How Should Banks Handle a Vendor Risk Assessment? [Podcast]

In this podcast, Maria Abbe sits down with Megan Fielman, Senior IT Audit & Compliance Manager at PrecisionLender, to discuss best practices for handling a vendor risk assessment, and why a partnership with your vendors is crucial when it comes to security.

Podcast Transcript

Maria Abbe: Hi, and welcome to the Purposeful Banker Podcast. The podcast brought to you by Precision Lender, where we discuss the big topics on the minds of today’s best bankers. I’m your host, Maria Abbe, content manager at Precision Lender. Today I’m joined by Megan Fielman. She’s our senior IT audit and compliance manager. Thank you all for joining us.

Bank service converse, and that’s not something new. What is new is the wave of technology available to banks, and also the post security risks that may come along with implementing these pieces of technology. That’s why we brought in Megan, who has 10 years of previous experience at First Citizen’s bank in audit and risk. We’d though we’d take some time to discuss how banks can navigate a vendor risk assessment when vetting new technology, to make sure that the bank is as safe as possible. With that, welcome Megan. We’re excited to have you.

Megan Fielman: Thanks Maria, I’m excited to be here.

Maria Abbe: Now, do you mind kicking us off by telling us a little bit about your background at First Citizen’s bank?

Megan Fielman: Sure. I spent the first part of my career with the bank as an internal auditor, kind of getting to know the bank, and getting the feel for everything. From there they actually identified the need for a corporate governance division at the bank. I left the internal audit area to support that function. We realized at the time when we were kind of going through acquisitions, and a lot of changes within the organization, that there was really a need for a risk division. We took the steps needed to establish our risk committee of the board, and a supporting framework for that organization. I spent the last several years of my time at the bank focused on the deployment of that ERM program.

Maria Abbe: Yeah, I bet it was really cool to be a part of that roll out.

Megan Fielman: It really was. It certainly was a challenging endeavor, but one that was really rewarding and exciting to see the adoption that occurred across the organization.

Maria Abbe: Yeah. Now, what is it that you do here at Precision Lender?

Megan Fielman: Well I’m on week four, so I’m still figuring that out myself. So far I know that I’m going to be assisting with the build out of the existing audit and compliance program that’s here, as well as kind of doing part of what I did at the bank. Helping to further refine and establish the risk framework within precision lender. Given there’s already one in place, but certainly continuing to build that out a bit here. One of the things I also have seen so far is some of the interface with our clients already, to address their vendor risk concerns.

Maria Abbe: Sounds like a lot of fun too. Now when you were at First Citizen’s, how did vendor management tie into the ERM program?

Megan Fielman: Vendor risk is, I think a key component of really any banks operational risk profile. There’s an ever increasing focus not only on third party risk, but even within the past couple of years. There’s been a focus on fourth party risk as well. We partnered really closely with our vendor risk team to work on refining, reporting, and figuring out what data was pertinent to go to the operational risk committee, and then even as needed, escalate that information to our board.

Maria Abbe: That’s interesting, cause now you’ve been on both sides of the risk evaluation with being at the bank, and then at a vendor for a bank.

Megan Fielman: Yeah, it’s definitely, it’s really neat to have seen it from that side, and then to come onto Precision Lender, and to kind of be talking to the old mes at the bank.

Maria Abbe: I bet those conversations are a lot different being on the flip side. Now Megan, what are some of the biggest vendor risks relative to banking?

Megan Fielman: I think it’s safe to say that for any bank, the largest vendor risk exposure is going to be sharing your data. Generally that’s going to be one of the first questions that’s asked going into an engagement is, “Are you planning to share your confidential information, or PII? If so, how are you going to be doing that?” I think that the vendor process for vetting a vendor, for someone who you are going to be sharing data with, versus someone who you aren’t, is probably going to look a lot different.

Maria Abbe: Interesting. PII, that’s pretty important and pertinent stuff, where and how should that be stored?

Megan Fielman: I don’t know that there’s really a right answer to that question. I would say that securely for sure, but I think it depends on the banks preference. There’s so many options today, whether that information’s hosted, or whether you’re working with someone who deals with Cloud computing, or you’re looking for a software as a service solution. There’s a plethora of choices, and it’s really just a matter of insuring that whichever choice you make, that they’re securing your data.

Maria Abbe: With the flurry of new technology, especially within the Cloud based sphere, have you seen that banks are becoming more comfortable with Cloud based solutions?

Megan Fielman: Most definitely. I think that banks are commonly not known as early adopters, they as you mentioned earlier, normally tend to be a little bit more risk adverse. I think when Cloud computing was initially introduced a couple years ago, it was unfamiliar, and unfamiliar things are often kind of scary. As Cloud computing has advanced, and evolved, and really a lot of those service providers have been able to either gain certifications, or provide additional information on what they are doing to secure your data, banks have been able to gain a lot more comfort with going to solutions like that.

Maria Abbe: Yeah, and now prior to this shift in mindset what were some of the misconceptions the banks had towards Cloud based solutions?

Megan Fielman: I think that you couldn’t secure your data as well, I’ll say. Although there’s some level of comfort knowing that you could find a solution that could secure your data through Clouds, there just wasn’t that same level of trust there. I think that as there’s obviously pros and cons to any option, when Cloud computing was initially introduced it seemed like the list of cons was really long. I think as we’ve started, well, we’ve continued to evolve with Cloud computing, I think that list has evened out quite a bit, and maybe even slanted a bit to seeing more pros than cons associated with it.

