In July last year, the US Consumer Financial Protection Bureau (CFPB) announced its first public enforcement action since its inception in July 2011. Capital One – which offers bank, loan and credit card services – was forced to repay $140 million to customers who had been mis-sold add-on products, including payment protection insurance, by a third-party vendor of its products. The bank was also fined $25 million by the CFPB.
On top of this, the Office of the Comptroller of the Currency (OCC) ordered a further $10 million be repaid to customers harmed by unfair billing practices. The OCC also fined Capital One $35 million for the bank's failure to implement "a comprehensive and effective enterprise risk-management programme to detect and prevent unfair and deceptive practices, and the duration of and failure to correct those practices", according to the OCC's statement on the issue.
The bank was also ordered to stop the sales and marketing of any debt suspension product, debt cancellation product, credit and identity monitoring products, or any other similar products, and to take other corrective action to ensure compliance with consumer protection laws.
In short, Capital One failed to manage its vendor risk and paid the price at the hands of tougher and more focused regulators. The CFPB warned other institutions that the agency "will not tolerate deceptive marketing practices and institutions will be held responsible for the actions of their third-party vendors".
Vendor risk can take many forms. While questionable marketing practices were the root of Capital One's vendor risk issues, this is far from the only challenge financial institutions can face from their vendors. Technology can also cause serious headaches for financial institutions: not only through service outages, but also in subtler ways.
Although a service failure may ultimately come down to the vendor, there should be a mechanism to measure the risk and the extent of the exposure to that risk well in advance of the failure.
"A bank might be locked into a vendor's solution," says Matt Clay, a London-based manager at management consultancy Baringa Partners. "This could mean that a vendor utilises a particular underlying technology that gradually becomes marginalised as a result of new technology innovation. A firm that has adopted that technology as part of its mission-critical business is therefore reliant on an inferior technology platform and is dependent on a declining pool of experts to support and maintain that technology."
There is also the risk that a vendor may stop developing a product that is part of a bank's business, meaning that support from the vendor may decline as well.
Of course, institutions can mitigate the risks that come with being reliant on a vendor, says Clay. "Mitigation revolves around securing roadmap service-level agreements up front and reviewing the roadmap on a regular basis," he says. "There needs to be tight support around these agreements and contractual get-out clauses."
Reliance on a vendor solution is not the only way in which financial institutions can find themselves exposed to vendor risk. Reports of data loss are commonplace, both in the financial sector and in the wider community. In October 2012, TD Bank notified customers that two data backup tapes, reported to hold the details of 43,750 New Hampshire residents, had been lost in transit. The tapes were shipped via a third party between TD Bank locations, but never arrived. Not only did they contain the bank details of these customers, but also their social security numbers and, in some cases, driving licence numbers. Reports at the time stated that the loss occurred in March 2012, although the bank did not notify customers until October 2012. Those reports also stated that the tapes were unencrypted, meaning they would be accessible to anyone who found them.
This is not the only way a company can lose customer data. It can also be lost in the cloud. "A vendor can fail to execute its internal controls as required and critical client data may be compromised in the cloud," Clay says. Firms can help prevent this by putting in place clear key performance indicators and key risk indicators (KRIs) relating to their controls, with regular reviews of those indicators.
Clay says this involves taking a firm line with vendors to ensure that accurate and relevant metrics are delivered on request.
Another issue financial institutions need to consider when thinking about vendor risk is their vendors' vendors. The so-called fourth parties or sub-service providers will also need to be vetted. This is already an area of focus for some financial institutions, according to Chris Ritterbush, New York-based director at Ernst & Young. "We are definitely seeing an effort to identify those fourth parties by firms through various processes," he says. "Some firms will then go out and even do reviews of those fourth parties as though they were a third party because this sometimes presents a very high risk."