Our overview of the Top 10 Considerations for Financial Institutions in 2020 series noted that financial institutions will continue to face challenges in a number of corporate, compliance, and risk areas, especially in light of COVID-19 and a potentially slowing economy in 2020. Our fifth consideration is vendor management.
Third-party risk management is important for financial institutions in the best of times, but with the advent of COVID-19, it is crucial. The risk management approach of today focuses on the most essential vendors providing lending platforms and core data processing systems but should also account for less critical vendors, such as cleaning or courier service providers.
Both the financial institutions and their service providers need to be aware of the expectations of the regulatory community with respect to these relationships. Regardless of specific challenges, one constant is that financial institutions are free to outsource their activities, but they cannot outsource the performance liability of those activities, especially when dealing directly with individual consumers.
As part of its vendor risk management review, financial institutions should consider reviewing the Federal Financial Institutions Examination Council’s (FFIEC) Interagency Statement on Pandemic Planning (FFIEC Guidance). The FFIEC Guidance emphasizes that an important aspect of COVID-19 planning is open communication and coordination with third parties, including critical service providers. On March 5, 2020, the Office of the Comptroller of the Currency (OCC) issued the bulletin “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (OCC Guidance). The OCC Guidance, although not specific to COVID-19, updates previously issued guidance and frequently asked questions from the OCC regarding on-going monitoring of third-party service providers.
It is important to review your vendor contracts to determine your rights to request audits and reports and to determine the vendors’ responsibilities for continuation of services in the event of a disaster, such as COVID-19, including continuation of services and sufficient information regarding security and privacy procedures. The key is to confirm that vendors have contingency plans in place and testing results should be provided to the financial institution. Monitoring could include questioning the most critical vendors about how they are affected by COVID-19 and the steps they have taken to prepare, mitigate, and manage their response.
For a financial institution’s vendors that may provide services on site, it is recommended that the financial institution take action to ensure that its vendors are complying with all applicable federal, state, and local COVID-19 guidelines. Vendors and their workforce members should be made aware and trained on the financial institution’s applicable COVID-19 policies and procedures including, but not limited to, social distancing, sanitization, screening, cleaning supplies, and contact tracing.
1. Review and implement actions outlined in existing business continuity plans with respect to monitoring your critical vendors and suppliers.
2. Carefully review your contracts with vendors and suppliers to be prepared in the event of default or disagreement.
3. Ensure that your critical vendors and suppliers have COVID-19 plans in place, especially with respect to potential disruption in provided services.
4. Contact your Howard & Howard attorney for any assistance in developing a COVID-19 vendor management action plan.
Howard & Howard has a dedicated team of financial services attorneys with deep experience handling complex transactional, regulatory, and litigation matters. Our attorneys regularly advise clients on M&A, strategic transactions, third-party engagement, enforcement matters, and regulatory compliance. For more information, or for questions related to this Financial Institutions Advisory, please contact the author(s), your Howard & Howard attorney, or visit us at https://howardandhoward.com/services/financial-banking/.