
Verifiable Vendor Management: 4 Tips to Avoid Risk

Financial service companies are required by law to have vendor management procedures in place to minimize risk associated with their providers. The Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), Federal Reserve Bank (FRB), and Federal Financial Institutions Examination Council (FFIEC) all have such guidance. These straightforward guidelines apply to any industry and protect the company receiving services, as well as their customers. It’s all about risk mitigation.

1. Understanding the services and provider

It’s difficult to appropriately assess due diligence if you don’t understand the nature of the relationship. What does the business need? What does the vendor provide? Is there any gap between the two? While there is an advantage to certain bundled services, it is important to first ascertain such services are actually needed.

It can also be less cost-effective if a provider will need to customize its out-of-the-box product to meet your company’s needs. That added customization cost could well be eliminated if you use a provider that already delivers your required product. Research and initial discussions are key.

That said, remember to include a non-disclosure agreement (NDA) if you are going to be discussing your company’s strategic plans, or any business information that should remain confidential, while determining whether to use the provider.

2. Due diligence

The breadth of due diligence largely depends on the services being obtained. If you are buying paper towels, there’s not a whole lot to do there. If you are seeking integrated data reports by using your company’s live customer or sales data and the vendor’s algorithm, it requires a deeper dive.

An area often overlooked is the financial health and capitalization of a provider. A breach of terms resulting in damages can be moot if the supplier is under-capitalized and/or not fully insured. If the business is not based in the United States, additional considerations apply, especially with regard to data protection, applicable law, and regulatory structure. At a minimum, you want to look into your supplier’s:

  • Length of time in the industry (e.g., experience and stability);
  • Finances (e.g., audited financial statements);
  • Technology and systems architecture;
  • Policies and procedures (e.g., quality control, human resources, background checks, privacy, efficiencies, and facilities);
  • Internal controls and training;
  • Security, business continuity planning, and disaster recovery;
  • Insurance coverage (e.g., cyber, crime and fidelity, umbrella policy, and errors and omissions insurance); and,
  • Reputation regarding litigation, regulatory concerns, or complaints (i.e., reputational risk can have unintended consequences; guilt by association).

3. Contracting

Clear expectations and appropriate, enforceable consequences for a breach of terms are critical for every organization. Developing risk tolerances with executive management prior to contracting is advisable. I have developed contract guidelines for various employers so that the vendor management team can more easily assess and understand what will require additional review if there is a deviation from the approved terms and conditions. While there are many terms to include, the following should be in every service contract:

  • Scope. What do you need? What are they providing? How will it be done?
  • Performance measures. Set benchmarks, service levels, and acceptance criteria.
  • Reporting. Schedule reports and content, as well as thresholds for notifications (e.g., service disruption, security breaches, or material changes to scope).
  • Audit rights. Companies should reserve the right to audit for compliance with terms and financial data, and provide for the regulators’ ability to audit vendors.
  • Confidentiality and security. The following are vital in the financial services industry or for any company that uses consumer data: clear security requirements (no less than commercially reasonable), return and destruction of information, notice of suspected/actual breach, and cooperation for remediation of the same.
  • Fees and compensation. Determine base fees, calculations, change orders, and any additional costs or expenses, including integration or set-up.
  • Ownership and license. Intellectual property, work product, and the right to use should be addressed. 
  • Business continuity and disaster recovery. This process should include any third-party related backup or integration, provision of annual testing results, or specific time frames for business resumption.
  • Indemnification. Vendors should indemnify at a minimum for breach of material terms: gross negligence and/or willful misconduct, breach of confidentiality, and third-party claims that the vendor’s services/product are infringing upon a third-party’s intellectual property rights.
  • Insurance. Vendors must maintain adequate insurance and notify the company of material coverage changes.
  • Limitation of liability. Companies must assess if any vendor limitations are properly related to a potential loss by company (i.e., limitations on indemnified obligations dilute the indemnification protection).
  • Default or termination. Beware of the evergreen contract with no ability to terminate, except for breach. Instead, have clear default and cure provisions, and avoid termination penalties where possible.
  • Dispute resolution. Consider arbitration, mediation, or a delineated dispute process using the executive management functions, with litigation as a last resort.
  • Subcontracting. Require that any subcontractors used by the vendor must be subject to the agreement terms, the vendor will remain responsible and liable for subcontractors’ performance, and the company has the right to audit subcontractors.

4. Oversight and monitoring

You’ve done the up-front investigation and contracted for services. Now you need to ensure your vendor is performing in accordance with the terms and maintaining their business in a risk-averse manner. Any problems identified through the oversight and monitoring process should be dealt with in a timely and effective manner, including termination if warranted. At a minimum, consider the following:

  • Annual review of audited finances, insurance coverage (certificate of insurance), disaster recovery and business continuity planning, audit reports, and applicable policies/procedures; 
  • Assess performance problems, discuss them with the vendor in a timely manner, and document them and any remediation;
  • Review and resolve customer complaints related to the vendor; and,
  • Maintain and assess vendor-provided reporting.

Vendor management is about building a good business. You want to get the best service from your suppliers in a cost-effective and compliant manner. Prioritizing vendors according to risk expedites responses to regulatory exam inquiries in a meaningful manner. The four basic guidelines above, if followed, will help streamline your vendor management process, meet the required standards for risk mitigation, and effectively maintain your supplier base.

About the Author

Erin Wilson is a senior vice president and associate general counsel for Stearns Lending, LLC. She was an ACC SoCal Rising Star Honoree in 2012, and nominee for the Orange County Business Journal’s Women In Business award in 2013 and 2014.


The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.