As vendor management practices have evolved in the financial services industry, are these new rules of engagement actually good for banking? The answer is a firm “yes and no.” Among other issues, concentration risk has mounted in bank procurement processes, in the name of mitigating third-party risk, with implications for both the industry’s performance and its safety and soundness.

It’s a Catch 22 in more ways than one.

Regulators have insisted on more rigorous requirements for third-party risk management at banks, in the wake of the financial crisis. And as the Office of the Comptroller of the Currency (OCC) duly reported in its Semiannual Risk Perspective last December, “Banks’ increased focus on third-party risk management in recent years has resulted in fewer open concerns and [matters requiring attention] related to the use of third parties.” In the next breath, though, the OCC added that, “On the other hand, increased reliance on a limited number of entities creates concentrations that increase systemic risk to the financial services sector.”[i]

And when it comes to doing what’s best for business, banks can find themselves caught up in an irreconcilable web of needs, between regulators, business executives, procurement professionals, and suppliers.

The Upside and Downside of Bank Vendor Management

Vendor management is a discipline that enables financial services companies to control costs, drive service excellence, mitigate risks, and gain increased value over the life cycle of supplier relationships. In many banks, the procurement office got a boost in stature when federal and state regulators issued their rigorous post-crisis requirements for third-party risk management.

This timely focus addressed mounting risks from outsourcing, digital applications, fintechs, and cyber criminals. Ten years later, procurement processes at most banks (and the vendors serving them) are fully operational and provide the aforementioned benefits. Procurement professionals who achieve these goals are highly skilled in strategic relationship management, communications, and collaboration among diverse parties.

For far longer, rigorous procurement processes have been the standard operating procedure in other economic segments. In government procurement, rules on the books are intended to enhance transparency, mitigate corruption of fixed salary officials, and tightly control costs through competitive bidding.

Sadly, the premium placed on transparency, uniformity, and open tender participation in government contracting has created bureaucracies that thrive on long, complex documents filled with arcane jargon and convoluted procedures. These often require a Rosetta Stone and armies of consultants to decode, take too long to execute, and create inefficiencies and perverse incentives.

Are banks destined to follow suit? Certainly they are not managed like government enterprises. Internal audits, independent transaction testing, external examinations, and other control functions quickly identify acts for illicit personal gain and impose swift sanctions with limited reputational harm to the bank. For their part, regulators have focused on guarding against systemic threats that could be introduced by third parties into bank infrastructure and systems, which might injure customers at many institutions or impair financial condition.

Then why do so many bank contracting documents, communications, and processes now look eerily similar to those found in government? A risk-averse mindset is developing today that counteracts the very benefits that a robust vendor management program is supposed to deliver. There are unintended consequences if limited selection variables – such as price or brand name – trump all others regardless of business need, quality, or reputational risk. The dark side may be stifling innovation and expertise in a way that, if left unchecked, could actually prevent risk mitigation and harm business outcomes.

Technical or Strategic? Step by Step

Evaluating key steps in the procurement process can yield takeaways that cut across the banking business and suppliers of all stripes on which it vitally depends. Here are some real life observations of how the process is often handled – or could be:

Onboarding. It often takes more than three months to get a master services agreement (MSA) in place, as the foundation for a business relationship, unless a hair-on-fire need pulls rank to circumvent the process. This discourages business units from exploring new capabilities and service providers, because it just takes way too long to get vendors the door.

Negotiating. There is little flexibility offered in the MSA negotiation process. That’s a shame, since one size does not fit for vendors large and small across different disciplines (service versus product, technology versus advisory, etc.). Smaller or newer vendors may not easily meet certain insurance coverage, financial, or security requirements that are irrelevant to their product or service, which could shut out the best provider.

Risk Tiers. Vendors are categorized into risk tiers (high to low) at the outset of the relationship, based on attributes such as criticality to bank operations, customer or data interface, and/or concentration. If a vendor is assessed relative to a wide range of services for a broad category of vendors (like technology systems or professional services), this adds complexity to the risk assessment and possibly disqualifies a perfectly suitable vendor.

Questionnaires. Risk assessment and information questionnaires are often identical for every type of vendor. This practices misses opportunities to streamlines onboarding time substantially on both sides, by tailoring to the actual scope of the service or product being provided. The risk tiers themselves can get stagnant over time as vendors add or shed new products and services. A strategic relationship and interactive dialogue between the procurement office and prospective vendor would make it more likely that the correct risk tier is assigned whenever there is an exchange of value. However, if they are only engaged episodically, without clear purpose, then it is highly possible that emerging risks will be missed.

