According to Donald Saxinger (senior examination specialist in FDIC’s Technology Supervision Branch) in a telephone briefing given to the ABA in December of last year, almost half of all CAMELS score downgrades in 2012 were related to poor vendor management. The briefing was titled “Vendor Management: Unlocking the Value beyond Regulatory Compliance“, and in it Mr. Saxinger noted that in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor. He went on to say that although poor vendor management may not have been the prime cause, it was frequently cited as a factor in the downgrade.
Mr. Saxinger recommends that banks request, receive, and review not just financials and third-party audits such as SOC reports and validation of disaster recovery capabilities, but also any examination reports on the provider. Federal examiners have an obligation and a responsibility to monitor financial institution service providers using the same set of standards required of the institutions themselves, and they are doing so with increasing frequency.
In addition, consider that all of the FFIEC regulatory updates and releases issued last year were either directly or indirectly related to vendor management:
- Changes to the Outsourcing Handbook to add references to cloud computing vendors, and managed security service providers.
- Updates to the Information Security Handbook to accommodate the recently released Internet Authentication Guidance (with its strong reliance on third-parties).
- Changes to all Handbooks to accommodate the phase-out of the SAS 70, and replace with the term “third-party review”.
- Updated guidance on the URSIT programs for the supervision and scoring of Technology Service Providers.
- Completely revised and updated Supervision of Technology Service Providers Handbook.
So regulators see inadequate vendor management as a contributing factor in examination downgrades, and virtually all new regulations issued by the FFIEC are related to it as well. As a service provider to financial institutions we are prepared for, and expecting, added scrutiny. As a financial institution looking to optimize examination results and stay ahead of the regulators, you should be too.
Here is a link to all vendor management related blog posts.