Compliance Blog

Mar 27, 2013

Vendor Risk Management - Compliance Considerations

Written by Steve Van Beek

Back in May 2012, the Philadelphia Federal Reserve's Consumer Compliance Outlook webinar series discussed Vendor Risk Management - Compliance Considerations (the slides are available here). The Fourth Quarter 2012 Consumer Compliance Outlook publication included an article that provides highlights of the main themes. As you can see from the headings and subheadings, this article is a must-read:

Vendor Risk Management - Compliance Considerations


What Are Common Types of Third-Party Relationships?

What Are the Risks of Using Vendors?


  • Overreliance on third-party vendors.
  • Failure to train new staff or retain knowledgeable staff.
  • Failure to adequately monitor the vendor.
  • Failure to set clear expectations.


Flood Insurance Monitoring

Loan Modifications

Credit Card Administration

Disclosure Software

Revenue Enhancements


  • Due diligence.
  • Risk assessment.
  • Clear contractual expectations.
  • Comprehensive monitoring program.
  • Board oversight.


Vendors provide value in the expertise and experience they offer; however, financial institutions must still maintain active oversight. It is important to remember that when a vendor performs a service or function, the institution bears ultimate responsibility for compliance. Because varying levels of risk remain with the institution that offers the product or service, a strong vendor risk management program is key to maintaining compliance and avoiding claims of improper treatment of bank customers. With good vendor management, banks can minimize the risk of less direct oversight or control and maximize the benefits gained through a well-managed vendor relationship. Specific issues about vendor risk management should be raised with your primary regulator.

Again, I recommend reviewing the full article and passing it along to your colleagues.


I also wanted to highlight the subsection on board oversight - which states:

"Board oversight. Keeping the board of directors properly informed about the vendor management program is key to ensuring that they can provide proper oversight and that the bank’s management process addresses the risks inherent in third-party relationships. The board should review the vendor management policy, due diligence reports, risk assessments, and monitoring results."

Board of Directors & Risk Management. Risk management and the role of the credit union's board of directors will be the focus of my colleague Anthony Demangone's presentation at NAFCU's upcoming Board of Directors and Supervisory Committee Conference.

Additionally, I'll be presenting on How the CFPB Impacts Your Credit Union and will include a discussion of the CFPB's latest actions related to "unfair, deceptive or abusive acts or practices" (UDAAP) - including how the actions of third parties resulted in liability for the financial institutions. If your board is considering attending, sign up by Friday, March 29th to save $100.


NAFCU's Online Training Program also includes 14 courses for credit union boards - including one on Risk Management.