$1 billion, $4.75 million, $1 million, $35 million, $1.3 million - Sounds like some lucky person won the lottery, right? Not this time. Unfortunately, those are not lottery winnings, rather they are Unfair or Deceptive Acts or Practices (UDAP) and Unfair, Deceptive or Abusive Acts or Practices (UDAAP) penalties assessed against financial institutions.
Weak - or nonexistent - vendor management programs can result in very hefty UDAP or UDAAP penalties. Without naming names (although they were published), I want to draw your attention to some of the penalties and restitution orders issued regarding vendor management programs. In July 2018, an UDAP restitution order was issued for $4.75 million. Earlier that year, UDAAP penalties of $1 billion and $1.13 million were assessed. Going back, there was another UDAAP penalty of $1 million in 2017 and a penalty of $35 million plus restitution in 2016. These orders were very painful for those financial institutions (FIs).
A common thread wove through the assessment of each of those penalties: the FI's weak oversight of third-party vendors and vendor management programs.
How can you prevent these painful penalties from finding their way into your institution? Consider your institution's relationship with vendors in terms of an ongoing cycle - a lifecycle involving six steps:
- Planning - Determine the FI's wants and needs, engage the appropriate management and consider the FI's strategic plan.
- Due Diligence - Conduct a risk assessment and thorough examination of vendors in the selection process.
- Contract Negotiations - Address specific criteria to ensure the FI is represented in each definite area of concern, mitigating risk in those areas.
- Relationship Monitoring - Ensure the vendor is fulfilling contract terms to avoid unnecessary risk to the FI.
- Report Findings - Keep management informed and up to date on any possible issues that may arise to mitigate unnecessary risk.
- Termination - Dissolve the relationship in a manner that causes the least disruption of workflow for the FI and its customers.
Each step in this cycle is significant. Failing to provide adequate consideration to any of the six steps can open your institution to areas of risk, which can lead to painful penalties.
Controlling risk is a balancing act. Think of it as the knot that keeps the thread from unraveling when sewing together a vendor management program. Design and oversight of the vendor management program is based upon the size, product complexity and risk assessment of each FI.
Lack of thorough due diligence and risk assessment of vendors before entering into contract negotiations is a frequent finding. Assessing the risk of a prospective vendor is imperative, regardless of the vendor's size. Understanding the risks involved and establishing internal controls mitigates some of the risk and provides an extra layer of protection from painful penalties.