Looking To Buy New Compliance Software? Here’s How To Assess Vendor Risk
Get good at it, because compliance will increasingly be about interactive, integrated third-party apps, not standalone, in-house systems.
At a Star conference several years back, a veteran compliance officer for a large asset manager gave this personal example of a technological interaction he believed offered insight into the future of financial compliance: “When you use an app to pay at a parking meter, the app talks to your bank, the bank confirms you are who you say you are, the bank authorizes payment, and then tells the parking app to complete the transaction, which then sends out an email breaking everything down for you—almost instantaneously. It’s apps talking to apps in near-real time. It’s where much of the economy already is and where compliance is headed.”
We know this developmental roadmap intuitively, from so many of our own personal and professional technological interactions. And with less and less reliance on in-house compliance platforms, and having to source more and more essential compliance capability from third-party vendors—makers of all these interactive, talkative apps—it behooves compliance officers to get good at assessing and managing these vendors, particularly any risks associated with using them. Your compliance software vendor isn’t part of your company, after all, though they are providing a very important service to you or working in very close conjunction with you. Here’s a guide for what to look for and how to think about partnering with a compliance software vendor.
1. THINGS THAT SHOULD MAKE YOU GO ‘HMMMM’
Companies can get up to all sorts of things in the course of doing business: activities which can and occasionally should raise eyebrows. These activities range from the clearly malign, and dangerous to the legal operation of your firm, to the simply benign, which may just be indicative of a poor fit. Here are a few examples of both types:
- Outside Activities: Are the key principals of the target vendor involved in any side businesses? Might said businesses distract from or conflict with what your firm does? Is the vendor operating more than one business out of the same location? All of this is more common than you might expect. And while anything you surface might be as innocuous as strategic diversification, it could also amount to something more nefarious.
- Reputation: How well is the third party regarded in the supply chain? How well is it regarded in its overall sphere of operation? Service complaints. Product complaints. Lawsuits. Fines in greater numbers than one would expect. Some or all of these could indicate bigger problems: not just that the vendor might be difficult to work with, but that any consequent poor financial performance could compel it to operate unethically.
- Politics: For certain kinds of businesses in certain countries, political connections can be a boon and can be perfectly legal and ethical. But government connections can also indicate the kind of coziness that regulators in home countries and foreign countries frown upon. Vendor connections to governments in countries that don’t have the best reputations for transparency should be carefully considered in the vetting process.
- Vendors’ Vendors: In the same way your firm is considering contracting out for help, so the third party you’re considering using may also have similar needs and relationships in place, with the same third-party risk that goes along with it. Now you’re getting at levels within levels of vendor risk assessment and management. And while it may all seem a bit too much to think about and delve into, the farther down you can investigate and vet your way through the chain of interconnected companies the better.
- Size And Sophistication: How big is your target third-party vendor? Is it a one-person shop, a small-to-medium-sized one, or a big corporation? Too small and the vendor may not be able to stay on top of its own operations (including compliance), let alone yours. Too big and corporate hubris can set in, with similar results, i.e., important governance practices and processes fall by the wayside. A good indication of this is the satisfaction of their current client base. See if the vendor will put you in touch with references, who can shed some light on this and any other service or user questions you might have.
2. MINDING SOMEONE ELSE’S BUSINESS
How do you find the above-mentioned kinds of things out? With due diligence, of course. In some cases this could be easier said than done, because it means auditing your potential vendor partners. But any upstanding vendor with nothing to hide should be more than happy to answer your questions (within reason, of course) and provide the information requested in a timely fashion. Deep-dive evaluations of this sort are more typical than not these days, so most vendors should have the majority of the information you seek already compiled:
- Inspect your target vendor’s financials, if you can. Or, request a letter from the company’s external auditors stating there’s no problem with the vendor’s financials. Both are equally acceptable.
- Ensure the vendor has documented and functioning compliance programs and policies in place.
- Extend background checks and audit functions to subcontractors, i.e., the vendor’s vendors, if necessary.
- Implement a review schedule with your vendors, to revisit topics critical to both parties on a regular basis.
So long as you present your case and handle matters professionally from the start, a company with nothing to hide should have no problem satisfying your very reasonable curiosity. After all, by partnering with you, depending on the precise nature of the relationship, they may be privy to the most sensitive information you handle, including proprietary processes and practices. It’s a reciprocally intrusive arrangement, in that sense.
And don’t forget the simple things when vetting a vendor. Go out to the company website. See exactly what it is they do. Find out their approach and who their clients are. A company that has its act together should want to let prospects and clients know it. Finally, do an internet search. Make sure the vendor hasn’t been in the news for anything objectionable.
3. DATA INTEGRATIONS, IMPLEMENTATIONS, AND SECURITY
If we are in the brave new world of apps talking to apps, then vetting your compliance vendor with an eye toward gaining a thorough picture of how they handle their data—implementations and integrations in particular—is key. A good vendor has this end of things down pat. Here are some important questions to ask as you vet your potential partner for its range of tech skills.
- Integration: Integrations bring relevant data from other firm systems, or external sources, that could be of use in the compliance platform for cross-referencing purposes. What does the vendor have to say about their own capability in this area? What datasets and integration points do they currently offer that could enhance your data and optimize system usage? This skillset gets at the heart of being able to successfully make apps talk to apps and using data to make business decisions. Make it a priority in your compliance vendor search.
- Implementation: This gets at the actual installation, set-up, and tweaking of your new compliance software. Gathering requirements. Setting milestones. Moving data from an existing compliance platform—be it in-house or that of another vendor—into the new platform. And eventually turning your code of ethics and policies into functionality and software settings that you can manipulate and adjust yourself moving forward. A good vendor can make this happen with alacrity and, one would hope, accuracy. And in this continuing new normal of pandemic lockdown and social distancing, the enterprising and on-its-game compliance software provider can also accomplish a full implementation almost entirely remotely.
- Data Security: There’s no mystery here. Anyone involved in the handling, manipulation, or channeling of your data needs to have their data-security processes and practices completely squared away. What kind of certifications are in place? SOC 2? ISO 27001? How about ISO 9001? What is the vendor’s data-center availability? Above 99%? It should be. Do they have an Information Security Officer on staff? And is your prospective compliance vendor itself compliant? Are they regularly audited both internally and externally? Are they compliant with all the latest data-protection regulations, like the GDPR? The answer to all of these questions ought to be a resounding “yes.” If not, consider looking elsewhere.
THERE’S AN APP FOR THAT, OF COURSE
“Compliance officers will need to become more like technology officers, and technology officers will need to become more like compliance officers.” A parting thought from our veteran compliance officer from earlier, one that dovetails nicely with his thoughts on apps talking to apps being the present and future of financial compliance. As technology increasingly becomes an integral component of compliance, and as that tech is increasingly supplied by third-party specialist vendors, the ability to determine not just which application is best but also which supplier is best will be more than a handy skillset: It will be an inescapably necessary one.