Trust, in the context of Financial Services, has been something of an elusive quality in recent years, particularly in the relationship with the people we seek to serve. But what of the trust between the many firms that serve our industry and the established financial institutions? In a world where regulators have acted to fill the trust void, trust must be backed by robust strategies for managing risk.
As the financial services industry evolves, business models are becoming ever more disaggregated as banks and other financial institutions respond to a changing and challenging business context. In this emerging order, regulators hold firms fully accountable for third party risk. The customer, and therefore the regulator, looks only at the primary relationship, which is with the bank, insurer or manager.
Let’s make this real. Some firms have already felt the pain of this accountability: the strict regulatory environment has led to several enforcement actions and fines. In a well-documented recent case, a chain of IT failures left a bank’s customers unable to access their accounts, and the FCA imposed a £42m fine on the bank for failing to manage the risks in its third party systems.
Using third parties to deliver elements of the value chain, driving efficiencies and reducing costs, is an entirely viable model. The reality is that the risks of working with third parties need to be understood and mitigated in order to avoid costly failures and, with them, regulatory action. Firms cannot sideline this issue. Certain activities or functions can be outsourced – but not the accountability for them.
Of course, the more vendors a firm works with, the greater its risk exposure. And it doesn’t stop there: some third parties in turn outsource some of their own functions, giving rise to ‘fourth parties’. The result is that today’s financial institutions face a substantial challenge in managing third party risk. Firms must apply the same rigorous controls to these risks as they do to ‘traditional’ internal risks.
The question, then, given the sophisticated nature of these emerging risks and the architecture and resourcing of financial institutions’ risk functions, is whether firms are well placed to respond to third party risk. Those ahead of the curve will be positioned to maximise opportunities and gain competitive advantage – it’s not all about the downside!
So how should third party risk be managed most effectively? Our experience of working with a number of banks and insurers on these issues suggests a core set of principles and actions that should guide the design and implementation of risk strategies:
- Consider risk within your third party selection and contracting processes – implement comprehensive criteria for selecting vendors which include an assessment of each vendor’s internal risks and of the risks arising from its interaction with your firm. Establish continuous monitoring of vendor performance, including contractual provisions to replace a vendor that fails to meet performance criteria and insurance cover where a vendor’s failure exposes the firm to fines.
- Know your customer – know your third parties – build a catalogue of every vendor the firm interacts with, document the activities each is responsible for and understand the full extent of those activities. Consider interactions between vendors and document any ‘fourth party’ relationships.
- Risk assess and rank your third parties – identify the potential risks that each vendor may pose to the business and rate each vendor accordingly. Prioritise the management of high-risk vendors.
- Develop effective governance and control frameworks – assign senior-level ownership of third party risk management, clearly define roles and responsibilities, and set out the associated controls and measures. Ensure the frameworks are adopted, with appropriate reporting.
- Engage and communicate with your key stakeholders – ensure regular communication and reporting with key internal and external stakeholders, keeping them engaged, informed and accountable.
- Introduce processes, tools and technology – put in place the systems and technology needed to support these processes and the management tools that rely on them.
Financial institutions face a very real challenge to manage third party risk in a way that meets regulatory requirements. A well thought through and comprehensive approach will help firms respond effectively and can create competitive advantage.
There has never been more urgency to ensure third party risks are managed. Firms must act now to determine whether their third parties can – and should – be trusted. A third party risk management framework that is well implemented and trusted internally allows a firm to place trust in its network of valued vendors. At a time when trust is elusive, to build trust in this way is not only a requirement, but a driver of good business practice and good business outcomes.
FCA Final Notice – 19 November 2014.