July 7, 2014

Vendor Risk Management a Big Area of Focus for... Everyone

Not surprisingly, in the 2014 Compliance Trends Survey conducted by Deloitte and Compliance Week, third-party risk management was identified as the leading area of concern for compliance managers surveyed:  “Third party relationships continue to be a prime source of anxiety for small and large companies alike. A sizable 85% of respondents said they are somehow reassessing their businesses’ relationships with joint ventures, suppliers, distributors, agents and the like…”

What was surprising is the lack of oversight practiced, even by larger organizations. According to the study: “The most common form of managing third-party risks is only to provide those third parties a copy of the Code of Conduct…Less than one-third of respondents said they perform extensive background checks on third parties”

Enforcement efforts around third-party vendor compliance have increased over the last several years, most acutely in the financial services sector. In April 2012, the CFPB, empowered by the Dodd-Frank Act, announced that financial institutions under its supervision would be held responsible for the actions of their service providers and vendors. Since that pronouncement, the CFPB has levied hundreds of millions of dollars in fines and restitution payments against banks and credit card companies, tied largely to deceptive sales tactics employed by third-party service providers.

Similarly, the healthcare industry has come under greater scrutiny from its regulators for third-party vendor compliance. According to Healthcare IT News, “Between 25 percent to 27 percent of all HIPAA breaches involve a business associate, with some as high as 64 percent, according to the Office for Civil Rights, the HHS division responsible for investigating HIPAA violations.”

With the patchwork of rules and regulations pertaining to third-party risk (e.g. FCPA, AML, HIPAA/HITECH, Dodd-Frank, etc.), coupled with the small staffs and budgets allocated to compliance departments, a third-party breach is virtually inevitable.

Based on market discussions, vendor management firms appear to be experiencing tailwinds. As enforcement continues and grows, we believe those winds will only strengthen. Another trend we expect to emerge is compliance-as-a-service; we are already starting to see some vendors adopt that go-to-market strategy. After all, compliance will never be a core competency of businesses big or small. It doesn’t offer a competitive advantage or drive top-line revenue. In fact, in certain markets we have seen competing firms collaborate in order to determine and benefit from best practices. Accordingly, we believe the compliance function, or certain sub-functions of it, is ripe for outsourcing. Imagine having only one vendor to oversee, analogous to a utility, versus the 80 to 100 that most financial institutions contend with today.