Carrying Out Due Diligence on Technology Providers
2/17/2011
By Robert Mendez
Executive Vice President, BankOnIT
Before taking on any technology function internally, a bank should ask, “Can someone else do this task for us better, cheaper, faster, simpler, more reliably?”
There are excellent reasons to select an external provider for technology-related services: (1) guaranteed fixed cost, (2) access to specialized expertise, (3) uninterrupted staff availability (no risk that a key position becomes vacant), (4) improved redundancy and disaster recovery capabilities and (5) ability of management (after delegating the activity) to concentrate more time on banking - making loans, helping customers and essentially doing those things that make you money.
Utilizing a third-party provider can also be a better way to manage the bank’s technology-related security and compliance risks.
However, assigning the performance of technology services to a vendor will not make a bank any less accountable to regulators for problems that may arise with those services. This reality requires a bank to make well-informed decisions when selecting any technology vendor, and to continue to supervise the services provided by that vendor.
Due diligence is important (and regulators require it), but it doesn’t have to be difficult. Here are 5 simple questions a bank should ask in considering technology providers:
1. Is This a Good Fit?
A bank should carefully evaluate its technology and business needs before selecting a service provider. If you go to a car dealer without knowing what you want, you may go home with a car you don’t really want! It could lack the heated seats you really want, or may have features you really don’t care about which simply add to the price of the car. Either way, once you buy it, you’re committed. Technology providers tend to sell you what they offer, not necessarily what is best for you. If you understand what you need (instead of buying what a provider has for sale), you’re already closer to a good fit with the service provider.
A provider should understand the needs of your business, not just technology. An individual might have specific technical knowledge, but that gives you no practical value unless the person can also effectively apply it in ways that help you to solve problems, create greater efficiencies, or gain other advantages. I.T. personnel who use “nerd-speak”, or lack real-world understanding of regulatory requirements or bank customers’ needs are creating more inefficiencies and problems for you than they are solving. Select a company that can explain technology in plain English and has both technical staff and people experienced in your industry. Also ask for and check references.
2. Is the Provider Financially Stable?
You need a technology provider who will remain in business, continuing to provide the services you have contracted for. When a customer signs a promissory note, he’s legally bound. But that’s not all you care about. You want to know, “Do you have the ability to perform on this loan?” Banks should look at critical technology providers similarly: If you must have continued availability of technology services, you should make sure the provider is financially stable and able to continue in business during the contract term.
Analyze the company’s financial statement, like you would for a loan applicant. Bankers should review a company’s financial statement to detect potential problems. (For example, thin capitalization and substantial debt may impair a technology company’s ability to pay employees or support products. Would the loss of a few key clients put the company out of business?) What about the company’s growth rate and debt structure? Many technology companies have heavy debt loads or venture capital investments, making their primary goals rapid growth followed by a quick sale to the highest bidder. That may be fine for the owners, but it probably does not align very well with your goals.
A provider should take good care of its employees. A provider must retain experienced employees before they can help you. Does the company retain key staff, offer standard benefits, and provide a good working environment?
3. Who Runs the Company?
If possible, talk directly with individuals running the company. Do they have time for you? Do they listen well? Are they focused on your needs, or just trying to sell a product? Discover their business philosophy. Ask yourself, “Can we relate to these people and develop a good relationship?”
Ownership of the company affects how it is operated. If officers are owners, they will focus on the company’s long-term best interest (and likely also the client banks’ best interest). By contrast, in some companies, the owners may be separated from management and personnel not only by geography but also by goals that emphasize short-term profits over longer-term customer relationships and service.
4. Are the Bank’s Risks Reduced?
Shifting the performance of technology services to an external provider may not reduce the bank’s overall risks. A third-party vendor will probably decrease certain risks for the bank. However, transferring functions to a technology vendor can open the door to other risks. A bank should anticipate these risks, and find out how the vendor controls them. Ask what internal steps the vendor takes to protect the bank’s data and systems. (These may include physical, electronic and employee-policy controls with respect to the vendor’s facility, data storage areas, and personnel, including employee-hiring standards, and background checks.)
Ask about the provider’s FFIEC Technology Service Provider Exam and independent audits, if available. An FFIEC regulatory exam evaluates the provider in a manner similar to your bank’s own exam. A SAS70 Type II audit gives additional assurance, measuring compliance with internal controls.
5. Does the Contract Protect You?
The provider’s contract should clearly spell out the services you will receive and what price you will pay. If the contract does not define the technology services clearly, resolve this in writing. What services are included for a fixed price? What services result in hourly-rate labor charges and travel expenses? Does the contract provide language assuring compliance with GLBA and other federal regulatory requirements?
Technology outsourcing can help you gain added reliability, redundancy, and efficiencies. With some due diligence before contract signing you can successfully enjoy the benefits while limiting your risk.
Editor’s Note: Robert Mendez is Executive Vice President for BankOnIT. BankOnIT works to make I.T. easy for financial institutions. Learn more at www.bankonitusa.com




