Bates Research | 05-21-25
The Real Work of Effective FinCrimes Vendor Oversight

Practically every federal or state examination of a FinCrimes area includes a section on how systems and system vendors are being managed in the area. The examination steps are frequently woven throughout the exam as opposed to being in a separate “vendor management” section. Therefore, it’s prudent for FinCrimes Officers to have a thorough understanding of the systems and vendors used in the FinCrimes area, and what oversight of those involves.
When asked what effective oversight of FinCrimes systems and system vendors involves, most FinCrimes Officers will respond by describing the once-per-year vendor risk assessments they perform for the TPRM (Third Party Risk Management) or Vendor Management department at their institution or Fintech. (If the Fintech is small, the “TPRM Department” might be one person in Risk Management.) But then the FinCrimes Officer might pause and say “but wait, I do much more throughout the year” to provide effective oversight of systems and systems vendors, and these actions will likely involve internal controls, even if the FinCrimes Officer doesn’t refer to them as such. This article will survey some of the actions a FinCrimes Officer can take to evidence effective oversight of vendors of FinCrimes systems.
Daily Disruptions: Tracking and Managing System Issues
Financial Crimes software programs and systems aren’t perfect. On any given day, something inevitably goes wrong with some system used in the FinCrimes area, which is why handling these events is a key element of managing systems vendors. Consider the following events: an AML file gets ingested late; a system might be down for a few hours; OFAC alerts may come in duplicated; a vendor might send a notice regarding an unexpected outage or error; OFAC lists weren’t updated on time, so OFAC scanning was incomplete; or some glitch prevented the wire alerts from generating on time. Each event must be managed to determine what went wrong with the vendor, how the vendor fixed it, how the vendor will prevent it from happening again, and what the FinCrimes Officer has to do on their end to make everything right. It’s not an easy task.
At the very least, each event, from the mundane to the significant, should be documented by someone in the FinCrimes department. One suggestion is to keep a FinCrimes vendor log to capture the events sampled above. This log serves three main purposes:
- As mentioned above, some events are mundane, but some events are significant and might even rise to the level of activating the institution’s incident response protocol. The log would include fields to document what type of event occurred and would help the FinCrimes Officer follow rules for whom to notify (and in what manner) and what other steps to take. Example: the OFAC scanning system was down 15 minutes. This is likely mundane, but it gets logged. The OFAC scanning system is down 90 minutes, and now it’s likely that some notifications are required to be made internally, especially if wires are being delayed. These notifications might be verbal. Now, consider the OFAC scanning system is down 30 hours. This will likely involve Incident Response because some other way of scanning wires needs to occur so they aren’t delayed. This response will be more formal.
- The log can also aggregate all the events that occurred for a particular vendor in one place so that the vendor’s overall performance, compared to agreed-upon SLAs, can be monitored. For example, consider the OFAC scanning system that’s down 15 minutes. Was that a singular occurrence, or did it happen more frequently? Monitoring this is important because it can support the vendor conversations that will likely happen regarding SLA performance. If the information isn’t in one log, it’ll be up to someone in the FinCrimes area to remember which days the system was down and for how long, and that won’t support the vendor management process very well.
- When the annual vendor management risk assessment takes place, it is not ideal to rely on anyone’s memory when answering the questions in the assessment. The log will provide the FinCrimes Officer with qualitative and quantitative information to respond to each area and assess risk accurately. It also serves as support for each response.
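As an added illustration of the vendor log described above (not code from the article), here is a small Python model of the log that applies the escalation tiers from the OFAC outage example and rolls up one vendor’s events against an SLA; the tier cut-offs, the SLA figure and the vendor names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Escalation tiers modelled on the article's OFAC outage illustration
# (15 minutes: log only; 90 minutes: notify; 30 hours: incident response).
# The exact cut-offs are an assumption made for this example.
TIERS = (
    (timedelta(hours=1), "mundane"),   # log it and move on
    (timedelta(hours=24), "notify"),   # internal notifications, possibly verbal
)
INCIDENT = "incident_response"         # formal incident response protocol

@dataclass
class VendorEvent:
    vendor: str
    system: str
    day: date
    duration: timedelta
    description: str

    def tier(self) -> str:
        """Classify the event by how long the disruption lasted."""
        for limit, name in TIERS:
            if self.duration < limit:
                return name
        return INCIDENT

def summarize_vendor(events, vendor, sla_downtime_hours):
    """Aggregate one vendor's logged events for SLA review and the annual assessment."""
    mine = [e for e in events if e.vendor == vendor]
    total = sum((e.duration for e in mine), timedelta())
    return {
        "events": len(mine),
        "downtime_hours": round(total.total_seconds() / 3600, 2),
        "incidents": sum(1 for e in mine if e.tier() == INCIDENT),
        "within_sla": total <= timedelta(hours=sla_downtime_hours),
    }
# Constructed sample log; "ScreenCo" and "AlertWorks" are fictional vendors.
SAMPLE_LOG = [
    VendorEvent("ScreenCo", "OFAC scanning", date(2025, 3, 3), timedelta(minutes=15), "brief outage, no wires delayed"),
    VendorEvent("ScreenCo", "OFAC scanning", date(2025, 3, 18), timedelta(minutes=90), "outage, wires queued"),
    VendorEvent("ScreenCo", "OFAC scanning", date(2025, 4, 7), timedelta(hours=30), "outage, manual wire screening"),
    VendorEvent("AlertWorks", "AML monitoring", date(2025, 4, 9), timedelta(hours=3), "AML file ingested late"),
]

if __name__ == "__main__":
    for e in SAMPLE_LOG:
        print(e.day, e.vendor, e.system, e.tier(), e.description)
    print(summarize_vendor(SAMPLE_LOG, "ScreenCo", sla_downtime_hours=8))
```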
One-Time Events: Navigating Vendor Mergers and Sunsets
One-time events could involve a systems vendor being purchased by another vendor (M&A activity) who then sunsets a product, discontinues support, or moves customers onto a new module (for CDD or OFAC, for example). Over the course of a systems vendor relationship, one or more of these events is likely to happen.
The key to effectively managing these one-time events is to remain informed, understand deadlines, understand impacts, communicate them internally (especially when operations and IT support are needed) and document any risks to the FinCrimes program. The point is that the FinCrimes Officer needs to manage this situation and not let the situation manage them.
Using Systems Validations to Strengthen Oversight
Performing systems validations can also be an effective tool for managing a vendor relationship. Imagine a FinCrimes Officer validating the effectiveness of an OFAC scanning system and noticing that the system can’t flag names that have a one-letter change (a typical test). That would be a good time to have a conversation with the systems vendor about how their system is functioning and whether they have other options to improve effectiveness.
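The one-letter-change validation described above, as an added example that is not part of the article: it generates every single-edit variant of each listed name and counts how many a screener fails to flag. The watchlist names and both screener functions are constructed stand-ins for this example, not any vendor’s engine.

```python
import string

def one_letter_variants(name):
    """Every single-character substitution, deletion or insertion of a name."""
    name = name.upper()
    letters = string.ascii_uppercase
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                 # deletion
        for c in letters:
            variants.add(name[:i] + c + name[i + 1:])         # substitution
    for i in range(len(name) + 1):
        for c in letters:
            variants.add(name[:i] + c + name[i:])             # insertion
    variants.discard(name)                                    # drop the unchanged name
    return variants

def levenshtein(a, b):
    """Edit distance; used by the toy fuzzy screener below."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exact_screen(name, watchlist):
    """Stand-in for a weak screener that only matches exact names."""
    return [w for w in watchlist if w.upper() == name.upper()]

def fuzzy_screen(name, watchlist, max_distance=1):
    """Stand-in for a screener that tolerates one edit."""
    return [w for w in watchlist if levenshtein(name.upper(), w.upper()) <= max_distance]

def validate_screener(screen, watchlist):
    """Run the one-letter-change test; return {listed name: (missed, tested)}."""
    report = {}
    for entry in watchlist:
        variants = one_letter_variants(entry)
        missed = sum(1 for v in variants if not screen(v, watchlist))
        report[entry] = (missed, len(variants))
    return report

# Constructed watchlist of fictional names, not a real sanctions list.
WATCHLIST = ["ALEXEI VORONIN", "MARIA CASTELLANOS"]

if __name__ == "__main__":
    print("exact:", validate_screener(exact_screen, WATCHLIST))
    print("fuzzy:", validate_screener(fuzzy_screen, WATCHLIST))
```

A screener that misses a large share of the variants is the finding to raise with the vendor; the same harness can be re-run after the vendor changes its matching settings.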
Proactive Engagement: Building Relationships with Vendors
Effective oversight of FinCrimes systems vendors also involves:
- Attending vendor conferences, webinars, and training.
- Being an active member on vendor information portals.
- Periodic scheduled touch-base meetings with the vendor.
- Participation in vendor task forces / advisory panels.
In other words, the FinCrimes Officer shouldn’t wait to receive one-way communications from the systems vendor. They should assume an active role in the relationship to support two-way communications.
Managing FinCrimes systems vendors is an important part of a FinCrimes Officer’s job, and it goes beyond completing the annual risk assessment for the TPRM department. Effective oversight is an ongoing process and part of daily operations, not just a yearly obligation.
When asked about the methods for effective oversight of FinCrimes vendors during federal or state examinations, the FinCrimes Officer should frame their response using the main topics discussed above to illustrate the ongoing nature of the oversight pro