Qifei Zeng
- Explore the latest trends and challenges financial institutions are facing in relation to next-generation third-party risk management.
- In a time where financial institutions struggle with increased regulatory scrutiny and a complex risk landscape, discover how to drive effectiveness and efficiency.
Over the past decade, financial institutions (FI) have greatly increased their use of third parties (e.g., merchant payment processors, cloud service providers, financial technology companies). FIs increasingly see third parties as a competitive advantage. Meanwhile, emerging third-party risks makes risk-based, enterprise-wide third-party risk management (TPRM) more important than ever. Ongoing budget cuts combined with increasing threats to business continuity, compliance, reputations, and cyber security necessitates improving the effectiveness and efficiency of FIs’ TPRM programmes.
Latest TPRM trends and challenges
While third parties are playing an increasingly vital role in FIs, FIs are in turn struggling with significant TPRM challenges. The following are emerging trends and challenges observed:
- Growing reliance on third parties. FIs are increasingly adopting technology from third parties to improve their competitiveness and enable innovation. This is leading to the sector's growing reliance on technology-based services provided by third parties.[1]
- Increased regulatory scrutiny. Regulators globally are increasing the pressure on FIs to better manage their third-party risks. Recent interagency guidance[2] on third-party risk management in the US called upon financial institutions to apply specific principles to the varies stages of the third-party lifecycle. A common theme amongst this and other regulatory guidelines is “resiliency as a supervisory priority”, making it imperative for FIs to carefully review the full array of critical activities outsourced to third parties and implement mitigating measures to maintain operational resiliency.
- Increased third party-caused disruptions and reputational damages. According to a recent KPMG survey, 72 percent of the FI respondents are experiencing ‘significant disruption, monetary loss, or reputational damage because of a third-party incident within the last 3 years.[3] For instance, the hack of a software vendor caused a downed system.
- Limited resources. With the economic uncertainty, many FIs are reducing the spending for TPRM programmes. While TPRM’s remit is expanding, FIs still lack the depth and breadth of TPRM capabilities needed to effectively manage the significant challenges they are facing.
- Expanded universe of third-party risks. The third-party risk landscape has been increasingly complex, confronting FIs with new risks.[4] In particular, cyber security has become a crucial area for TPRM, with rising data breach incidents compromising FI data. TPRM has also evolved from focusing solely on the immediate contracting party to a more expansive view, to include the Nth parties to better identify potential sanctions and concentration risks. Additionally, FIs are increasingly challenged to integrate ESG risks in their TPRM framework, as sustainability has become an overarching goal globally.
Opportunities to drive effectiveness and efficiency
Stages of the Risk Management Lifecycle
Source: Board, FDIC and OCC
The lifecycle of a third-party service relationship typically includes planning, due diligence and selection of a service provider, contracting, ongoing monitoring, and termination.[6] With the rise of emerging technologies, there are opportunities for FIs to innovate how they manage third-party risks and reduce the cost of compliance:
- Data synchronisation across varies systems. One of the typical challenges faced by many FIs is data silos. Each business unit uses its preferred tools, leading to manual efforts to gather isolated islands of information for decision-making. Implementing a unified third-party onboarding platform that auto-aggregates data across the third-party ecosystem allows different teams to collaborate seamlessly and enable speedy decisioning.
- Automate a risk-based workflow. A risk-based approach tailors TPRM efforts based on risk levels of third parties, optimising compliance resources to pinpoint critical, high-risk third parties. Automating a risk-based workflow allows organisations to significantly decrease process time while increasing the volume of assessments.
- Screening beyond sanctions and corruption risks. As the third-party risk universe expands, the traditional screening solution that solely focuses on financial crimes, sanctions, and corruption is no longer meeting the need for effective and efficient TPRM. Screening solutions that cover emerging risk areas helps FIs broaden the risk coverage efficiently and enables a more consistent approach in risk identification and assessment.
- Continuous monitoring and dynamic risk scoring. Continuous monitoring and dynamic risk scoring of third parties involves an ongoing management of risks and threats throughout the TPRM lifecycle. It allows for accurate, real-time risk scoring for third parties, leading to a potential reduction of review volume, and quicker risk mitigation on an ongoing basis.
