upcoming regulatory change and preparing for it is a fundamental aspect of our Compliance Management Program and we are ready for CFPB’s Reg F.