Potential threats and vulnerabilities arising from the reliance on external vendors, service providers and partners – collectively third-party risks – have never been higher at banks. While third-party risk (aka vendor risk) management at banks is not a new or novel function, it has become a much more critical component of a bank’s overall risk management strategy as they increasingly look to outsource various functions and services.
Key third-party risks in banking include, but are not limited to, operational, cybersecurity, compliance and legal risks. By relying on and entrusting third parties to provide key services and functions to the bank and its customers, the bank exposes itself to these risks on a vicarious basis, so it is imperative that the bank's risk management framework extend to oversight of third parties in order to mitigate them.
Management of third-party risks
Adding to the very practical need to manage these risks, management of third-party risk continues to move up bank regulators' agendas. Regulators continue to emphasize the importance of robust vendor management programs and require banks to have policies and procedures for evaluating, monitoring and managing third-party relationships. The Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Consumer Financial Protection Bureau (CFPB) all provide guidance on managing third-party risk.
Effective risk management strategies for third-party oversight include:
- Robust due diligence prior to onboarding
- Clear contractual arrangements that detail allocations of liabilities and indemnification agreements
- Ongoing processes to effectively monitor and reassess individual (high-risk) vendors
- Proper business continuity plans that respond quickly to issues arising from third-party failures
A key component of a robust due diligence process is an assessment of network and data security; ensuring that third parties have adequate data protection measures in place to safeguard sensitive information is table stakes. This includes encryption, access controls and secure data storage. Furthermore, additional cybersecurity assessments that evaluate a third party's cybersecurity practices and protocols, and that regularly reassess its ability to prevent and respond to cyber threats and breaches, are an imperative component of onboarding due diligence.
Many banks deploy risk management software to assist with the operational, financial and administrative burden of overseeing and monitoring their third-party populations. These tools can streamline the process of evaluating, monitoring and managing third-party risks and can help track performance metrics, compliance status and risk indicators.
Challenges of third-party risk management
The management of third-party risk continues to evolve and thus presents many complex challenges. Outsourcing is a growing trend as banks look to optimize costs and drive operational efficiencies. Outsourced functions also continue to grow in complexity and importance, and now include technology, compliance and customer-facing functions. Regulatory oversight of banks' third-party management continues to evolve as well, introducing new expectations and compliance obligations on banks.
Lastly, increased globalization introduces a whole new swath of risks, including cross-border risks, new regulatory requirements and cultural differences. Maintaining risk management strategies that are living, breathing strategies, ones that adapt to evolving risks, stay ahead of regulatory changes and mandates, and require enhanced due diligence when engaging international third parties, is key to proactively managing third-party risk.
Best practices to manage third-party risk
One observed best practice at banks is the establishment of a clear governance structure for managing third-party risk, including defined roles and responsibilities; many banks have implemented vendor management offices or vendor risk practices staffed by dedicated employees with clear responsibility for decision making.
A second is continued training and awareness for employees, particularly those who deal directly with third parties, so that they understand the importance of mitigating these risks and are equipped with the skills and knowledge necessary to manage them. Lastly, integrating third-party risk into the bank's broader enterprise risk framework ensures a comprehensive approach to identifying, assessing and mitigating these risks.
In closing, managing third-party risk effectively requires a proactive and systematic approach. By implementing robust due diligence, monitoring and risk management practices, banks can mitigate the potential impacts of third-party failures and ensure the resilience of their operations.
