Vendor Consolidation Doesn’t Limit Risk in Third-Party Risk Management

Consumer data fulfillment services come in all shapes and sizes and include credit reporting firms, appraisal management companies and outsourced underwriting to name but a few. 

For some vendor services, the core product means that the vendor has a client base of financial institutions who use the core product. For them to continue to grow their company, they may delve into the realm of becoming a vendor services reseller. Recognizing that having the ability to offer multiple products builds a level of reliance from the client to the vendor that may be appealing and help capture more revenue. This is achieved by bringing in other vendor services from additional third parties to offer to their captive client base. 

Sound like a win-win doesn’t it? Well, not quite.   

Vendor Consolidation Doesn’t Reduce Risk Oversight

Unless the product is directly owned by the primary vendor provider, then all you have done is added a middleman between yourself and the third and fourth party vendors. In a recent sales pitch we read, the primary vendor was evangelizing that consolidation would reduce a client’s third party risk oversight liability. Nothing could be further from the truth.

Regulators, such as the OCC and CFPB, have long recognized that vendors offer strategic and competitive advantages to institutions but have cautioned that the responsibility of risk assessment and oversight remains with the institution, not the vendor. Under the SSAE 18 requirements, fourth party vendors must be given the same level of oversight as third party vendors. This, in turn, puts enormous pressure on the original third party vendor who is now reselling other products. The question to ask of your third party reseller partner is how robust their ability is to implement an adequate third-party risk management program on all their reseller partners. Institutions have a difficult time as it's in managing the various aspects of third party risk management, which include financial analysis, SOC reviews, business continuity and disaster recovery plans and the relevant experience to manage according to federal consumer protection laws.

If you’re considering this option, then you must verify that the reseller has a vendor management team on staff who can adequately perform satisfactory oversight, both from contractual language controls and subject matter expertise. In doing so, your internal third-party risk management program cannot rest and would be required to review all information which the original third party is conducting.

This leads to another worthwhile point to consider. If you come to rely on the findings of the reseller vendor that all is well with the additional providers, are you really managing risk? How transparent is the vendor likely to be since they have a vested interested in offering the vendor products in the first place? It points back to a possible conflict of interest.

If your vendor reseller partner states that this helps decrease third-party risk oversight for institutions, then consider their internal resources to help manage the process. It may help simplify your billing process, but the inherent risks will not diminish. Don’t believe the hype. Risk needs to be mitigated and cannot be transferred.

Gain control and keep tabs on the work that your vendors are doing - download our infographic on vendor oversight and ongoing monitoring.