- Leverage innovation from your enhanced due diligence provider. Nowadays many due diligence providers are utilising new technologies (e.g., AI) to enable faster delivery of due diligence, with broader coverage of jurisdictional expertise than FIs have in-house. Additionally, next-gen providers can deliver machine-readable risk data that can be directly fed into FIs’ systems, reducing manual efforts by in-house analysts.
- Mapping of Nth parties. The increased use of third-party technologies in FIs have caused increased exposure to concentration and operational risks, as many of the technology providers in the sector shares the same underlying technology / data infrastructure. Therefore, FIs should have appropriate controls for the critical Nth parties to strengthen operational resilience.[7] Incorporating supply-chain mapping capabilities will provide better visibility of the vendor landscape at scale and uncover potentially risky vulnerabilities faster and more accurately.
As FIs become increasingly reliant on third-party technologies in an evolving risk landscape, driving effectiveness and efficiency in TPRM is critical. There are tremendous benefits to be gained from embracing the innovation made possible via new technologies – enabling increased breadth of risk insight and depth in the most critical areas, while reducing manual efforts.
1. Newsletter on third- and fourth-party risk management and concentration risk (bis.org)
2. https://www.fdic.gov/news/financial-institution-letters/2023/fil23029.html
3. TPRM challenges continue for financial services institutions (kpmg.com)
4. Federal Register :: Interagency Guidance on Third-Party Relationships: Risk Management
5. ESG risks in banks (kpmg.com)
6. Federal Register :: Interagency Guidance on Third-Party Relationships: Risk Management
7. Newsletter on third- and fourth-party risk management and concentration risk (bis.org)
Legal Disclaimer
Republication or redistribution of LSE Group content is prohibited without our prior written consent.
The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.
Copyright © 2023 London Stock Exchange Group. All rights reserved.
The content of this publication is provided by London Stock Exchange Group plc, its applicable group undertakings and/or its affiliates or licensors (the “LSE Group” or “We”) exclusively.
Neither We nor our affiliates guarantee the accuracy of or endorse the views or opinions given by any third party content provider, advertiser, sponsor or other user. We may link to, reference, or promote websites, applications and/or services from third parties. You agree that We are not responsible for, and do not control such non-LSE Group websites, applications or services.
The content of this publication is for informational purposes only. All information and data contained in this publication is obtained by LSE Group from sources believed by it to be accurate and reliable. Because of the possibility of human and mechanical error as well as other factors, however, such information and data are provided "as is" without warranty of any kind. You understand and agree that this publication does not, and does not seek to, constitute advice of any nature. You may not rely upon the content of this document under any circumstances and should seek your own independent legal, tax or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the publication and its content is at your sole risk.
To the fullest extent permitted by applicable law, LSE Group, expressly disclaims any representation or warranties, express or implied, including, without limitation, any representations or warranties of performance, merchantability, fitness for a particular purpose, accuracy, completeness, reliability and non-infringement. LSE Group, its subsidiaries, its affiliates and their respective shareholders, directors, officers employees, agents, advertisers, content providers and licensors (collectively referred to as the “LSE Group Parties”) disclaim all responsibility for any loss, liability or damage of any kind resulting from or related to access, use or the unavailability of the publication (or any part of it); and none of the LSE Group Parties will be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, howsoever arising, even if any member of the LSE Group Parties are advised in advance of the possibility of such damages or could have foreseen any such damages arising or resulting from the use of, or inability to use, the information contained in the publication. For the avoidance of doubt, the LSE Group Parties shall have no liability for any losses, claims, demands, actions, proceedings, damages, costs or expenses arising out of, or in any way connected with, the information contained in this document.
LSE Group is the owner of various intellectual property rights ("IPR”), including but not limited to, numerous trademarks that are used to identify, advertise, and promote LSE Group products, services and activities. Nothing contained herein should be construed as granting any licence or right to use any of the trademarks or any other LSE Group IPR for any purpose whatsoever without the written permission or applicable licence terms.
