Subscribe to our blog for the latest Q2 news, features, and events.

Sign up
Risky Business: Vendor Management

Risky Business: Vendor Management

Part 2 of 2

5 suggestions to help your FI with effective vendor compliance

Managing third-party vendor compliance can be a daunting task for a financial institution (FI). Without the right resources or plan to help your FI manage the “ins and outs,” it can become even more so.

Here are five important lessons we’ve learned that your FI can leverage to tackle third-party vendor risk management.

  1. Use a “top-down” approach. Your FI’s board of directors and key management should be involved to ensure the risks associated with the use of vendors are fully understood. With an appropriate oversight program in place your FI can monitor each vendor’s risk management controls, financial condition, and contractual performance.
  2. Limit the number of employees authorized to execute contracts. By doing so, your FI can better control the contract process and reduce risk. Make sure those chosen to execute contracts are familiar with risk factors and compliance requirements, and they know who to go to for specific risk-exposure concerns.
  3. Begin with a high-level preliminary risk assessment. If the risk is considered high, a comprehensive due diligence should be performed. As part of the assessment, analyze a vendor’s perceived financial, operational, strategic, legal, regulatory, and reputational risks. Some high-risk indicators to look for when evaluating vendors include a security breach in the last few years, laying off employees recently, being named as a party in a lawsuit, frequent changes in management, and difficulty proving due-diligence information.
  4. Classify vendors. Manage your compliance efforts more easily by categorizing vendors based on importance to the company, cost or difficulty to replace, and access to non-public account holder information. It’s important to understand what criteria are important to your FI. For example, an incidental vendor might be one that is easily replaced and has no access to customer information, while a critical vendor would be difficult to replace, performs key functions, and has direct access to your systems and customer information.
  5. Conduct ongoing reviews-they’re important. Conduct ongoing reviews of your vendors’ operational performance, particularly of critical vendors. Annual reviews are expected, but conducting ongoing reviews ensures the vendor is meeting and can continue to meet the terms of the contract. For smaller vendors, pay attention to their financial condition to determine ongoing operational soundness.

The right digital banking partner can help

Don’t have the time or resources in place to properly vet all the vendors needed to provide your account holders with the digital banking experience they demand? Choose a partner with rigorous risk management practices.

Q2’s dedicated risk management team focuses on having the most up-to-date vendor information. Not only does Q2 maintain vendor information, we stay on top of the latest regulations and news related to risk management. Q2 also provides real-time access to important Q2 due-diligence information via our client portal to assist our customers. This dedication to “clear” guidance and best practices is unique and has proven to be one of the reasons why FIs trust Q2 to be their partner. In an upcoming blog, we’ll offer in-depth information about our 24×7 regulatory information access.

Subscribe to the Q2 Blog today. You’ll receive the next blog in our series on regulatory compliance, as well as upcoming posts from our thought leaders on trends in digital banking. Plus, you’ll receive tips and best practices to help your FI compete and grow. To read the first compliance blog, click here.

Stay in-the-know with the latest digital banking news

We will never share your information outside our organization. Please view our Privacy Policy for more information. You may manage your email communication preferences at any time by using the “email preferences” link at the bottom of any email.