Anytime you onboard a new vendor, or continue working with an existing vendor, you're taking on risk. According to the Consumer Financial Protection Bureau (CFPB), which is responsible for making sure that banks, lenders and other financial companies are responsible with the personal data that is entrusted to them during the normal course of business, non-bank lenders must have policies and practices in place to manage their vendors and the data that may be shared back and forth.
But for many non-bank lenders, vendor management often lacks the right resources and attention, leading to problems with compliance and other important issues that can result in expensive penalties and fees, if not a required cessation of activities in some way. That can significantly drive up your bottom line, making it harder to get things done due, or it might even require you to spin-up convoluted in-house capabilities.
However, if you're not prepared in your vendor management practices, you may be breaking the law without realizing it. Vendors may be a logical extension of your in-house capabilities, but unless you're integrating them with the same care that you would a new employee, as well as closely watching their every action, you could have a problem and not even know it.
Worse yet, if a vendor suffers some kind of security breach or issue, you could be on the hook. After all, no one remembers the vendor that messed up, but people sure do remember the companies that suffer large security breaches at the hands of their vendors. It may technically be the vendor's fault, but the customers rarely make that distinction, and, according to the CFPB, it's ultimately your responsibility.
The Art of Vendor Management
For many non-bank lenders, vendor management is an afterthought -- some kind of loose collection of guidelines and practices that supposedly governs how you work with your vendors, but there's nothing that actually prevents you from letting your vendors get away with everything. The reason vendor management isn't simple is that it's complicated, and there's a lot to consider with each vendor, nevermind the fact that you're likely dealing with something like a half-dozen vendors across all sorts of activities.
The CFPB tries to help with their various guidelines on how to ensure compliance and establish working policies for your vendors, but much of it is too dense to be understood by anyone that doesn't spend their days reading legalese.
While the concept is simple, there's no one way to develop a vendor management program, and many companies may only have loose policies in place to safeguard against the most egregious offenses, which isn't really sufficient. It's better than nothing, to be sure, but it can often end up being a roadblock to staying in compliance in the first place.
Start Simple and Build
Without a comprehensive vendor management process in place, non-bank lenders need to start somewhere, such as defining what the vendor management policy should be. Items such as compliance, security and privacy are all important considerations, as is limiting your exposure to financial and reputational risks.
Once you have a general goal, then it's time to take stock of your existing vendors. Make a list of every vendor you've worked with over the last 12 to 24 months -- get this information from accounts receivables if you don't already have it -- and assign each into different risk tiers based on what they do and the information that they have access to. If you have any consumer non-public personal information, the vender belongs in the top tier.
For the most part, Tier 1 vendors are your most important vendors. They're the ones doing mission-critical work for you, and they're also most likely to be dealing with confidential or proprietary information. Generally, they're not easily replaced, nor would you want to without plenty of advance warning.
Tier 2 vendors are important but not critical. They may maintain or otherwise deal with confidential or proprietary information, but in a pinch you'd be able to replace them and go with something else.
Tier 3 vendors are vendors that don't work on the important stuff. They may have less high-profile jobs to do, but they're still valuable to your business. Think of things like cleaning services or a caterer that comes by every Friday. They may not handle important data, but they still might have access to workstations after-hours or when everybody else is enjoying the food, so it's not like your risk is zero here.
Review Your Contracts
After you've organized your vendors into tiers, the next step is to review your contracts. The CFPB stipulates that non-bank lender vendor management extends to the contracts that you have with each of your vendors, with requirements for clear guidance and responsibility outlined in each of your contracts, particularly vendors in Tier 1. It may be difficult to locate a contract for each vendor if you don't have a central repository for all your documents, but that just illustrates the need for a management layer.
In addition to reviewing your vendor contracts for necessary amendments, you'll also want to institute vendor management best practices for the contract and on-boarding process. You could deal with the risk for every existing vendor, but if you neglect to institute your changes company-wide and moving forward, you'll likely end up in the same position in short order.
It can also help to bring all your client's docs, resources, contact information, questionnaires, assessments and the like into one place. That'll help you keep tabs on your vendor relationships, and it'll also help identify where there's a shortcoming with a particular vendor. For this piece, a non-bank lender vendor management software platform can be a big help as it forces you to organize your supporting documentation in some kind of workable way. Believe it or not, but random spreadsheets and emails are not the hallmarks of a viable system.
Evaluate Your Risk
With all your vendors split into tiers and all the important documentation just a click away, you can finally audit your vendors. Whether you're filling out questionnaires or determining it separately, the goal is to evaluate your risk vis-a-vis each of your vendors. Those who are dealing with sensitive information will need to be asked pointed questions about how they accomplish what they do for you, as well as where potential exposure points are.
Keep in mind that non-bank lender vendor management isn't just a checklist -- it's an evolving body of responsibilities that needs to bend with how you're operating and the vendors that you use. If you change one of your vendor's roles or you bring on a new vendor, that should go through your vendor management layer. Documents are important, but so is compliance and instituting policies that actually enforce what is agreed-upon. If a vendor raises your compliance risk, they need to be held to certain expectations.
Don't forget periodic maintenance, too. Just because you agreed on something last year doesn't mean that your vendor is still abiding by the rules. Or what if a vendor was sold or merged with another company -- can you be sure that all those guidelines you instituted are still being followed? Whether it's monthly, quarterly, bi-annually or yearly, you'll need to revisit your vendor relationships periodically to make sure that everything is still moving along as expected. Furthermore, there needs to be some kind of enforcement so that vendors who are not following policy are reprimanded in some way.
The Risk of Vendor Mismanagement
Due to both state and federal regulations for non-bank lenders, vendor management isn't something to take lightly. The CFPB is no slouch, either, and since 2012 they have the authority to enforce regulation of vendor management policies, especially with regard to sensitive data. But their authority isn't limited to merely demanding that you enhance your vendor management capabilities -- they can levy financial penalties and other enforcement actions against you or your vendors.
If the CFPB decides to audit your vendor management, they'll look at your vendor management policies first. That's why it's important to create policies that you can actually follow. Outlining the best policy in the world won't do you any good if you can't actually follow it, so it's better to create policies that help you actually manage your vendors. The CFPB will want to see that both you and your vendors understand the risk and what's at stake, and that proper guidelines are followed at each step of the process.
But it doesn't stop at you and your vendors. Your vendors' vendors are also a possible exposure point, which means that your vendors may need to have vendor management policies of their own in order to meet the regulatory and compliance needs of the CFPB. In fact, the SSAE 18 rule requires that subservice organizations -- i.e., your vendors' vendors -- must also be included in any comprehensive vendor management policy.
Help Manage Your Vendors With Infinity
With Infinity Software, you can stay up to date on all those tricky compliance issues without even batting an eye. It's a specialty built platform that does exactly what you need as a non-bank lender, including vendor management, organizing all your supporting documentation and even getting a better handle on who your customers are and where your money's coming from. It's a CRM for lenders, and it goes way beyond what a typical CRM can do for you.
To learn more about the Infinity platform, schedule a demo today!