Potential threats and vulnerabilities arising from reliance on external vendors, service providers and partners – collectively, third-party risks – have never been higher at banks. While third-party risk (aka vendor risk) management is not a new or novel function at banks, it has become a far more critical component of a bank's overall risk management strategy as banks increasingly outsource functions and services.
Key third-party risks in banking include, but are not limited to, operational, cybersecurity, compliance and legal risks. By relying on and entrusting third parties to provide key services and functions to the bank and its customers, the bank takes on these risks vicariously: a control failure at the vendor becomes the bank's failure in the eyes of its customers and regulators. It is therefore imperative that the bank's risk management framework extend to oversight of third parties in order to mitigate these risks.
Beyond the very practical need to manage these risks, third-party risk management continues to move up bank regulators' agendas. Regulators continue to emphasize the importance of robust vendor management programs and require banks to have policies and procedures for evaluating, monitoring and managing third-party relationships. The Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Consumer Financial Protection Bureau (CFPB) all provide guidance on managing third-party risk.
Effective risk management strategies for third-party oversight include:
A key component of a robust due diligence process is an assessment of the third party's network and data security; ensuring that third parties have adequate data protection measures in place to safeguard sensitive information is table stakes. This includes encryption (of data in transit and at rest), access controls and secure data storage. Furthermore, cybersecurity assessments that evaluate a third party's security practices and protocols, and that regularly reassess its ability to prevent, detect and respond to cyber threats and breaches, are an imperative component of onboarding due diligence. Such assessments should be repeated over the life of the relationship, not performed only at onboarding, because a vendor's controls and exposure change over time.
Many banks deploy risk management software to ease the operational, financial and administrative burden of overseeing and monitoring their third-party populations. These tools can streamline the process of evaluating, monitoring and managing third-party risks and can help track performance metrics, compliance status and risk indicators across the full vendor inventory.
The management of third-party risk continues to evolve and presents many complex challenges. Outsourcing is a growing trend as banks look to optimize costs and drive operational efficiencies, and the outsourced functions themselves continue to grow in complexity and importance, including technology, compliance and customer-facing functions. Regulatory oversight of banks' third-party management also continues to evolve, introducing new expectations and compliance obligations.
Lastly, increased globalization introduces a whole new swath of risks, from cross-border risks and new regulatory requirements to cultural differences. Proactively managing third-party risk requires risk management strategies that are living documents: they must adapt to evolving risks, stay ahead of regulatory changes and mandates, and require enhanced due diligence when engaging international third parties.
One observed best practice at banks is the establishment of a clear governance structure for managing third-party risk, including defined roles and responsibilities; many banks have implemented vendor management offices or vendor risk practices staffed by dedicated employees with clear responsibility for decision making.
Two further best practices are continued training and awareness for employees, particularly those who work directly with third parties, so that they understand the importance of mitigating these risks and are equipped with the skills and knowledge needed to manage them; and integration of third-party risk management into the bank's broader enterprise risk framework, to ensure a comprehensive approach to identifying, assessing and mitigating these risks.
In closing, managing third-party risk effectively requires a proactive and systematic approach. By implementing robust due diligence, ongoing monitoring and risk management practices, banks can mitigate the potential impact of third-party failures and ensure the resilience of their operations.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance