Guiding vendor practices can be a tricky business. You want to be sure your third parties are performing due diligence and acting in accordance with regulations—but at the same time, once you direct the vendor’s every move, you can become liable if their actions end up being out of compliance. Is it possible to find a perfect balance between guidance and liability?
An ATS Secured webinar conducted by former CFPB regulator Ben Olson raised this very question.
Question: In conducting due diligence on a supplier/vendor, at what point is the line drawn between accepting the way the supplier/vendor conducts themselves and prescribing how they should do it?
By Prescribing (Vendor Conduct), Are You Accepting Risk and Liability Unnecessarily?
Ben Olson’s Answer:
“As far as the regulator is concerned, the supervised entity has the liability and responsibility. Indemnification provisions within a contract – if you specifically direct your vendor to do something a certain way because you believe that is in compliance with an applicable law and it just turns out the regulator has a different view – at some point down the line it may be more difficult to invoke that indemnification provision if you’re the source of the [legal] interpretation. That’s certainly a risk and something you should take into account.
But of all the risks at play here, I think that, if you see something in the way your vendor is handling whatever the task might be that you’re concerned creates a compliance issue, the obligation on you is to make sure it’s being done correctly. If that means you’re directing your vendor and taking on yourself the risk that you’re wrong, I think that’s what’s expected of you under all the guidance.”