Are there examples of best practices in Vendor Risk Management that you can share with us?

Well, beyond what we’ve discussed in the context of this session, here are some broad examples: Complaints are one of the biggest points of emphasis, particularly for the Bureau, right now in examinations. Anybody who you allow to interact with your customers needs to be monitored.

You also need to be looking at their scripts. A lot of issues that were alleged in the ancillary product cases arose out of the fact that that the scripts were inadequate for collecting consent or they weren’t being followed. So if you have a vendor who is interacting with your customers over the phone, they should be doing their own monitoring but you should have the ability to also listen in to a sample of calls, so you can verify that the scripts you put the effort into reviewing for compliance with the law are in fact being followed and aren’t being undermined in the sales process.

Another recommendation for a best practice is having your shop in order. By that I mean knowing who all your relationships are with and having ready access to the agreements and other information about those relationships. When you’re disorganized, in my experience, the regulators just start to assume there is increased risk of non-compliance, whereas if everything is clean and organized and you can show you are hitting all of the expected marks, that allow them to check the box and move on. You can, by investing the effort up front, put yourself in a position to make the actual examinations that much smoother or – in the inevitable event that an issue does arise – to be able to demonstrate that you did everything you could up front to prevent it. That way, if it is necessary to remediate harm to a consumer, you can go ahead and do that but not be penalized by the regulator for a failure to prevent the action in advance.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson