By Sara Burton
I recently had the opportunity to participate as a panelist on an AccountsRecovery.net webinar discussing a topic that deserves far more attention within our industry: The Vendor Conversation Nobody’s Having: What Your Tech Providers Owe You on Compliance and Performance.
The discussion explored the evolving role of vendors and service providers in the accounts receivable management industry, and the responsibilities organizations have when outsourcing critical functions. I’ve also included short clips from the webinar for those interested in hearing parts of the discussion firsthand.
In the accounts receivable management industry, we spend a great deal of time talking about compliance, consumer protection, cybersecurity, and operational risk. We invest in policies, audits, monitoring programs, and training. Yet, one of the most significant sources of risk often receives less scrutiny than it deserves: our vendors.
Or perhaps more accurately, our service providers.
The terms vendor and service provider are frequently used interchangeably in business conversations.
Most organizations use both terms to describe third parties that provide products, services, or support to their operations. While I may be known for occasionally pointing out the difference, this is more than a compliance nerd’s pet peeve; it’s an important regulatory distinction.
The Dodd-Frank Act specifically defines a service provider as a person or entity that provides a material service to a covered person in connection with the offering or provision of a consumer financial product or service. Simply put, a service provider is a third party whose activities can directly impact consumers and, by extension, an organization’s compliance obligations.
That distinction matters because regulators have consistently made one thing clear: organizations cannot outsource accountability. While a service provider may perform the work, the organization remains responsible for overseeing the activity and ensuring it is conducted in compliance.
This is especially relevant in the ARM industry, where technology providers have become deeply embedded in nearly every aspect of our operations. They host our data, facilitate consumer communications, process payments, manage workflows, provide analytics, and increasingly influence business decisions through automation and artificial intelligence. Many of the consumer-facing experiences regulators evaluate are no longer controlled solely by us; they are enabled by our service providers.
That raises an important question: What do our technology providers owe us?
For many organizations, vendor management still focuses heavily on onboarding. We conduct due diligence, negotiate a contract, complete implementation, and move on. However, the most significant risks often emerge long after the contract is signed.
I frequently see accountability gaps surface during change management. A system update is released. A workflow is modified. A subcontractor is added. A process that was once compliant begins producing unexpected results, and no one is quite sure who was responsible for identifying the risk before it reached production.
The challenge is that compliance is not a static achievement. It requires ongoing transparency, communication, and shared accountability.
One area where organizations need to be particularly vigilant is during the sales process. When a provider tells me their platform can solve all my operational challenges, that compliance is “built into the product,” or that their solution automatically eliminates risk, I become less interested in the promise and more interested in the evidence. Compliance is not a feature that can simply be turned on; it is the result of governance, controls, testing, oversight, and ongoing monitoring.
I want to understand what has been proven in production, what independent validation exists, how issues are identified and corrected, and where the limitations of the solution remain. Independent audits, security assessments, business continuity testing, and documented control frameworks tell a far more meaningful story than marketing materials or sales presentations ever could.
Transparency is another area where organizations should be asking tougher questions.
As clients, we should feel empowered to request documentation, challenge assumptions, and validate critical controls. This is not about distrust; it is about responsible risk management. If a provider’s process directly impacts consumers, data security, operational resilience, or regulatory obligations, organizations have both the right and the responsibility to understand how those controls operate.
The conversation becomes even more complex when we consider fourth-party and fifth-party risk.
Most technology providers rely on their own network of vendors, subcontractors, cloud providers, and service partners. While organizations cannot realistically audit every company in that chain, they should understand which downstream providers have access to sensitive data or perform critical functions. Vendor oversight can no longer stop at the first contract.
Another uncomfortable reality is that sometimes a vendor relationship simply no longer fits – even when the provider has done nothing wrong.
As organizations grow, regulatory expectations evolve, and technology advances, the solutions that once supported the business may begin creating friction. Increased manual workarounds, reporting limitations, integration challenges, or an inability to keep pace with regulatory change can all signal that it is time to reevaluate the relationship. Strategic alignment matters just as much as current performance.
Perhaps the most overlooked vendor-management discussion is the exit strategy, and that conversation should begin during contract negotiations, not after implementation. Organizations dedicate months to evaluating and deploying technology but often spend far less time defining what happens if the relationship no longer meets their needs.
Data ownership, transition assistance, export capabilities, service levels, subcontractor oversight, notification requirements, data destruction obligations, and termination support should all be clearly documented in the contract. A well-drafted agreement establishes expectations throughout the lifecycle of the relationship, including how the parties will disengage if circumstances change.
The strongest vendor relationships are not those that make leaving difficult; they are those that provide a clear, orderly, and predictable path forward for both parties.
Ultimately, vendor management is not about checking a regulatory box. It is about recognizing that our vendors and service providers have become extensions of our organizations. Their performance impacts our consumers, our compliance programs, our reputation, and our business continuity.
The most successful vendor relationships are built on something stronger than trust alone. They are built on transparency, accountability, and a shared commitment to managing risk.
As technology continues to transform our industry, the vendor conversation is becoming increasingly important. The rapid growth of artificial intelligence has introduced an influx of new providers into the accounts receivable management space, many of whom are not only new to our industry but are still operating in startup mode. Their innovation is exciting, and in many cases these organizations are developing solutions that have the potential to significantly improve compliance, efficiency, and consumer experience.
At the same time, organizations must carefully distinguish between what has been proven and what remains on the product roadmap. Early adopters often benefit from collaborative development opportunities, enhanced support, and favorable pricing structures. Becoming a strategic partner can be incredibly rewarding for both parties. However, those benefits must be balanced against the realities of heightened operational, compliance, cybersecurity, and business continuity risks that can accompany emerging technologies and newer companies.
Before implementation, organizations should understand not only what a provider’s technology can do today, but also the maturity of the organization behind it, the sustainability of its business model, and its ability to support clients through regulatory changes, growth, and unexpected challenges. Innovation creates opportunity, but effective vendor management ensures that opportunity does not come at the expense of risk awareness.
Because while we can outsource functions, we cannot outsource responsibility.
I encourage you to watch the accompanying webinar clips and explore the valuable educational content available through AccountsRecovery.net. The platform hosts daily webinars covering timely issues affecting the credit, collection, debt buying, and receivables management industries. It is also an excellent resource for staying informed about emerging trends, regulatory developments, operational challenges, and industry news impacting our profession.