American Banker

How Safe Is Too Safe?

Consultant Paul Schaus recently wrote an opinion piece for the American Banker (paid subscription required) in which I think he got the substance right but may have been a little off on some of the “shading.” The title of his piece, “When Vendor Management Goes Too Far,” and his opening paragraph, give the appearance that banks are taking regulatory guidance on vendor management “too literally” and that banks need to “lighten up–at least a bit.” I was concerned when I read these opening sentences, because I thought that one thing banks don’t need to do is to blow off regulatory guidance. However, reading on, Paul made some excellent points.

One of those points was that the portion of the guidance on third party relationships (for example, OCC Bulletin 2013-29) that states that banks should reserve in their vendor agreements the right to audit the vendor should be interpreted in the light of the “real world.”

But bankers are wrong to think they have an inalienable right to audit under regulatory guidance. The largest bank technology vendors have hundreds or even thousands of bank clients. If every bank client demanded a right to audit and then followed through on visits, vendors would be hosting at least several banks per day, every day. They might as well offer group tours.

It may well be enough for banks to receive and review their vendors’ third-party reports as part of their vendor management programs. Banks have the right to refuse to accept those audits, but in that case, I would wonder why the bank is doing business with a particular vendor in the first place.

If the vendor does not have third-party reviews, the bank will need to conduct the audit or retain an independent party to do one. But you definitely don’t need to perform a surprise audit and show up at the data center without advance notice. Data centers are secure environments; if you are not on the approved list of visitors, you won’t get in.

That advice is spot-on. I expressed the same opinion last week on a panel with an attorney for a major technology vendor, a vendor that would never consider giving each of its thousands of bank clients the right to individually audit the systems and controls of the vendor, for precisely the reasons articulated by Paul. That’s why major vendors have an annual SSAE 16 audit performed by a nationally recognized auditing firm and make the audit reports available to their customers. On this point, the regulatory guidance simply has to be interpreted in the light of the goal of the requirement in the guidance for having an audit performed, not on a literal interpretation of the express wording of the guidance. I suppose “fundamentalists” might disagree with me, but I’ve never been a “guidance-thumper” myself.

Paul also addresses a comment he’s heard from a number of banks, that when it comes to vendors (like lovers) “size matters.” Again, I agree with Paul that this is not a valid interpretation of the regulatory guidance.

This is not the case. The OCC states that a bank must select “an appropriate third party and understand and control the risk posed by the relationship, consistent with the bank’s risk appetite.” Vendor management includes determining if the vendor’s offering fits the bank’s strategy, but the guidance does not dictate vendor size.

When bankers argue that they are wary of selecting a less well-known vendor, I often point out that under that logic, consumers would never entrust their community bank with deposits when they could open an account with Bank of America, Citibank or Wells Fargo. The truth is that bigger is not always better — and the biggest provider may not always be the right fit for a bank’s needs.

On the other hand, it’s my view that “two guys operating out of their garage” are always going to raise more red flags than one of the well-established mastodons that occupy the particular “space.” If a bank, especially a community bank with less sophisticated vendor management policies, processes and in-house expertise, wants to deviate from the “safe” course and hire “the next Bill Gates” over IBM as its vendor, it needs to be prepared to defend that decision to its examiners, who are not likely to be “cutting-edge kind of guys.” That may ultimately, as Paul worries, “suck innovation out of the banking industry.” However, when it comes to vendor selection, how many community banks want to be the guys at the tip of the spear?

The bottom line is that banks simply must take the regulatory guidance seriously. While “overreacting” and “too literal” interpretations of that guidance can cause problems for some banks that do not need to exist, and Paul’s observations are certainly valid on the points that he raises, I think that most banks will continue to opt to err on the side of “stifling innovation” as opposed to defending their choices to questioning examiners.
