
Third-party management at banks: a primer

Regulatory team, MetricStream, London, 15 October 2018


As the world grows flatter, 'third-party ecosystems,' i.e. webs of interdependent contractors and outsourcers, are expanding in banking rapidly. An explosion in the number and variety of outsourcers and sales intermediaries has led to more rules for banks to obey. This article contains a list of 'best practice' points for compliance officers whose banks manage these relationships.

The advent of the cloud, virtual data centres and hosted applications or apps has created a bonanza for IT service vendors that can process business information. The result is more convenience but also greater exposure to risk. Social media websites provide banks with platforms on which they can communicate and collaborate with their third parties in an informal setting, but they have also opened the door to risks to data security and privacy.

Regulation, the crucial factor

The Office of the Comptroller of the Currency in the USA, the Financial Conduct Authority in the UK and many others have evolved regulations and guidelines for "third-party governance." The underlying message is that although companies can outsource their activities, they cannot outsource their responsibility for observing the financial statutes and regulatory rules of their countries.

For years after the world's financial crisis began in 2008, the primary impetus behind banks' efforts to manage their third parties more effectively was regulatory scrutiny. Today's banks are increasingly making such efforts on their own initiative and, in the process, are finding that their customers trust them more, their boards and investors have more confidence in them and their businesses are performing better. Effective "third-party governance" makes good business sense.
 
Banks are now going beyond traditional third-party surveys and assessments, taking comprehensive steps to ensure that their third parties are protecting confidential digital information, avoiding unethical practices, strengthening supply-chain security, handling disruptions effectively and performing to high standards. It is in this context that the need is emerging for an integrated view at every bank of third-party risk, compliance, performance, quality and adherence to contracts.

'Best practice' for the optimisation of banks' relationships with third parties

To cease to be blind to various risks...

Each third-party relationship is risky in some way or other. Some risks are multi-dimensional, i.e. they apply all at once to suppliers, vendors, contractors, service providers and other so-called third parties. Other risks may affect such different levels of an organisation as financial product lines, business units and countries. To stay ahead of these risks, banks ought to do the following.

  • Identify the important risks associated with third parties, such as political risks, undesirable events, financial risks, contractual risks, legal and regulatory risks and information system failures. Follow this up with an analysis of the specific drivers that increase so-called third-party risk.
  • Concentrate on the contracts that govern third-party relationships. A comprehensive and carefully written contract ought to set out the rights and responsibilities of all parties, enabling the organisation in question to manage these relationships closely.
  • Design and implement policies and controls to offset third-party risks, also evolving appropriate monitoring and testing processes to ensure that the controls are working as expected.
  • Use content from external sources such as Smart KYC, Dow Jones, Dun & Bradstreet, BitSight and SecurityScorecard. These firms curate third-party data from adverse media reports, sanction lists, information on politically exposed persons (PEP), cybersecurity ratings and other sources – all of which can be invaluable for a bank on the lookout for risky third parties.

To run background checks on third parties more efficiently...

A reliable process for scrutinising third parties helps banks to understand third-party risks very clearly. It also helps them choose the right firms to work with. The process is often part of a larger "third-party onboarding programme" which forms the backbone of effective third-party management. During the 'onboarding' process, companies can capture all the required third-party information along with certifications, contracts and documents. Meanwhile, onboarding assessments can help determine the level of risk monitoring required for each third party.

Many organisations take a risk-based approach to "third-party due diligence." They stratify third parties into various risk categories according to the product or service they are offering and/or to the third parties' countries of operation and other factors. They then come up with a risk category and score for each one and can then set the appropriate level of screening and other safeguards. 'Due diligence' is not a one-time event. Third-party risks can change anytime and banks therefore require continuous monitoring and screening processes to ensure that nothing slips through the cracks.

Not to lose sight of fourth parties...

Often, banks have run into trouble over data breaches that result not from their primary third parties, but from sub-contractors – particularly unauthorised sub-contractors. This is why it is important for them to see everything that is happening in their third-party ecosystems. They ought to be able to find out whether products and services are being provided by third parties, or if they are actually being sub-contracted to 'fourth parties.' One way of doing that is to oblige third parties to seek their approval for any kind of fourth-party involvement contractually. Another good practice is to insist on all essential fourth-party information being collected and stored. Fourth parties should also be included in the screening and risk management process.

To set the right tone at the top...

The senior managers, including the C-suite and board, are ultimately accountable for third-party risks. It is their responsibility to ensure that good risk management processes and controls are in place. They should also be aware of the top risks inherent in third-party relationships, so that they can make informed decisions. The health of a third-party risk management program depends, to a large extent, on their involvement. When they can show regulators that they are determined to foster a culture of risk awareness and accountability, and to invest plenty of money to deal with risks, good "third-party governance" will probably follow.
 
To keep a lookout for new and emerging risks...

With more third parties being given access to sensitive company information, the likelihood and seriousness of data security incidents have risen. In the past few years, some of the biggest companies have been brought to their knees by data breaches that sprang from "vendor vulnerability" or unsecured networks. Data security and privacy risk management at software-as-a-service providers and other software vendors has become an important element of every bank's effort to manage its relationships with third parties systematically.
 
To keep risks in check, banks ought to categorise vendors according to their risk profiles and then subject them to an appropriate level of risk monitoring. A useful tool in these efforts is the “Standard Information Gathering” (SIG) questionnaires from Shared Assessments which they can use to gather important information about a vendor’s IT, privacy and data-security controls. Content providers such as BitSight and SecurityScorecard also provide useful information about cyber-security at third parties.
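The risk-based stratification described under 'background checks', the fourth-party point above and the vendor categorisation in this section all come down to one procedure: score each third party on a handful of factors, map the score to a tier, let the tier set the monitoring level, and re-run the scoring whenever the vendor's attributes change. The following is an added illustration in Python; it is not code from the article or from MetricStream, and the factor weights, tier thresholds, monitoring labels and sample vendor records are all constructed assumptions rather than anything the article prescribes.

```python
"""Vendor risk tiering with fourth-party checks and re-screening.

Added example, not from the article. Weights, thresholds, monitoring
labels and the sample vendors below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed factor weights (assumptions, not a regulatory scale).
COUNTRY_RISK = {"GB": 1, "DE": 1, "US": 1, "XX": 4}   # "XX": constructed high-risk jurisdiction
DATA_ACCESS = {"none": 0, "internal": 1, "confidential": 2, "customer_pii": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
UNAPPROVED_FOURTH_PARTY_PENALTY = 3                   # undeclared sub-contracting is a red flag

# Tier lower bounds (inclusive), checked from highest to lowest.
TIERS = [(7, "high"), (4, "medium"), (0, "low")]

# Illustrative monitoring regime per tier (assumption).
MONITORING = {
    "high": "full SIG questionnaire each quarter + continuous cyber-rating alerts",
    "medium": "SIG questionnaire annually + cyber-rating alerts",
    "low": "annual self-attestation",
}


@dataclass
class Vendor:
    name: str
    country: str
    data_access: str
    criticality: str
    fourth_parties: list = field(default_factory=list)           # sub-contractors the vendor declares
    approved_fourth_parties: list = field(default_factory=list)  # those the bank has approved


def unapproved_fourth_parties(v: Vendor) -> list:
    """Sub-contractors the vendor uses that the bank never signed off on."""
    return sorted(set(v.fourth_parties) - set(v.approved_fourth_parties))


def risk_score(v: Vendor) -> int:
    # Unknown jurisdiction is treated as elevated rather than ignored.
    score = COUNTRY_RISK.get(v.country, 3)
    score += DATA_ACCESS[v.data_access] + CRITICALITY[v.criticality]
    if unapproved_fourth_parties(v):
        score += UNAPPROVED_FOURTH_PARTY_PENALTY
    return score


def tier_for(score: int) -> str:
    for lower_bound, name in TIERS:
        if score >= lower_bound:
            return name
    return "low"


def assess(v: Vendor) -> dict:
    """One screening pass: score, tier, monitoring level and any red flags."""
    score = risk_score(v)
    tier = tier_for(score)
    return {
        "vendor": v.name,
        "score": score,
        "tier": tier,
        "monitoring": MONITORING[tier],
        "unapproved_fourth_parties": unapproved_fourth_parties(v),
    }


def rescreen(previous: dict, v: Vendor) -> tuple:
    """Continuous monitoring: re-assess and flag whether the tier moved."""
    current = assess(v)
    return current, current["tier"] != previous["tier"]


# Constructed sample vendors.
PAYROLL = Vendor("Payroll SaaS", "GB", "customer_pii", "high")
CLEANING = Vendor("Office cleaning", "GB", "none", "low")
HOSTING = Vendor("Cloud hosting", "US", "confidential", "high",
                 fourth_parties=["DC-Ops"], approved_fourth_parties=[])


def cleaning_after_scope_change() -> tuple:
    """The cleaning firm is later given access to confidential documents."""
    before = assess(CLEANING)
    changed = Vendor(CLEANING.name, CLEANING.country, "confidential", CLEANING.criticality)
    return rescreen(before, changed)


if __name__ == "__main__":
    for v in (PAYROLL, CLEANING, HOSTING):
        print(assess(v))
    current, moved = cleaning_after_scope_change()
    print("tier changed:", moved, current)
```

The penalty for an unapproved fourth party deliberately pushes the hosting vendor from medium to high: a sub-contractor the bank never approved is exactly the breach route the article warns about, so it should raise the monitoring level rather than be silently absorbed into the score. The re-screening step shows why due diligence cannot be a one-time event: a low-risk vendor whose data access widens moves up a tier without any change to its onboarding record.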

To measure the effectiveness of their third-party management systems...

How do you know if your approach to third-party management is effective? How can you find out whether any gaps or problems have arisen? In this context it helps to evaluate all aspects of third-party management (including policies, codes of conduct, processes, controls, compliance surveys, assessments and audits) regularly. When a private bank measures the effectiveness of its attempts to 'manage' third parties, its high-net-worth depositors and partners can find out whether it is spotting and offsetting risks, whether it is compliant with the rules and whether it is taking appropriate action when danger signals or 'red flags' appear.
 
To collaborate with others more effectively and noticeably...

A 'siloed' approach to managing relationships with third parties, whereby different departments manage different processes, can often lead to a duplication of effort. It can also complicate the process of aggregating information about risks, making it difficult for senior managers to form a holistic view of their banks' relationships with third parties. The answer to this is greater integration and collaboration. Every firm can adopt a common language that all its departments use when they talk about the risks that third parties engender. It can also use a single system to co-ordinate the way in which it manages such risks, along with compliance on the part of third parties, the management of their performance, background checks and other vital processes.

To use software...

As third-party ecosystems grow more complex, information technology or IT is playing a crucial role in helping banks monitor, manage and evaluate risks more thoroughly. An integrated set of third-party management software can offer the following benefits.

  • The bank in question can see the risks that third parties engender in a comprehensive way, along with compliance-related problems and other things that are bound to help it take pre-emptive action.
  • It can automate and streamline the way it manages information about third parties, the checks it has to make when 'onboarding' third parties, its management of processes to do with compliance and risk, its audits, and its management of third parties' performance.
  • It becomes more agile in responding to regulations and to changes in competitive markets and geopolitical factors (such as a change in a country's government).
  • It obtains comprehensive and validated information about third parties, including their profiles, contracts, documents, and service-level agreements.
  • The risk-related intelligence it gains helps it make decisions by giving access to advanced reporting systems and 'dashboards' that consolidate and roll up data about third parties.
