As part of our Venminder Thought Leadership series where we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends and more, I had the opportunity to speak with Nicole DeSantis, Deputy General Counsel at Rabobank.
Nicole is an accomplished bank regulatory and corporate transactional attorney with experience in both wholesale and retail contexts. She has strong experience in privacy and data security, with extensive knowledge of the General Data Protection Regulation (GDPR), corporate governance, enterprise/operations risk management, BSA/AML compliance and vendor management, to name just a few areas. The list goes on, as Nicole has a wide range of experience in the industry.
Additionally, she was previously a nationally recognized expert in the field of 1031 Like-Kind Exchange transactions, and she is an experienced writer, instructor and speaker for several continuing legal education ("CLE") courses.
Nicole DeSantis Interview Highlights
During our time, we covered:
- The three lines of defense
- Corporate governance
- GDPR
- Third party risk best practices
- And more
3 Lines of Defense Model Is a Best Practice
If you’re not familiar, the three lines of defense include the following:
- First line – the line of business or vendor owner
- Second line – the departments overseeing third party risk like legal or compliance
- Third line – the internal audit team
Nicole explained why the three lines of defense model matters: risk is most often encountered at the point of first contact or, as she put it, when risk first comes in the door. For that reason, it’s very important to keep communication open with the first line of defense, as they are the ones most likely to be aware of any risk posed to the organization. She noted that this awareness isn’t only crucial in vendor management, but also in other areas such as privacy and data security.
Corporate Governance Structure Can Impact Your Organization Greatly
Per Nicole, the sophistication of an organization’s corporate governance structure affects whether the third party risk program receives enough attention from senior management and the board. Ultimately, it comes down to the number of committees in place and the processes that govern them, which raises questions such as:
- What are the committees responsible for deciding?
- When do they have to seek the authority or the approval of another committee?
- Are the corporate governance documents clear?
Take this example:
Suppose two business units disagree about something, such as which new product or service to purchase. What happens next? Typically, a more established or sophisticated organization will have a policy that dictates the next steps, including escalating a request for a decision all the way to the executive team. This keeps senior management and the board involved and sets clear guidelines.
“I feel corporate governance, even though sometimes people think of it as maybe more of like a superficial structure that's there, is really almost like a tail wags the dog in a good way. I feel like sometimes when you have that skeletal outline in place of, ‘These are the committees, these are what they can decide, this is when they have to elevate something to another committee or a senior leader in the organization,’ then it all starts falling into place for both the business (front) line, the second line and the third line of how it works together.”
GDPR: How Will It Impact US Organizations Regarding Third Party Risk?
Nicole certainly has extensive knowledge of the GDPR and shared some great insight with me. She noted that there are many gray areas and that many organizations aren’t sure what to expect right now; however, GDPR isn’t going away, and companies need to be careful in their approach. She also gave a good example of how, as the regulation is currently written, it could potentially affect even a small business owner.
An IAPP-EY survey released in late 2018 found that 56% of companies aren’t fully GDPR compliant. Based on this finding and our discussion, that seems likely to be true, especially for smaller companies. I think Nicole and I can agree that, as with many other new regulations, we’re all intrigued and waiting to see how the cards unfold.
On behalf of Venminder, I’d like to thank Nicole for her participation in this series. Be sure to listen to our discussion here to catch even more helpful information.