5 Things I Learned About Vendor Management: “Fingerprints Everywhere”

I’ve heard a lot from lenders about what they’re up against with third party vendor management regulations.

  • “What used to take 1 person part-time now takes 2 FT employees!”
  • “We ended up having to cut vendors from our list. It’s just too hard to manage them now.”
  • “It’s not just about picking good vendors. Now we have to track them, too. And the more data we collect, the more time we have to spend tracking the data, acting on it, storing it and sharing it.”
  • “We’re putting our vendors through the same scrutiny that we do our own internal employees.”

The challenges are real, and so is the uncertainty about what regulators want to see in third party vendor management policies. I listened with great interest today as Scott Roller, 3W Partners, delivered a presentation with us on Third-Party Oversight & Governance In A New Regulatory Era. Roller has more than 25 years’ experience working with Fortune 500 firms and was on the receiving end of audits by the likes of the OCC, OTS, CFPB and the three major rating agencies. At Citigroup, he was responsible for developing the third party oversight program for the company’s mortgage lending division.

The new reality is that regulators are pushing third party oversight at levels never before seen. The good news is that there are similarities across requirements, so if you build common dimensions into your policy, you should satisfy your regulators.

“Forget about the days of ‘once and done’ due diligence. Forget about vendor agreements made with handshakes instead of contracts. Banks can’t look at a vendor, sign them up in 2015 and never look back. What regulators expect to see is that you document everything. That you’re essentially repeating your due diligence on an annual basis to gauge things like: Is this vendor still worthy of your biz? Have they met or exceeded performance goals? Have their financials changed?”

~ Scott Roller, 3W Partners

Here are the five things I learned from him during today’s live event:

  1. Apply the same rigor you use for your security and IT functions.

Most institutions have mature, well-oiled machines driving their IT and security functions.

“One of the key messages today is that what regulators want is that you apply that same rigor, and replicate those same measures in a similar fashion when managing your third party vendors. Put the management back into vendor management.”

~ Scott Roller, 3W Partners


  2. Go wide. Enterprise-wide.

In terms of maturity, banks’ programs for managing third parties have a long way to go, especially at resource-strapped small banks where staff often wear three or four different hats. Most programs are led by a single group rather than run as part of a larger enterprise-wide risk program. Even if your resources are limited, start by making sure you’ve identified the appropriate things to monitor and that you’re doing it consistently across the organization. Then put together a policy that defines clear roles and responsibilities for tracking vendor performance over time within your organization.

  3. Embrace a scorecard approach.

Performance-based monitoring of third party vendors using a scorecard approach is very popular with auditors. They like to see that you have key performance indicators, or KPIs, in place that are important to the bank, that impact the consumer in positive ways, that are tracked on a regular basis and are addressed with vendors and upper management.

  4. “Directors need to have their fingerprints everywhere.”

Governance is gaining substantial attention from regulators, and many institutions fall behind on it. It’s a real advantage if you are able to demonstrate that the bank’s directors are more than just generally “in the know” about your vendors. They need to have their fingerprints everywhere. Do they have access to audit failures? Scorecard results? Is someone in front of them all the time giving them readouts? It is critical to make sure senior executives and the board are directly involved in vendor management.

  5. Leverage technology as much as possible.

If you think about third party vendor management very holistically, it is critical that you are managing all of your vendors in a consistent structure.

“Technology is a great lever to catapult you forward. Tools like forms, dashboards, scorecards and timelines are the kind of thing that board members love and understand. Start with spreadsheets and checklists first if you have to, but then consider off the shelf workflow systems that can help with accountability and tracking across your institution.”

~ Scott Roller, 3W Partners


Vendor management is not just a one-time assessment, but an ongoing process. If you’re a small bank and at a loss for where to begin, start with Roller’s 12 “key dimensions” that every bank can address to cover most regulatory expectations across the board.


Food for Thought

Is your institution’s third party vendor management policy:

  • Monitoring consistently across vendors?
  • Building an audit trail?
  • Using performance-based criteria?
  • Providing for adequate staffing for oversight?
  • Relying on the right skills and competency?
  • Involving executive engagement at the highest levels of the organization?


For steps you can take to protect yourself from potential fines or enforcement actions, listen to a replay of Scott Roller’s webinar.

Roller’s presentation materials were not just easy on the eyes (thankfully!) but informative.