Application Process. If a vendor is forced to engage in individual MSAs (for products, projects, and people) with a totally separate application process and business sponsor for each of these contract components, this is highly inefficient.

MSA vs. non-MSA. Requests for proposals (RFPs) may be offered to non-MSA vendors simultaneously alongside MSA vendors. If the contracting process is long and the business need is immediate, this can create an un-level playing field. Having multiple bids becomes mere window dressing and a price squeeze tactic.

Concentration. Regulators have expressed concern about high concentration in vendors who provide critical operations – and not just in its most recent Semiannual Risk Perspective. The OCC also warned earlier last year of “concentrated points of failure,” saying that, “Examiners have identified instances of concentrations of third-party service providers for specialized services, such as merchant card processing, denial-of-service mitigation, trust accounting systems, securities settlements and custody, and other specific product or market services.”[ii] More generally, a focus on limiting the supplier pool may result in too many one-stop-shop vendors and insufficient diversity in specialty vendors or new entrants.

Sole Sourcing. Multiple bids or proposals from three or more vendors is good business, so sole sourcing should be an exception. But when business need, timing, and risk suggest otherwise, a well-documented sole or limited process is perfectly acceptable.

Deadlines. An unreasonably short timeframe from RFP issuance to response deadline may cause qualified suppliers to self-select out of the process. Vendors may also be dissuaded from offering scope suggestions. If scope is defined before any vendor discussions, the business may be asking for the wrong project. Q&A can surface different approaches or scope issues that a contracting sponsor may not have considered when formulating the initial statement of work.

Business Unit Engagement. Opportunities to assess the level of chemistry between business partner and vendor are often missed, if business units are not actively engaged in selection. Of course, contact may be expressly prohibited in some cases (say, for regulatory enforcement or remediation work). Where possible, however, including business units can ensure compatibility to work through thorny issues, a determining factor in the success or failure of a proposed initiative. Also, if the business is disenfranchised from the formal procurement process, it can lead to dangerous “work-arounds” that can circumvent important controls.

Feedback Loops. There may be no feedback loop on price, scope, and the sharpening of terms before closing. That’s another missed opportunity; vendor responsiveness in making adjustments may result in getting higher quality for a better (though not necessarily lowest) price.

Transparency. Certain vendors must remain highly independent and free of conflicts (again, for regulatory enforcement or remediation work). A strong communicative relationship featuring transparent disclosures is beneficial to all parties, including regulators. Building relationships with suppliers that strengthen both businesses should be a key value metric, yet it is rarely encouraged.

Price. A red flag should go up if low price always determines the winning bid. Effective vendor management is not about selecting or negotiating the lowest price, but rather coming to agreements that produce mutual benefit for both organizations. If incentives are solely aligned around achieving lowest cost, quality can slip and result in costly re-do’s or failed implementations.

The Decision. After putting a lot of work into a proposal, not even getting a courtesy phone call feels disrespectful to the losing bidder. Qualified suppliers get fed up and direct their energy elsewhere. Vendors are genuinely interested in improving their products and services to satisfy clients. No feedback is worse than critical feedback.

Turning Away from the Dark Side

In summary, a well-managed vendor relationship can produce better quality, better service, reduced costs, and more satisfied customers. The following simple measures can turn procurement away from the dark side:

  • Simplify relevant contractual language – concise, less jargon, plain English legal language that describes clear outcomes and deliverables from the relationship.
  • Diversify the supplier mix by specialized expertise, size, features, and characteristics rather than just aiming for fewer suppliers.
  • Shorten the process for assessment and onboarding – non-critical risk mitigation items can be addressed later.
  • Tailor risk assessments and questionnaires to the matter at hand.
  • Flex – don’t make one thing (price, brand name, one-stop shop) the only thing.
  • Give feedback so vendors can sharpen their pitches and learn from mistakes.

Adopt a strategic, collaborative, relationship-oriented mindset to vendor management and everybody wins.

As seen in Banking Exchange


[i] “Semiannual Risk Perspective: Fall 2018,” Office of the Comptroller of the Currency; https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-131.html

[ii] Semiannual Risk Perspective: Fall 2017,” Office of the Comptroller of the Currency; https://www.occ.treas.gov/news-issuances/news-releases/2018/nr-occ-2018-4.html