"Financial Service Technology America, today's latest financial news now..."

The Critical Need for Vendor Screening

RDC Corp | www.rdc.com/fst

By Mark A. Parsells, Chairman & CEO of Regulatory DataCorp, the leading provider of enhanced due diligence services. He is a former member of the American Express Worldwide Compliance Council and founded the Bank One Information Privacy Council.

You’ve double-checked your employee and customer information. You’re certain you know whom you’re doing business with. Or are you? The frightening truth is, if you’re not regularly monitoring your vendors, and the agents they deal with, the answer is probably “no.”

For financial institutions, most of the anti-money laundering regulatory attention in the last 10 years has been focused on knowing your customers (KYC). Doing so has become a fundamental part of doing business. But there is an equally significant area of risk that most, if not all, FIs should be monitoring. Let’s call it KYV: “know your vendors.”

Unfortunately, too many FIs remain deeply exposed in this area. Vendors. Consultants. Outsourced partners. Project managers. Service providers. Contract employees. These kinds of people are moving through your organization all day, every day. You may have certification from a vendor that its employees satisfy certain background criteria, but how certain can you be that the certification is current, or even accurate in the first place?

And because even the most mundane vendor or partner can represent a significant risk to your company’s security and compliance obligations, it is a concern that should not be ignored.

Several recent headlines attest to this fact:

Banks Increasingly Are Creating Vendor Management Offices
Vendor management is becoming a front-burner issue for banks in the face of regulatory pressure.
Bank Systems & Technology, July 29, 2008

This article points to the need for effective vendor screening for financial institutions to handle rapidly increasing regulatory scrutiny.

Government probe launched after details of one million bank customers found on computer sold on eBay
U.K. Daily Mail, August 27, 2008

In this case, a second-hand computer sold for £35 in an eBay auction was found to contain personal data on a million customers of the Royal Bank of Scotland, NatWest and American Express. The computer’s previous owner? A technology vendor for Royal Bank of Scotland, NatWest and American Express.

And as the world continues to shrink, with more and more essential and non-essential services outsourced, the risk of not knowing your ‘vendor’ – let alone your vendor’s principals, local agents and sub-agents – increases nearly every day. The continued globalization of nearly every business demands increased vigilance. Whether public or private, every organization today must be able to demonstrate that every possible step has been taken to verify the authenticity of vendors as well as customers.

Failure to do so exposes your organization to “garden variety” dangers like fraud and theft, as well as significant regulatory violations involving privacy (Gramm-Leach-Bliley, Fair and Accurate Credit Transactions (FACT)), anti-money laundering (BSA/Patriot Act), and corruption (FCPA).

The U.S. federal government is unambiguous on this point. As set forth in an OCC Bulletin on Third Party Relationships (OCC 2001-47):

Selecting a Third Party and Due Diligence

Regardless of the type of third-party relationship, selecting a competent and qualified third-party provider is essential to managing third-party risk. The due diligence process provides the bank with an opportunity to identify qualitative and quantitative aspects, both financial and operational, of a third party and to assess whether the third party can help the bank achieve its strategic goals. Banks should conduct appropriate due diligence before selecting a third party and at appropriate intervals thereafter.

Due diligence should involve a thorough evaluation of all available information about the third party, and may include:

  • Experience in implementing and supporting the proposed activity, possibly to include requiring a written proposal;
  • Audited financial statements of the third party and its significant principals (the analysis should normally be as comprehensive as the bank would undertake if extending credit to the party);
  • Business reputation, complaints, and litigation (by checking references, the Better Business Bureau, state attorneys general offices, state consumers affairs offices and, when appropriate, audit reports and regulatory reports);
  • Qualifications, backgrounds, and reputations of company principals, to include criminal background checks, when appropriate;
  • Internal controls environment and audit coverage.

So, do you know the names of the principals at even your top 10 vendors? What are their backgrounds? Who are their agents and what do you know about them? Who are their key employees and what do you know about their reputations? What sort of experiences has the vendor had implementing the program or service they propose for your organization? Do they outsource services themselves and, if so, how much do you know about the services they outsource? If your vendors vouch for the backgrounds of their agents, can or should you rely upon them? And if you cannot, what can you do?

