Banks Turn the Spotlight on Vendor Risk

Tags: economic crisis, financial services, banks, asia/pacific,

In recent months, we received several inquiries from banks about how they are best to ascertain the business and financial viability of their vendors. The intent of the inquiries could partly be attributed to how banks are working to avoid another spectacular issue as that seen out of the former Satyam. Banks have more clearly  understood how technology failures, including the failure of technology vendors to deliver, can have dire implications for business continuity, bank reputation, and business strategy.

Indeed, the economic crisis has put in question the viability and sustainability of vendors' businesses. While several financial technology vendors have reported strong results despite a tumultuous economic environment, most players have shown their weakest performance in years. The pace of vendor consolidation has gained more speed. Early this year, we stated that 2009 will see 12 of the top 100 financial technology firms acquired or declaring bankruptcy, higher than the industry average over the past five years.
Vendors have been more mindful of fee structures and engagement margins. Banks justifiably have to be on guard for vendors drastically cutting staff levels (especially in banks' outsourcing partners), as well as those showing declines in SLA compliance and performance.

Although the fall of Satyam is not necessarily attributed to weak financial performance, the Satyam saga easily proved that lapses in reporting are possible. Financial institutions have thus intensified their scrutiny of the financial reports and balance sheets of their vendors. The lack of transparency is correctly considered a significant risk in itself. Vendors though have themselves responded with improved transparency. Disclosures made by vendors to current and potential clients have become more detailed to include other client references, new wins, and other metrics for performance and delivery.
Regulatory mandates have also scaled up to reflect the new regime of vendor transparency. There will be a greater push to report vendors' banking relationships (are vendors themselves clients of the banks they serve?) — something that we note especially in India. Although the most recent regulatory guidelines coming out of Asia/Pacific regulators speak more to data integrity, data privacy, and information security, the focus on effective governance of vendor relationships has indeed been heightened. We expect that in the medium term, more specific guidelines on vendor due diligence and monitoring will be put in place, following IT risk guidelines in Singapore (Internet Banking and Technology Risk Management Guidelines) and Hong Kong. This is similar to the developments we saw in the United States, where the Gramm-Leach-Bliley Act's mandates for privacy and integrity of customer information gave way to vendor due diligence and vendor risk management rules.