It's a strict regulatory requirement that banks keep close tabs on all their vendors and pay particular attention to the ones that have access to confidential customer data. For many community banks, this has meant the creation and maintenance of spreadsheets that, depending on their complexity, list each vendor and rank them in degrees of risk. Such spreadsheets also can be used to rank the criticality of each vendor to the bank's operations, giving a measure of the potential risks they may pose to the bank.
It seems simple, but as banks grow, they may engage hundreds of vendors and manage hundreds more contracts. It can be a full-time job to keep the spreadsheet squares up to date, accurate, and in accordance with changing regulations. Also, just because a particular vendor may not rank high on operational criticality, it may pose significant security risk due to its access to customer information. Then, when the person to whom this job is delegated and who set up the whole thing leaves the position, things are likely to fall through the cracks.
That's why many banks are starting to migrate from the spreadsheet environment to an automated system. Those that have point to many positives. Once the automated system is set up, it can do everything a spreadsheet system can do and more, and--importantly--can do it better. It can help in overall contract management, provide automated alerts for upcoming contract renewals, allow for input from line-of-business managers, and keep the bank audit-ready at all times, thus forestalling the traditional week-ahead panic that the auditors are coming.
Such systems do pose challenges, particularly at the onset. First, a budget has to be made available to review, select, and install a system. It can be a four-to-six-month project to get it up and running. A system has to be customized to fit the bank, and that requires a complete examination and documentation of every contract the bank has.
Regulators weigh in
As regulators ratchet up requirements, it seems the shift to automation is inexorable. Don Saxinger, a senior examination specialist for FDIC, notes that 46% of bank IT exams in 2012 that resulted in downgrades were due to some sort of inadequate vendor management.
"From a regulatory perspective, all that we require is that you have a formal program," he said during a recent ABA telephone briefing. "We don't require you to use an automated tool or Excel or anything like that.... What we are seeing is those who just have a fiat Excel spreadsheet file; they are tracking risk priorities. They are tracking financial reviews and audits. So they are getting a lot of that. But what we're also seeing is that automated applications do have some additional features, such as tying into other risk management modules."
Fortrex Technologies Inc. offers vendor risk-management tools designed for financial institutions. J. Michael Edison, CEO, said during the telebriefing: "A spreadsheet is viewed as something that's free. We know that's not the case. Somebody has to develop it, and as regulations change or guidance comes out, you have to stay on top of it and modify it. You typically don't have multiple people using a spreadsheet simultaneously, which is why it's a highly centralized activity. It's not always the savings it may seem."
"There are several questions you, as an institution, have to ask," said Doug Johnson, vice-president of risk-management policy at ABA, who moderated the briefing. "Do you have a level of comfort with the manner in which you are tracking your vendors? Do you believe that you have a sufficient capacity, in a spreadsheet or otherwise, to be able to understand the risk associated with each vendor when contracts are up for review? If so, there's no reason why you shouldn't use a spreadsheet or some sort of less-sophisticated system. But I think every bank …