US regulators raise expectations for third-party risk management | Mitratech Holdings, Inc.


[author: Morgan Miller]

It takes something big for all of America’s banking regulators – the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) – to come together to pool their thinking and create an industry-wide range of banking regulations.

However, US regulators have a history of collaboration when there is an industry-wide problem that requires an industry-wide approach.

The recent publication of Interagency Guidance on Third Party Risk Management is a welcome acknowledgment of how banks of all sizes make extensive use of third-party relationships. These relationships drive product and service development, help them master new technology platforms, and create new efficiencies.

These relationships can cover services including IT help desk services, cloud computing services, application development and support, customer credit checks, model development, office facilities, payroll and HR services, market analysis and data, etc.

These relationships may also include industrial partnerships and may cover credit card services, digital partnerships, branded financial products and other promotional activities.

Dealing with deep-rooted relationships

The guidance recognizes that some of these services and partnerships are so integrated into many banking business models that it is essential for banks’ risk management frameworks, and the accompanying regulatory scrutiny, to extend to these complex relationships with third parties.

While the publication of the proposed guidance provides an opportunity for the industry to provide feedback, it also signals that third party risk management (TPRM) has moved from a ‘nice to have’ to a ‘need’.

In fairness, the principles of risk management in TPRM are similar to other aspects of risk management in banking.

The guidance identifies several key areas that management must consider:

  • Planning
  • Due diligence and selection of third parties
  • Contract negotiation
  • Oversight and accountability
  • Continuous monitoring
  • Termination

A wide range of challenges

Behind these bald headings lie important nuances.

  1. First, there is the recognition that the challenges and stakes of TPRM for larger institutions are radically different from those of smaller ones. The text recognizes that it would be impractical to require institutions at both ends of the spectrum to use the same systems and processes. Instead, institutions will need to have systems and procedures in place aligned with their unique TPRM risk profile.
  2. Second, the guidance recognizes that third party relationships often require fourth and fifth level outsourcing relationships to be delivered in accordance with contractual requirements. This forces banks to consider the nature of those deeper relationships – not just third parties with whom they contract directly – when performing their due diligence, as well as managing their risk. Banks need to understand how to gain visibility into these deep relationships, even when they don’t have a direct contractual relationship.
  3. Third, these deep relationships highlight the issue of concentration risk. For example, in banking, many software application and service providers deliver their functionality as SaaS. They often use one of the few cloud service providers to provide the underlying technology stack. The small number of cloud providers means that if one encounters a problem, no matter how small, it can potentially impact many software service providers for banks. This in turn can impact the banks that use these services, potentially in business-critical processes, impacting the wider economy and confidence in the banking industry. These risks may arise from technological problems, as well as from contractual or commercial developments.

Integrate TPRM into the enterprise risk landscape

Applying the fundamental principles of risk management to TPRM means that these risks must be integrated into the broader enterprise risk management framework. This helps a company factor its TPRM profile into its broader business resilience plans to ensure that, even in the event of a business interruption, it can continue to provide its basic services as expected by regulators of the financial sector and the real-world economy.

Although regulators have asked for comment, the direction for banks to take is clear and they need to start developing their plans to implement the final text.

So what does the optimal TPRM solution look like?

The ability to “reach” the depth of the supply chain means that a decentralized application based on SaaS is essential. Companies in the third, fourth and fifth tiers of a supply chain can quickly and easily implement corporate TPRM requirements, even if they don’t have a direct relationship.

Within a bank, there must be a centralized repository containing the relevant contracts, standard policy documentation and risk profiles of the different vendors. The bank must also be able to proactively monitor the different elements of the supply chain, so that if issues arise at any level – technical, business, operational or political, for example – its risk, operations and compliance functions can react as needed.

