Due diligence

After the risks of the outsourcing to the bank are evaluated, the bank must necessarily turn its focus to the potential vendor and perform due diligence. The amount of due diligence required is directly related to the level of risk and complexity of the vendor’s service. Critical vendors, those with access to confidential data, particularly customer data, and those that pose high risk to the bank will require the most extensive due diligence.

Banks too often rely on their prior experience with the vendor or recommendations from other banks as a proxy for due diligence and do not conduct a thorough vetting of the vendor. That is a recipe for major problems because a vendor’s condition can change and the expectations and requirements of a vendor may vary widely from one bank to another. 

To establish an effective due-diligence component of the vendor management program, the bank may need to investigate the following:

• Strategies

Consider the effect of the vendor’s business plans and focus on the outsourcing. If  its business focus is moving away from the services the bank needs, that should be a red light for the bank. Similarly, if it is contracting, acquiring or partnering with businesses that are competitive to the bank, certain contractual and operational controls may be necessary. Also, if the vendor is associating itself with businesses that may reflect negatively on the bank in the eyes of the public or the regulators, that is another factor to consider.

• Legal and regulatory compliance

The vendor’s potential to impact the bank from a compliance standpoint has to be quantified and, when appropriate, the bank should evaluate the vendor’s legal and regulatory compliance programs to ensure that not only does the vendor have the appropriate licenses to provide the services but also to ensure that it has the necessary internal controls and programs to provide the services in compliance with applicable laws and regulations. Also, the bank should investigate whether the vendor has any enforcement actions against it, or regulatory related civil actions that could materially affect its ability to perform as expected.

• Financial condition

The bank should review the vendor’s  financial statements, to make a reasoned judgment as to whether the vendor will be financially able to perform the outsourcing. Audited financial statements are the best because the auditors state whether they believe the vendor will be in business one year later.

• Reputation

Determine how the vendor is viewed by existing customers, its industry and the public in general.  Review marketing materials to make sure the vendor accurately represents it business, deliverables and capabilities.

• Operational capability

Fundamental to any outsourcing is the ability of the vendor to perform.  Whatever the relationship is, the bank should determine if the vendor can provide the services and products the bank needs. This may take the form of reviewing the vendor’s existing products and services, the vendor’s resources, its proposed staffing and its experience.

• Fee structure

The proposed fee structure of the service must be analyzed to determine if it creates inappropriate risks such as high upfront fees or fees that could incentivize inappropriate behavior.

• Background checks

One of the reasons that banks are so heavily regulated is that their business is considered vital to the U.S. (and global) economy, and perhaps  national security, as well. To that end (not to mention some federal legal requirements), a bank must be sure that its vendors (and their subcontractors) are not hiring employees with criminal records.

• Security

Because of the critical nature of the information that banks possess and the financial implications of transactional relationships, banks must consider a vendor’s access to confidential customer information, money or accounts. When such access is part of an outsourcing, the bank must scrutinize the vendor’s information security and physical security programs and policies, internal controls and infrastructure.

• Human resource management

The bank should review the vendor’s programs to train employees on policies and procedures and its process for dealing with violations and failure to pass screenings. Depending on the services provided, the bank may need to consider the vendor’s succession plan for key personnel and its ability to continue to retain or attract skilled employees to perform the services.

Appraise  how the vendor’s employment practices could bear on the relationship or reflect on the bank. For example, diversity programs are part of the business landscape, and a vendor without a diverse employee base may have potential social or legal issues in its future or may even  damage the bank’s reputation. 

• Subcontracting

It is imperative that the bank assess any potential vendor’s use of, and reliance on, subcontractors and its ability to monitor and manage them. If the services provided by the subcontractor have the potential to impact the bank or if they involve customer information, due diligence may be required on the subcontractor. 

• Insurance

Assess the vendor’s insurance coverage to ensure that appropriate types and levels of coverage exist. Of course, the coverage requirements will vary depending on the size of the vendor and the nature of the outsourced function. 

Be wary of the terms of coverage and other contractual terms. For example, a high deductible or co-insurance requirement in conjunction with a limit of liability may render the insurance coverage ineffective.

• Business background and strategy

Recent innovations in products and services, and the resulting boom of new banking vendors, might seem to shift the due-diligence focus away from vendor backgrounds. In many cases, the vendors are providing something brand new. However, even in cases where the service, product or the vendor is new to the market, consider how the vendor got into its business and its roadmap.

• Risk management

Examine the effectiveness of the vendor’s risk management program and internal controls. Include a review of the vendor’s internal audit department and its effectiveness, as well as a review of Service Organizational Control reports and any external certifications.

• Management of information systems

Understand  the vendor’s technology systems, processes, maintenance and compatibility. The bank should also understand how the metrics expected from the service will apply to the vendor systems and schedules for upgrades and/or enhancements.

• Disaster recovery

There is concern among the regulators that banks are not paying enough attention to their vendor’s business continuity plans as evidenced by the FDIC’s guidance recently issued. Evaluate the vendor’s ability to deal with service disruptions from external and internal events and determine how those disruptions and recovery plans will impact its operations. Ensure the vendor is appropriately testing those procedures and confirming they remain effective and up to date.

• Incident reporting

The bank should determine if the vendor has a satisfactory and sufficient process to identify, report, escalate and resolve incidents, including but not limited to, data security incidents, employee-related incidents, operational disruptions, compliance violations and legal claims. The vendor must be able and willing to report anything that could impact the bank, the bank’s customers or the vendor’s ability to perform.

Although no amount of diligence can eliminate all risk, the bank’s due-diligence policies and procedures should reasonably assure the board of directors, senior management and regulatory authorities that the appropriate investigation into potential third-party vendors was conducted.