What is Vendor Compliance Management?
An effective risk management strategy includes assessing and monitoring vendor compliance with your company’s policies and procedures. Today’s compliance program typically involves an ongoing struggle to organize vendor responses using spreadsheets and questionnaires while manually tracking recurring events and supporting documents. Where should you start?
According to CFPB Bulletin 2012-3, companies must “oversee” their vendors “in a manner that ensures compliance with Federal consumer financial law…The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.”
What Do You Need for a Vendor Compliance Management Program?
In the past, managing vendor compliance contractually was sufficient. Compliance risk and responsibility were transferred to the service provider, and through this process, compliance activity was kept at arm’s length. Now, however, a full chain of custody is necessary to ensure full compliance. For this to happen, an effective process must be in place. So, what does this include?
- Policies and procedures: Policies and procedures should define your vendors’ due diligence requirements and set out the process for terminating contracts with vendors. You should also have procedures that verify those policies and procedures are actually being followed.
- List of third parties: A key step in vendor compliance management is creating a list of all vendors and the services they provide to your organization.
- Contracts with third parties: In contracts with vendors, you need to list specific expectations and obligations. Your contract should include the scope of the relationship, cost, performance standards, reporting guidelines, security standards, dispute resolution, and termination rights.
- Evidence of due diligence: To ensure that your vendors are practicing due diligence, you should monitor their compliance efforts. This can include monitoring their performance, audit reports, compliance requirements, training effectiveness, quality of services, and risk management practices.