Obviously, there is a critical need for a comprehensive, searchable central repository of open source risk-relevant information concerning the vendors and service providers with whom your organization interacts. But where?

Government lists (OFAC, BOE) are a baseline for prohibited parties/transactions, but these lists cannot provide the coverage needed to ensure proper due diligence. Formal checks of criminal records may identify some issues in known jurisdictions, but such record checks are typically limited to a known region or area of inquiry. The efficacy of such inquiries may be further limited by the specific practices of a foreign jurisdiction and/or the vagaries of a formal request. In some cases there may also be reason to avoid the questions that a formal request for background information may provoke.

The good news is that the work of uncovering the potential for serious risk need not be limited to the record of formal court judgments or proceedings. More often than not, a wide range of valuable information can be found in published reports from government, media, or self-regulatory organizations (SROs).

These open source reports or records often detail investigations and, of particular significance, they also often document known associations of individuals/entities. In fact, such investigative journalism and other open source reports often presage formal judicial action and provide far more detail than criminal charges or indictments. And while Internet search engines enable greater research capabilities than ever before, there are many inherent limitations to Internet research, including copyright law, terms of use, and often a very limited window of availability or retention of Internet-sourced records.

Public Records vs. Publicly Available Records

Of course, if obtaining such information were a simple task, there would be little discussion. The truth is there is a significant distinction between what are considered “public records” and what are considered “publicly available records.” Knowing the distinction and how to obtain one versus the other requires significant expertise.

Although many types of documents such as court records, drivers’ license information and real estate records are generally considered “public records,” access is often limited by law, or to entities that make formal requests, or to entities (like ChoicePoint) that purchase access to entire document sets of millions of records across states and municipalities.

These types of “public records” can be distinguished from the types of “publicly available” records that comprise Regulatory DataCorp’s (RDC™) Global Regulatory Information Database (GRID℠).

RDC aggregates records directly from original sources. RDC scours government websites, publishers, the media and an exceptionally wide range of sources in the public domain. Further, RDC captures only records from the public domain that can be considered “risk relevant.” This means RDC applies intelligent criteria to ensure that the data it gathers matches a client’s risk profile.

Some of the database records RDC currently collects include regulatory enforcement actions, adverse media articles, politically exposed persons lists, regulatory “watch” lists, and other relevant information from open sources around the world. All information contained in GRID is of a public, non-credit-related nature. GRID presently contains more than five million open-source records, making it the largest such database in the world. And RDC is adding more than 4,000 records every 24 hours.

GRID’s scale is not its most compelling factor. RDC’s 6,600 users can choose from 42 automated risk code filters to access the most relevant data. And RDC can deliver this data in bulk or in slices. The combination of scale and the ability to sort the data in the most relevant ways makes RDC the world leader in supplying risk-relevant information.

Clients Signaling A Growing Demand for Vendor Monitoring

In the last 12 months, RDC has seen a sharp upturn in the number and frequency of inquiries concerning vendor and contractor monitoring. With the increasing number of vendor and contractor relationships has come a growing awareness that understanding who vendors really are, understanding who their agents are and knowing how to apply that knowledge to protect and secure an organization’s assets and reputation is vital.

And this enhanced due diligence applies not only to the vendor, but to all of that vendor’s employees, now and in the future.

The bottom line is this: just having a vendor certify that its employees have completed appropriate background checks, or that the vendor’s agents are competent and trustworthy, is no longer sufficient protection for your institution. Regulators want to see that institutions are conducting enhanced due diligence for both on-boarding and on-going monitoring. Companies engaged in comprehensive initiatives to “Know Your Vendors” (KYV) will be recognized as best-in-class. Others will be recognized as well, though hardly for such enviable reasons.

RDC was founded by 20 of the world’s largest financial institutions and is today the world leader in collecting, analyzing and supplying risk-relevant public data to help clients satisfy their compliance and due diligence requirements. At the same time, RDC has become the leader in providing due diligence data across clients’ enterprises so that they know their customers as well as their vendors.

RDC helps clients “Know who you are doing business with.” To find out more, contact Solutions@RDC.com or call RDC at 888-533-1181.
