How Banks Can Supervise Third Party Vendors

The Minnesota Attorney General's case against USBank last summer - combined with the Gramm-Leach-Bliley Act of 1999 and an overall heightened awareness of how credit card issuers conduct third-party marketing programs - has caused banks around the country to tighten their data security and vendor management procedures.
Credit-card issuers to a large extent, and checking account and other loan account issuers to a lesser extent, work with third-party firms to offer programs such as insurance, clubs, merchandise, and various protection services. To conduct marketing programs, product providers often call upon subcontractors for functions such as segmentation/modeling, data appending, telemarketing, customer service, personalized printing and mailing. This puts a number of firms in touch with customer data and materials in order to market, bill and service programs.
Most banks conduct inspections and reviews of the vendors contracted to support their programs. Some conduct audits through in-house staff and others through outside auditing and specialty management firms experienced in the particulars of the credit card and bank third-party marketing business.
"We have seen an increase in interest from financial services for independent auditing services this past year," said Colleen McMillan, CBSI quality assurance manager. "Many companies do not have available staffing to travel all over the country to audit every vendor and subcontractor who touches their clients' data. We frequently find subcontractors who are coming in contact with customer data are not previously known to the clients."
Let me suggest several key steps and considerations for the management of third-party marketing programs:
Request For Proposal: From the initial contact with the candidate firm, the standards which will have to be met should be spelled out. Caution should be applied at this stage to not make the requirements appear so burdensome as to discourage candidates who otherwise might do a good job.
Sometimes unexpected situations require hiring a vendor on short notice. In this case, the vendor is being hired for particular expertise or abilities that can be utilized immediately. The vendor's supporting infrastructure should still be reviewed, distinguishing the changes needed to meet the client's standards that must be made immediately from those for which a reasonable period can be allowed for compliance.
Preliminary Interview: Serious candidates should have their proposals reviewed from the standpoint of data security and ability to meet client standards. Areas of potential weakness can be identified for detailed inspection during the on-site audit. Key areas to examine:
A. Use of Subcontractors: Will all data processing, calling, customer service, mailing and personalization be done in-house? Anticipated use of subcontractors should be specified up-front.
B. Account Numbers: The new financial services legislation limits the transfer of bank customer account numbers to third-party marketing programs, even in a coded or truncated form. It is important to verify how the firm can set up identification numbers of its own to track individual customer records through processing.
On-site Audit: Probably the most important part of the process. Every location which receives, stores, or processes client data should be visited.
Considerations such as the following should be examined:
Building: What overall building security is in place? Is access to secure areas regulated by pass keys?
Staffing: Are ID badges worn by all employees? Are background and drug tests conducted on employees?
Tape Library Security: How is access limited? Are tapes labeled using a file security package? Is there a system for erasing data upon completion of the job?
Physical Security: Are the data center and tape library protected by intrusion alarms, fire protection alarms, automatic extinguishing systems and backup power facilities?
Firewalls: How will client data be kept separate from that of other clients? How is authorization given for online access? How often are pass keys changed?
Overflow: Will any additional sites be used if any aspect of the assignment can't be performed at the primary location? Arrange a visit to any site for which authorization is requested.
Teleservices: If the vendor operates a call site, verify the information each representative will have access to. Generally, the minimum amount of client-specific data should be provided, with a paperless environment preventing any customer data from being written down.
"Anonymity software such as IBM/RACF is a key to keeping client data secure within a data center," says Myles G. Megdal, Chairman of Marketing Information Technologies, Rye, NY. "This software assigns random numbers to each segment of data so that no specific data is recognizable. It logs every attempt to access client or project information, identifying any user IDs which do not have access approval."
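The two controls above, the bank-side tracking numbers of item B and the random-number assignment plus access logging described in the quote, can be checked mechanically at audit time. The following is an added illustration, not code from the article, RACF, or any firm named here: it replaces account numbers with random tracking IDs whose lookup table never leaves the bank, tests a vendor file for leaked full or truncated account numbers, and flags log entries from user IDs not approved for a project. All records, log lines and project names are constructed sample values.

```python
import secrets

# Constructed sample of bank-side customer records (hypothetical values).
BANK_RECORDS = [
    {"account": "4111111111111111", "name": "A. Sample", "zip": "55401", "segment": "gold"},
    {"account": "4222222222222222", "name": "B. Sample", "zip": "55402", "segment": "silver"},
]

# The minimum fields the marketing vendor needs; name and account number are withheld.
VENDOR_FIELDS = ("zip", "segment")


def pseudonymize(records, fields=VENDOR_FIELDS, id_bytes=8):
    """Return (vendor_file, lookup). The vendor file carries a random tracking ID and
    only the listed fields; the lookup table (tracking ID -> account) stays at the bank."""
    vendor_file, lookup = [], {}
    for rec in records:
        tid = secrets.token_hex(id_bytes)  # random, not derived from the account number
        while tid in lookup:               # guard against the (unlikely) collision
            tid = secrets.token_hex(id_bytes)
        lookup[tid] = rec["account"]
        vendor_file.append({"tracking_id": tid, **{f: rec[f] for f in fields}})
    return vendor_file, lookup


def leaks_account_data(vendor_file, records):
    """True if any field in the vendor file equals a full account number or its last four
    digits, i.e. the coded/truncated transfer the legislation still prohibits."""
    forbidden = set()
    for rec in records:
        forbidden.update({rec["account"], rec["account"][-4:]})
    return any(str(v) in forbidden for row in vendor_file for v in row.values())


# Constructed access log: (user_id, project, action), and per-project approved user IDs.
ACCESS_LOG = [
    ("jdoe", "BANKX-INS", "read"),
    ("tempstaff", "BANKX-INS", "read"),
    ("jdoe", "BANKY-CLUB", "read"),
]
APPROVED = {"BANKX-INS": {"jdoe", "msmith"}, "BANKY-CLUB": {"msmith"}}


def unapproved_access(log, approved):
    """Return (user_id, project) for every access by a user ID lacking approval for that
    project; a user approved for one bank's program is still flagged on another's."""
    return [(u, p) for u, p, _ in log if u not in approved.get(p, set())]
```

The leak check is deliberately an equality test on whole fields rather than a substring scan, so a random hex tracking ID that happens to contain four matching digits does not produce a false alarm; an auditor wanting substring matching should run it only over digit-only fields.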
Contract: A well-prepared contract not only itemizes the services to be performed and pricing, but also lists the standards the bank requires the vendor to meet in handling data and proprietary information. Hold-harmless clauses should cover any specific liabilities the bank and its customers might suffer from exposure to the vendor or from administration of the program.
Ongoing: A review of each vendor's compliance with bank standards should be conducted annually. The vendor should be on notice to obtain prior approval from the bank before bringing in additional work sites or subcontractors who will touch the program.
The use of outside vendors by financial institutions is a practice established over many decades and provides special expertise and customer servicing capacity that would be costly to duplicate in-house. With proper management and regular supervision, partnership with outside vendors can be very beneficial.