Avoid the "Contract from Hell," and Other Third-Party Pitfalls

Article excerpt

History and literature are full of written agreements that didn't necessarily involve the fairest of relationships.

The Magna Carta was signed by the English Crown at the insistence of nobles backed by armed men. The Declaration of Independence was signed by the Founding Fathers in full knowledge that the failure of the revolution would turn the document into a confession leading to execution.

Shylock's "pound of flesh" loan contract is so infamous that Shakespeare's character became slang for loan sharks. And the fictional Corleone family was famous for making offers that couldn't be refused.

While banks rarely face such risks when concluding a business relationship with a vendor, they face serious business risks nevertheless. Nowadays, there are even Sarbanes-Oxley Act implications to the vendor contracting process.

Even the smallest of banks may deal with dozens of vendors of products and services. Some of those vendors may pose no risk at all to the bank, but there are others who, as a group, represent a veritable minefield of compliance hassles and potential safety-and-soundness dangers. Outsourced processing represents a major risk area.

Opportunity that brings risk

While outsourcing represents an opportunity for a bank to reach beyond the capabilities of its own organization, it exposes the organization to risks beyond its immediate control as well.

UMB Financial Corp. has relationships with more than 670 vendors, covering more than 900 products and services that the banking company needs, including outsourcing, according to Marshall R. Toburen, senior vice-president and operations risk manager at the $6.9 billion, four-bank holding company. Toburen, speaking at ABA's recent Regulatory Compliance Conference, noted that vendor relationships are risky because the service may not be a perfect fit for the bank in the first place, or because the bank failed to establish its expectations for the vendor's behavior up front, and then failed to properly monitor it.

For banks that pay little or no attention to such risks, the walls have been closing in. Toburen and fellow panelist Doris Waldman, senior vice-president at Salem Five Cents Savings Bank, Salem, Mass., noted that regulators are paying increasing attention to how well bank management controls the risks built into vendor relationships. In fact, Waldman pointed out, this is considered a safety-and-soundness affair.

Additional factors have underscored the need to get the vendor management challenge down cold. Toburen points out that the Sarbanes-Oxley Act adds more pressure to the bank-vendor relationship. SOX requires company CEOs and CFOs to make an annual assertion regarding the design and quality of their corporate financial controls. Many outsourced services involve vendors whose work eventually winds up in one or more bank data systems, which in turn represent aspects of the financial controls that senior executives must worry about.

Privacy concerns, and the issue of data breaches, which now must be relayed to customers in many cases, add further pressure to the relationship, Waldman said. Banks are expected to have a handle on data-processing vendors' security capabilities prior to contracting with them, she said, and they are clearly expected to monitor this on an ongoing basis.

Waldman and Toburen told the audience that regulators expect banks to have built up systems and procedures for screening, monitoring, and, when necessary, correcting or parting from vendors who don't toe the line. The two traced the essential steps of such programs.

Getting started

Basics for beginners include identifying the bank's current vendors and framing a way for capturing new vendors as the bank adds additional outside relationships or changes suppliers. Ideally, the setup also includes procedures for evaluating and finalizing vendor selections and, where necessary, setting up tiers of approval for vendor selection. …