Pub. 4 2014 Issue 1

21 WINTER 2014 propriate due diligence, management should periodically review each vendor’s operations and performance. These management reviews, based on staff and audit reports, should consider the degree to which the vendor is carrying out contract requirements. Management also should assess risks with each such review. Management also must be sure that there is sufficient in-house staff to over- see and monitor vendor performance. Failure to maintain sufficient staff to maintain vendor over-sight is cited all too frequently in enforcement cases. The ongoing management reviews of vendor performance should include an assessment of the effectiveness and consistency of the vendor relationship in meeting the bank’s strategic goals, Finally, the annual review should verify the vendor licensing or registra- tion) and should evaluate the vendor’s financial condition. 5, Does the contract give the bank the ability to oversee vendors properly? The contract should provide the bank with the authority to take steps to properly manage vendors. Most contracts, especially those drafted by vendors themselves, give detailed descriptions of expected performance. Where vendor-drafted contracts usually fall short is in providing appropriate authority to the bank to oversee the vendor’s performance. Before signing any vendor contract, banks should be careful to include several elements. First, the contract should give the bank authority to conduct regular audits of the vendor. This does not mean sitting in a conference room while the vendor presents a dog- and-pony show. It means digging through files and computer records to verify performance. It does not mean accepting vendor assurances that it has done an audit and found no problems. If the vendor is not willing to share the risks of errors or noncompliance, you don’t want to do business with that firm. Period. 3. Will vendors share the culture of supervision? Too often, when banks request information about a function, vendors respond negatively. “Trade secret!” they may insist. And when all other responses fail, vendors will claim that none of their other clients want or need that, so there will be a charge for it—a really big charge. Problems arise when requesting any type of change. Even though the regula- tion is pretty clear or examiners are insistent, vendors have been known to refuse to make the change. Again, the reason given is “none of the other users want that” and there will be a signifi- cant charge. This tactic doesn’t work for banks when being audited or examined, and it shouldn’t work for vendors. Ask for the user list and contact other users who have the same regulator. Chances are pretty good that they have been told the same thing. 4. Are the board and top management exercising proper over-sight? Examiners never want to hear, in reply to a question: “That’s not a prob- lem. We’ve outsourced it.” Management of vendors starts at the board level. The vendor management policy should establish that the board will review and approve each vendor selection. The board’s responsibility doesn’t stop there. The board should review the vendor’s performance at least annually, using management and audit reports. And the board should ask questions. Next come management’s respon- sibilities. In addition to ensuring that vendor selection is preceded by ap- Second, the contract also should require the vendor to provide regular—and detailed—reports that track performance. The bank should carefully study each report from a vendor to evaluate what the report does—or does not—reveal. Third, the bank should ensure that the contract authorizes the bank to make onsite visits, listen to calls, and review and monitor customer complaints. Finally, just as with an internal bank function, the vendor’s performance should be monitored, using testing, reports, special inquiries, and customer feedback. Key vendor management elements Transferring any work to a vendor should be done carefully and deliberate- ly. It calls for a policy with clearly stated goals and expectations. In addition, the policy should clarify responsibili- ties for oversight reporting, monitoring, and audits of performance. A checklist (see box) can be used to review vendor contracts for required elements. Vendors may not like it, but all contracts with vendors should clearly authorize the bank and appropriate reg- ulators to have access to vendor records as necessary for evaluating compliance with laws, rules, and regulations. Not only is the bank responsible for the vendor’s compliance with regulations affecting the bank, but the bank must be able to demonstrate this compliance to examiners. Many vendors use subcontractors, therefore the bank should consider whether the use of subcontractors is an acceptable risk for the bank. If the bank accepts the use of such subcontractors by vendors, the policy and all con- tracts should provide the bank with the authority to audit performance, ensure compliance with regulatory require- ments and require reports. n Outsourcing | continued on page 22