How to Manage Third-Party Vendors While Remaining Compliant

Today, you can’t count on vendors to manage compliance for your customers. You must do it. All lenders need a robust vendor management program to protect consumer interests and maintain regulatory compliance. This is easy to say, but hard to do. Here’s how to keep third-party vendors from putting you at risk, including best practices to follow along the way.

Take Accountability for Third-Party Vendors—the Risk is Yours

Third-party vendor management compliance practices simply cannot fall short of CFPB expectations. Third-party vendors used to be satisfactory if they met performance and budget targets. This changed years ago with regulatory guidance that mandated that lenders should manage third-party vendors as internal operations. This includes regulatory oversight as well as performance.

As lenders, you are on the hook for any errors or harm to consumers created by your vendors. The only way to reduce this risk is to have an active and operating vendor management program.

Your third-party vendor management compliance program needs to ensure ongoing adherence to applicable federal and state laws and must protect consumer interests. Remember that both you and your vendor have one main common interest: your customer.

Key Components of a Vendor Management Program

A comprehensive third-party vendor management program consists of several key components. When you implement and maintain a program with the four elements listed below, you’ll reduce third-party risk from initial vendor selection to ongoing oversight.

  1. Risk Assessment to Assess Knowledge and Strategy
  2. Due Diligence for Fairness
  3. Contract Structuring for Consistency
  4. Oversight for Ongoing Compliance


1. Risk Assessment Demonstrates Knowledge of Third-Party Vendor Practices

Regulators have defined different types of third-party risk. These are Strategic, Compliance, Reputation, Operational, Transaction, and Credit risk.  Basically, you need a risk evaluation process to ensure that the proposed relationship type is consistent with your strategic planning and overall business strategy.

The Risk Assessment also allows you to demonstrate your internal knowledge of the practices and controls required to manage the proposed type of third-party vendor.  Additionally, it ensures an understanding of the risks and rewards of using this type of third-party vendor and should drive the level of Due Diligence resources required along with the Minimum Standards Document.

2. Due Diligence Ensures Fair and Accurate Evaluations

A robust scorecard-driven due diligence process includes examination of all information available by a centralized team (e.g., Legal, Compliance, Vendor Management, Risk, etc.). It also includes support from key business line stakeholders. Due Diligence includes analysis of the following:

  • Policies
  • Procedures
  • Compliance
  • Internal controls
  • Financial condition
  • Training

3. Contract Structuring Provides Standardized, Consistent Vendor Management

Establish standard contract materials for consistent handling and expectations for vendors and service providers. Include master service agreements (MSA) and/or statement of work (SOW) templates to provide clear expectations and responsibilities for each service provider.

Elements in MSAs or SOWs:

  1. Scope
  2. Cost and compensation
  3. Reporting requirements
  4. Audit timelines
  5. Confidentiality and security criteria
  6. Proper customer complaint handling
  7. Business resiliency testing requirements (e.g., contingency and disaster recovery plans)

Also, incorporating specific service level agreements based on the vendor type allows for enforceable consequences including compliance and/or performance-based termination. Contract terms should be primarily standardized across business lines in the MSA with room for flexibility and more specific details in the SOW.

4. Oversight Maintains Regulatory Compliance and Customer Satisfaction (once a quarter review with a scorecard—risk based)

Comprehensive monitoring within your third-party vendor management compliance program ensures adherence to regulatory compliance and customer experience standards. Make sure to perform quarterly reviews with a scorecard that is risk-based. Programs include frequent account reconciliations, targeted transaction testing, and process reviews for identification of issues and assignment of action plans as needed.

Use recertification processes to ensure that active vendors continue to meet defined standards.  Define enforceable consequences, including a termination protocol, for applicable situations.


6 Best Practices for Managing Third-Party Vendors

Implementing a vendor management program with the key components outlined above can be challenging.  Lenders can miss opportunities to protect themselves, their vendors and their customers. When you follow these best practices, you will mitigate your risk.

1. Define Criteria and Ratings

Lenders must manage third-party vendors to a defined set of criteria and ratings. Not doing this results in inconsistent treatment of vendors and unnecessary risk. Establish the criteria and review with each vendor so that each is aware of how they are being rated. Your goal: no surprises or claims of biased treatment.

2. Trust but Verify

Vendors must be an extension of you.  So, expectations for vendors should be the same as internal teams.  Vendors should prove they are complying, just like your internal teams do.  As the lender, it’s your responsibility to prove third-party vendor compliance with regulatory requirements.  You should do this through reporting, account reviews, and/or review of controls and results.

3. Know What Customers are Saying

Vendors must send you all applicable complaints from the customers they are servicing. During vendor oversight routines, you should confirm proper tracking and make sure that all complaints are sent to you for review. Tracking complaint volume and benchmarking it against the other vendors you use provides a natural “Champion / Challenger” insight: it shows how the volume of complaints compares from vendor to vendor. Plus, you’ll notice if you aren’t receiving all complaints.

4. ‘That’s the Way it’s Always Been’ Just Won’t Work

Expectations have changed a lot over the last five years. So, lenders should review any processes that are still in place from before that time to make sure that they’re compliant and performing as expected. Some processes may still be valid and aligned to current requirements. Invalid processes need updating.

5. Create a Competitive Model Where Possible

Where possible, having more than one third-party vendor supporting your work is good if the right measurements of success are in place. Vendors will compete to make sure they are staying at the top and limit the risk of losing business. Make sure there’s a proper blend of quality, performance and control metrics in place. Not having the proper balance could reward the wrong behavior.

6. Document and Share Oversight Results

Document, Document, Document.  It’s critical to be able to show evidence of oversight completion and trending of results.  This gives lenders insight into potential risk and enables action earlier.  Most importantly, it provides regulators with the transparency they are looking for when you use vendors for a service.

Check Your Vendor Management Processes to Find Your Risk

If you’ve loosened vendor requirements, or haven’t looked at your vendor management processes recently, you could be failing to protect yourself—and your customers—from risk.

Make sure you’re following the four key areas of a vendor management program outlined above. And consider our best practices because we’ve seen them result in successful partnerships.

If you don’t know if you have a strict program in place, contact us for an evaluation. Then, we’ll provide you with an assessment, a gap analysis and a prioritized road map to get you on the right track.


Have a question about this article?

Ask Shawn Murray