VACB Pub. 10 Issue 3

Your institution has decided it wants a new product or service – great!  It wants you to start looking for the perfect vendor – not so great!  The vendor selection process can be time-consuming and overwhelming.  Not to worry, there are a few things you can do to simplify the process and find the vendor that fits your institution.

Outsourcing Policies and Procedures

The first step in any outsourcing is understanding the importance of developing risk-based policies and procedures to govern your outsourcing process.  As discussed in the FFIEC guidance, "Risk Management of Outsourced Technology Services," a comprehensive risk assessment will consider how the outsourcing arrangement will support the institution's objectives and strategic plans and how the relationship with the vendor will be managed.  Once that step is completed, using the same policies and procedures to review and compare multiple vendor candidates ensures a level comparison field and a better understanding of the risk each vendor presents.  Using the same process enterprise-wide provides a path for ensuring that both services and vendors in all areas of the institution are in line with the institution's overall business strategy and goals.

Vendor Due Diligence

You have sent out a Request for Proposal (RFP) or started conversations with several vendors about the proposed product or service.  What do you do next?  Due diligence serves as a verification and analysis tool, providing assurance that the vendor meets the institution's needs.  Spotting the right vendor requires knowing what to look for.

  • Review the vendor's corporate history, including qualifications, backgrounds, and reputations of company principals. Verify that the vendor and your institution are a good fit from a mission and business strategy aspect.
  • Analyze the vendor's audited financial statements to ensure their financial stability.
  • Evaluate the vendor's experience and ability in the industry, including institutions with similar size and operations to your institution.
  • Request and review references from current users about the vendor's reputation and performance.
  • Review the vendor's technology and systems architecture. Verify that the technology requirements of the service and vendor are compatible with your institution.
  • Look at the internal controls, security history, and audit coverage of the prospective vendor.
  • Assess the vendor's information security program and resiliency.
  • Check for any legal and regulatory compliance issues.
  • Review the vendor's insurance coverage.
  • Review the vendor's reliance on and management of subcontractors.
  • Evaluate the vendor's fee structure and incentives.
  • Verify with your IT Department that the technology requirements of the service are in line with your institution's current technology. Different vendor services may have very different requirements, so having your IT Department review all vendor information could help point you to the best vendor for your institution.

Contract Negotiation Time

Contracts give you the ability to clearly identify rights and responsibilities and to address significant issues.  Financial institutions can feel they must sign the vendor's contract as-is, especially when dealing with a large company.  However, you have the right to negotiate what is included in a contract.  In fact, this step may clearly indicate which vendor will best suit your institution's needs.  If a vendor is not willing to include language your institution has decided is integral, you may choose to continue searching for a vendor that will.  Here are some important elements the contract should address:

  • Scope of Service including a description of activities, timeframes for implementation, and assignment of responsibilities
  • Security and Confidentiality concerns
  • Internal controls such as system monitoring, notification requirements, records maintenance, and cybersecurity
  • Requirements to provide audit reports (state specific types and frequency)
  • Requirements to provide performance and financial reports (state specific types and frequency)
  • Requirement to provide Business Resumption/Contingency Plans
  • Reliance on subcontracting
  • Choice of law and jurisdictional provisions for foreign-based third parties
  • Compliance with regulatory guidance and applicable laws
  • Right to audit and require remediation
  • Indemnification, Insurance, Dispute Resolution and Limits on Liability
  • Defaults and Termination
  • Performance Standards including measurable standards, minimum service level requirements, remedies, and Service Level Agreements (SLAs)
  • Notification standards for service disruptions, security breaches, significant changes to the contracted activities, etc.
  • Data access, ownership, and license

Vendor selection can be time-consuming and overwhelming.  But using good outsourcing policies and procedures, understanding what to look for in vendor due diligence, and knowing the important elements to include in vendor contract negotiation will make identifying the best vendor for your institution a bit easier and more successful.