It’s the billion-dollar question – what is on a regulator’s mind when they walk through the door of a firm? What kinds of things are they looking for – and is the firm prepared?
The focus on third party risk management by regulators has increased significantly over the past few years. The regulators themselves are providing some clear and coherent guidance on their expectations, such as: OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance; FFIEC Appendix J: Strengthening the Resilience of Outsourced Technology Services. And, if you’re looking for a ‘crib-sheet’ of what the examiners are likely to be looking at, there’s also OCC Bulletin 2017-7: The OCC's Supplemental Examinations Procedures for Third Party Relationships.
In February 2018, Aravo brought together a panel of experts, two of whom were former US regulators, to talk about how supervisors are thinking about third party risk management. You can listen to the broadcast here – but we’ve also distilled it down into five key take-aways.
All the panelists were clear on one point – the TPRM program is expected to be, at the very least, aligned to the overall enterprise risk management framework. So, it makes sense that the panelists spoke of supervisory focus in terms of the risks the regulators have their eye on. The five key risks they identified were:
- Concentration risk – Deborah Bailey – now a managing director at KPMG’s financial services regulatory practice, but formerly a senior regulator at both the Federal Reserve (Fed) and the Office of the Comptroller of the Currency (OCC) – says regulators are closely following the trend among financial services firms to outsource more and more of their operations. They are also keeping an eye on the third party provider space – in some cases, the volume of outsourcing by firms means that some types of activities are now concentrated in just a few third parties. Regulators are looking to see how firms assess concentration risk, both in terms of different kinds of risks, as well as the types of services involved. Homer Hill – now a principal in KPMG’s regulatory risk practice, and formerly a senior vice president at the New York Fed – says firms should be particularly aware of situations in which a third party is providing a range of services for the firm, or the same task across multiple firms. As well, firms should keep an eye out for a third party who is performing the same critical operation for multiple firms. As is often the case, the Regulators telegraph areas of exposure they consider a concern, and Concentration risk was called out in the OCC’s Semiannual Risk Perspective, Fall 2017. It’s clear that this is an area of risk firms should be aware of and putting in place controls for.
- Compliance risk – Many financial services organizations are outsourcing, to third parties, elements of their operations that involve direct contact with retail customers. Even though these retail-facing operations are being performed by a different entity, they must comply with all of the retail-focused regulations that would apply if the banks were undertaking these activities in-house. However, says Bailey, this is an area of ongoing challenge for firms. Banks are finding it difficult to validate the systems, processes, and tools that third parties are using to fulfill the contracts – banks need to ensure they have the ability to directly review the way the third party engages with the retail customers – for example by doing an onsite inspection or by reviewing customer complaints. Ensuring these retail processes are carried out correctly at the third party can also wind up putting an extra burden on the financial services firm’s compliance team. Ideally, the right to review needs to be baked into the contract. As well, the compliance team should be part of the process of establishing what a good review will look like, and what resources are required to conduct one. Firms should also consider looking at the third party’s overall approach by performing a risk assessment of the third party’s risk and controls program – if overall it meets the standards of the financial services firm, then the firm can have more confidence that its retail transactions are being undertaken in compliance with existing rules and regulations.
- Cyber-risk – One of the key risks that many third parties can be exposing their financial services firm clients to, is cyber-risk – whether it’s hacking, malware or information security concerns. “Cyber-risk is the number one risk across all of the regulators, no matter who you look at,” says Hill. “If you think about how things are changing, where we are with things like cloud computing and digitization, it makes sense in terms of understanding where this risk is. For third party risk management, it’s become critically important as financial firms have become more reliant on third party technology service providers. There are concerns beyond just individual firms, too. The regulators, as well as other government officials, want to protect the financial ecosystem. So what regulators want to see is an effective program for managing business continuity with these third parties.” Hill adds that regulators are looking at the contracts firms have with third parties to see if the right requirements are baked in – such as the right to assess the third party’s processes and systems, as well as BCP obligations. The cyber-risk program should meet the expectations that the financial services firm has for their own, internal, cyber-risk program, he adds.
- Fourth party risk – US regulators have greatly increased focus on fourth, fifth and nth party risk – essentially the risks posed by a third party’s own suppliers. Greg Matthews, a partner and third party risk management expert at KPMG, says supervisors are not looking for a comprehensive and infinitely deep understanding of these entities. Instead, firms should focus on third party relationships where critical services are being performed, and particularly where key elements of that service are being performed by a fourth party. Contractually, it makes sense to ask third parties to disclose the vendor relationships they have that are relevant to your contract with them. In long-term, ongoing relationships, firms should ask the third parties who the involved fourth parties are, and what their role is. The financial services firm should then, in all cases, assess the TPRM program of the third party, to see how well these fourth party relationships are being managed. If a firm is not happy with the way the fourth party is being managed, then the firm may wish to consider contracting directly with the fourth party, to gain more control says Matthews.
- Geopolitical risk – Hill says the US supervisors are also focusing on offshoring by financial services firms – particularly around critical or retail-facing services. Regulators want to see evidence that the firm – including senior management and the board – understands the geopolitical risks that may be posed by locating certain critical services in particular jurisdictions. Ideally, he adds, the vendors themselves should be working with the firm to complete that analysis.
Overall, all three panelists said it would be difficult, in a financial services firm of any complexity, to effectively track risks such as these without using TPRM software. “Technology is critically important to transform the TPRM program,” Hill said. “You need it to really help enhance transparency and consistency,” as well as executing the program effectively. TPRM software provides the ability to better incorporate the TPRM program into the enterprise risk program, he added, as well as making the TPRM program more sustainable over the long-term. Technology also enables better monitoring, as well as reporting to senior management and the board of directors. Says Hill, “In this space, it’s critically important”.
The webinar: What Do Financial Industry Regulators Expect from Third Party Risk Management? was broadcast on 29 January 2018.
Partner, Third Party
Risk Management Expert, KPMG