Maria Abbe: Yeah, so now that banks are leaning more towards Cloud based solutions, and taking that into consideration especially as they go through under management, and due diligence processes, security and risk are probably at the top of the list when they are vetting those vendors.

Megan Fielman: Maria, I as a risk professional would love to say that’s the case. I think it depends in a lot of different organizations. I think it always ends up being a part of the process, it’s just kind of a matter of where that actually is sequentially part of the process. Sometimes it’s not until later with the vetting, but definitely the evaluation of vendor risk should be a component of any vendor risk assessment.

Maria Abbe: Really it’s contingent upon the process that’s within the bank. In your opinion where do you think that should come into that process?

Megan Fielman: I am certainly biased in that response because I do believe that it should be at the beginning of the process. I think that sometimes the determination about the vendor risk profile will have an effect on the rest of the due diligence. I think it’s better to do that up front, but obviously as the audit compliance person at the table I’m going to come back with that response. I think that you can see it be successful at any organization, I just think that it’s definitely the more effective and efficient way to do it up front.

Maria Abbe: Yeah, I can totally see that. That makes sense. Now, when a bank gets to that part in the process whenever that may be for them, what are some questions that they should ask to ensure that the vendor has covered all risk bases?

Megan Fielman: Well, oddly enough I feel like that … Also, we’ve been talking a lot about shifts over the past three to four years. I think something that we started seeing several years ago was not only a focus just on some of the attestations and certifications that vendors are able to provide banks to gain that level of security, but also getting a better feel for who your vendors are, and what your programs look like, and really developing some of those relationships so that a bank can gain trust in the companies that they’re using.

Maria Abbe: Yeah, so building a partnership almost?

Megan Fielman: Exactly, exactly. I think that banks are realizing that having that partnership, and getting to know your vendors a little bit better is certainly meaningful for both sides of the table.

Maria Abbe: How would a bank obtain a greater level of trust with a vendor?

Megan Fielman: There’s definitely a really long list of compliance, kind of check the box items that I could speak through as far as whether you wanted to see a companies SAE 16 reports, or their SOC 2. There’s obviously a plethora of different regulatory and compliance check boxes that are very important to see. I say check boxes, and I don’t mean to diminish those, but I certainly think that in addition to making sure that they have, I’ll say a standard. At this point if you’re going with a vendor that you’re trusting with your confidential data, you want to see those things. I think one of the things we’ve really begun to see, and I hope we continue to see, is companies really trying to understand the core values of some of the companies that they’re choosing to do business with. I think obtaining a greater sense of transparency into those organizations, and who they are, and what matters to them, and kind of where they’re going as an organization is also really important to do.

Maria Abbe: Yeah, so it sounds like it’s two fold. On one hand you have, like you were saying, the documents that you need to see that ensure that everything is properly put in place and audited. Then on the flip side it goes back to that partnership of trust, and transparency, and you’re forming a relationship with this company.

Megan Fielman: Exactly, exactly.

Maria Abbe: In light of that we’ve actually recently decided to rename our IT security department to be called, “Trust.” Why have we made that change?

Megan Fielman: Yeah, it really was a recent change. I joined, and joined the security team, and now I’m part of the Trust team which I actually love, and I love the reason behind it. Carl our CEO, he has an axiom, and that axiom is as time goes to infinity, activities will approach the literal interpretation of their name. I’ll give you the same example that I was given. I believe when our customer success managers started implementing their process, they setup courtesy calls for the institutions that they serviced. It turns out that even though that courtesy call was supposed to be a regular checkpoint with their customer to make sure that they were happy with the Precision Lenders solution, and kind of find out more about really what was going on with them. Because it was labeled a, “Courtesy call,” and that’s what we were calling it, it really kind of turned into a courtesy call.

A lot of the time either the courtesy call didn’t happen, or people said, “Oh no, we’re good. Thanks for offering.” We really wanted to find out is the customer having success with the tool, and what can we do to better serve the customer? We renamed those from, “Courtesy calls” to, “Customer success review,” which is what they truly wanted it to be. Using that same logic, although we’re still focused on security and compliance, our goal is to provide trust to our customers. We’re changing our name, and we’re going to be the Trust team.

Maria Abbe: I love that, it reminds me of the quote, “I think, therefore I am.”

Megan Fielman: Exactly. I hope that my job here will definitely be providing that trust to our clients

Maria Abbe: Yes, I’m sure it will. Great, those are the only questions that I have for you today Megan. Thank you so much for joining us, and for sharing all of your knowledge on risk and compliance, and all of that good stuff. That will do it for us today folks. Thank you all for listening. As always you can find more information about today’s podcast at PrecisionLender.com/Podcast. If you like what you’ve been hearing, make sure to subscribe to the feed in iTunes, SoundCloud, or Stitcher, and we would love to get ratings and feedback on any of those platforms.

Thanks again for listening. Until next time, this has been Maria Abbe and Megan Fielman. You’ve been listening to the Purposeful Banker Podcast.

The post How Should Banks Handle a Vendor Risk Assessment? [Podcast] appeared first on PrecisionLender.