US Regulators Raise Expectations of Third-Party Risk Management

The recent publication of the Interagency Guidance on the risk management of third parties is a welcome recognition that the way banks of all sizes make extensive use of third-party relationships. These relationships drive product and service development, help them master new technology platforms and create new efficiency savings.

These relationships can cover services, including IT support services, cloud computing services, application development and support, customer credit checks, model development, office facilities, payroll and HR services, market analytics and data, and more.

These relationships can also include industry partnerships and might cover credit card services, digital partnerships, branded financial products, and other promotional activities.

Dealing with deeply embedded relationships

The guidance recognizes that some of these services and partnerships are so embedded in many banking business models that it is essential for the risk management frameworks at banks, and the regulatory scrutiny that goes with them, extend into these complex third-party relationships.

While the publication of the proposed guidance offers the opportunity for the industry to provide input, it also signals that third-party risk management (TPRM) has moved from a ‘nice to have’ to a need to have’.

In fairness, the risk management principles in TPRM are similar to other aspects of risk management in banking.

The guidance lays down several core areas to consider:

• Planning
• Due diligence & third-party selection
• Contract negotiation
• Oversight and accountability
• Ongoing monitoring
• Termination

A range of widely varied challenges

Within these bald headlines, there are significant nuances. 

1. Firstly, there is the recognition that the challenges and issues of TPRM for the largest institutions are radically different from those of the smallest. The text recognizes that forcing institutions at both ends of the spectrum to use the same systems and processes would be impractical. Instead, institutions will be expected to have systems and procedures in place that are aligned to their unique TPRM risk profile.
2. Secondly, the guidance recognizes that third-party relationships often need fourth and fifth-level subcontracted relationships to deliver to according to the contractual requirements. This compels banks to consider the nature of these deeper relationships – not just the third parties they contract with directly – when performing their due diligence, as well as managing their risk. Banks need to understand how to get visibility into these deep relationships, even where they lack a direct contractual relationship.
3. Thirdly, these deep relationships highlight the issue of concentration risk. For example, in the banking sector, many software applications and service providers provide SaaS-based capabilities to deliver their functionality. They often use one of a small number of cloud service providers to deliver the underlying technology stack.  The small number of cloud providers means that if one has an issue of whatever size, it can potentially impact many software service providers for banks. This in turn can impact the banks that use these services, potentially in business-critical processes, impacting the wider economy and confidence in the banking sector. These risks can arise through technology issues, as well as contractual or commercial developments.

Integrating TPRM into the enterprise risk landscape

Applying the core principles of risk management to TPRM means that these risks must be integrated into the broader enterprise risk management picture. This helps a business factor in its TPRM profile into its wider business resilience plans to ensure that even in the event of a business interruption, it can still deliver its core services, as expected by financial sector regulators and the real-world economy.

While the regulators have asked for feedback, the direction of travel for banks is clear, and they need to start making their plans for implementing the final text.

So, what does the optimal TPRM risk solution look like?

The ability to ‘reach’ into the depth of the supply chain means that a decentralized, SaaS-based application is essential. Companies in the third, fourth and fifth tiers of a supply chain can quickly and easily implement the TPRM requirements of companies, even if they have no direct relationship.

Within a bank , there must be a centralized repository containing the relevant contracts, policy standard documentation, and the risk profiles of the various suppliers. Also essential is the ability to proactively monitor the various elements of the supply chain. If issues emerge at any level – technical, commercial, operational, or political, for example – a bank’s risk, operations, and compliance functions can respond proactively as needed.

Mitratech offers a range of powerful and proven TPRM solutions that will help banks respond positively and decisively to the enhanced expectations of their regulator. Learn more.