Vendors have always represented one of the highest risks to an organization’s security, yet risk management tools and procedures don’t always get the priority they deserve.
While not a regulation in and of itself, the Consumer Financial Protection Bureau’s (CFPB) 2012 third-party service provider bulletin created repercussions in the marketplace that are still being felt, making vendor management more important than ever.
Yet Krissy Davis of Deloitte & Touche LLP recently told The Wall Street Journal: “Many organizations approach third-party risk management on an ad-hoc and selective basis through point solutions, addressing prominent pain points such as cyber risk, and mandatory regulatory compliance as they arise.”
Maybe it’s hard for lenders and title agents to find the time or resources to diligently monitor vendors.
But there’s too much at stake to simply put up firewalls and otherwise remain reactive. We are entering an era of increased audits and regulatory screening of banks and other mortgage lenders, since TRID put them on the hook for vendor actions.
Now More Than Ever, It Behooves You To Know Your Vendors and Know Them Well
Davis adds: “A broad, cross-enterprise view is often missing, with lack of ownership being a common theme. Organizations should consider a broader extended enterprise risk management [EERM] program that emphasizes value creation as well as value protection.”
Vendor Audits and Risk Assessments
First and foremost, establish the right to audit and to conduct risk assessments with every vendor. Having protocols and tools in place that are applied uniformly when bringing on new vendors—and when checking up on current ones—will help ensure the relationships are built on security, privacy and compliance.
Criteria for assessing vendor risk should be clearly defined, and both parties should agree on the business objectives for the relationship.
CGMA (Chartered Global Management Accountant) Magazine offers several measurements that can help your vendor relationships start on the right foot:
- Minimum number of years in operation: Is a vendor established enough to have a track record?
- Minimum size (revenues or staff): Is it large enough to handle the assignment?
- Geographic presence: Are its locations where you need them to be, and are any in a location that might be subject to high risk?
- Satisfaction data (references, social media reputation, ratings by recognized accreditation services): Is the track record acceptable?
- Management structure: Is there sufficient accountability?
- Ownership: Is it reputable?
- Financial stability: Do the financials raise any red flags?
- Staff tenure: Is turnover a problem?
- Staff education/certification: Is the staff knowledgeable?
- Bonding: If staff needs to be bonded, what is the proof?
- Staff hiring protocol: Are workers adequately vetted?
For Vendor Risk Management To Be Effective, It Must Be Used With Every Vendor You Have
Even if the vendor was referred to you with a glowing reference from a trusted source, they should prove that they can meet all of your criteria.
Vendors may also make claims that aren’t true—not unlike overstating experience on a resumé. Make sure the information provided by the vendor is verified. References from a vendor’s other clients should also be carefully considered. Are there ulterior motives for giving a good reference? Are there enough references to validate the vendor’s overall reputation? Are the references consistent with comments about the vendor on social media, or with the vendor’s legal history?
Continue Vendor Evaluations After the Agreement is Signed
It’s a good idea to do performance evaluations for each vendor at least annually. Timeframes may depend on the significance of the vendor, or the budget associated with a vendor relationship. They should always be performed when there is a change in the scope of the agreement, a change in technology, or a security incident. These periodic evaluations will ensure that your expectations of the vendor are always being met.
The evaluation criteria should include, at the very least, performance against the following indicators:
- Service-level agreement standards or other agreed-upon standards
- Ability to respond to changes or special requests
This should be a transparent gathering of performance data—an assessment and dialogue between your business and the vendor. It should become part of a larger record on the vendor, which includes historical and current information.
With increased regulatory oversight, higher costs and increased focus on overall quality—including the quality of vendors’ policies and procedures—vendor management has become one of the most critical parts of compliance. But by ensuring standards are upheld at every stage when creating a service-level agreement, third-party vendor relationships will be an asset to an organization, not a liability.
ATS Secured’s Vendor Management Solution Is Affordable and Offers:
- Secure messaging
- Direct payments—right from your ATS Secured account
- Collaboration on ONE mortgage file, creating accuracy and transparency
- Audit-ready files