Fintechs emerging to fill financial institutions’ product gaps are running into challenges in the vendor management (VM) department
In October 2013, the OCC released guidance for financial institutions (FIs) on how to manage third-party suppliers, the implementation of which has had the perhaps-unintended consequence of burdening the small companies that serve FIs.
Many large FIs, in their rush to comply with the OCC guidelines, have simply written into their contracts that fintechs must follow FI security standards. In my experience, the challenge for fintechs is not so much creating and maintaining security policies and procedures that meet FI standards; rather, the burden lies in documenting to the FI’s satisfaction that the fintech is meeting its standards.
At the root of the problem is that most FIs rely on a “three lines of defense” risk management model. The first line of defense is operational (risk management and oversight), the second line of defense is compliance, and the third line of defense is internal auditing. Many FIs also employ a fourth line of defense, which is their information security teams.
From our point of view, it looks as if these lines of defense do not coordinate with one another when it comes to the vendor management requests they make of third parties. As an affected fintech, we often get three (or four) hefty questionnaires a year of 50 questions or more, one from each line of defense. Each questionnaire asks the same questions covered by the other, previously submitted questionnaires. In other words, a bank may ask the same questions three times a year to satisfy each of its internal lines of defense (LOD), and as a responsive fintech, we are submitting our response three times, usually in three different formats.
And often, the questions require detailed responses. For instance, it is not unusual for a risk questionnaire to ask about our change management process. We will prepare a thorough explanation of our change management process, including our formal policy document, only to receive the exact same question from the FI’s information security team a month later, and then from another team a month or more after that.
To further complicate matters, each LOD may request responses in a different format. Some may ask fintechs to submit spreadsheets, PDFs or Word documents, while others may use a third-party tool such as Vendorly, VendorRisk, Archer or Ariba.
Maintaining the logins and passwords for all of these tools, as well as coordinating responses in the multiple formats requested, takes an inordinate amount of time that could be more productively directed at improving product lines or other business-building work.
Why isn’t there a single, standardized fintech questionnaire that could be used by multiple FIs, you may ask? Well, that is the million-dollar question. Our company maintains an annual SOC 2, Type 2 exam (as do most other companies in our space), and this should be accepted by the FIs — but oftentimes they request their own audits on top of this.
The OCC in that same 2013 bulletin stated that multiple FIs may collaborate on reviewing fintech controls, but I have yet to encounter such a collaboration. However, a consortium of FIs created TruSight, which should consolidate at least the info sec requests of several large banks.
To improve fintechs’ ability to focus on making their products as effective and compliant as possible (by spending less time on answering questionnaires), it would be nice to see some of the big players or regulatory bodies (FFIEC, OCC, or CFPB) come up with a standard review package, covering all LODs, that each fintech could answer once a year and make available to all of its FI clients.
In the meantime, FIs should align their internal teams to ensure streamlined requests that occur concurrently and without repetitive content.