The ever-changing role of third party risk management
Branan Cooper, TPRM Consultant
Below is an insight into the role of third party risk management, with a highlight into how the it has developed over the years. Discover more at Vendor & Third Party Risk USA.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Third party risk management has been in the news a great deal over the past several years. Going from a back-burner topic that people rarely understood to a front-page news story in the wake of high-profile data breaches and major enforcement actions, one might argue that third party risk management has never been more important.
At its core, third party risk management is the latest step in the evolution from quality assurance to vendor management and then into a realm in which practitioners came to realize that there was a need to consider measurable risk, information security and legal concerns into the equation. Due diligence, often thought to be a checklist of items to be considered in selecting a third party, suddenly took on new importance when a retrospective look at an enforcement action or data breach often revealed that the weak link in the chain was failing to understand with whom the company is doing business, introducing an element of uncertainty, or risk, associated with something that could easily have been discerned during the initial selection and due diligence process.
The financial services industry is widely regarded as one of the most heavily regulated industries, with good reason, as it controls so much of the world’s economic health. Along with manufacturing, financial services began to recognize third party risk management as a “necessary evil” in the early 2000’s. In 2008, the United States Federal Deposit Insurance Corporation (FDIC) brought the term “third party risk management” into the forefront of regulatory guidance with the issuance of Financial Institution Letter (FIL) 44-2008. The guidance identified specific areas of risk management and vendor management that intertwined when considering the outsourcing of a particular product or service. The guidance emphasized that it is ultimately the responsibility of the financial institution to mitigate the potential hazards of sending a product or function normally conducted by the institution out to a vendor.
Over the next several years, US prudential regulators, along with the FDIC, sought to refine the guidance to ensure that each of its components – namely, selecting a third party, due diligence, risk assessment, ongoing monitoring, contract management and reporting – were adequately addressed. In late 2013, the US Office of the Comptroller of the Currency issued Bulletin 2013-29, which galvanized all the concepts into a sweeping lifecycle approach. Indeed, the lifecycle wheel inside a triangle became a very familiar image for those in the risk management and compliance space. This approach dictated the need for an ongoing view of third party risk, not a static, one and done, all done in tranches approach. It was widely seen as “the gold standard” for third party risk management until the release of new Interagency Guidance on Third Party Risk Management (SR 23-4).
Like the earlier bulletin, the Interagency Guidance emphasizes the need for an ongoing renewed view of risk in outsourcing any key activity. In addition, much like the OCC document, the guidance placed the ultimate responsibility for the management of the program with the institution’s board, stressing the need for active involvement and demonstrable management. The guidance also played “catch-up” for other agencies, to get everyone involved speaking the same language and operating under the same guidelines.
Notably, many small-to-midsize institutions had never needed to fully comply with the OCC mandate for, even though the OCC is a federal regulatory agency, its immediate purview is primarily national banks. The need for creating a robust set of practices was not lost on the Consumer Financial Protection Bureau (CFPB) who has made consumer complaints one of its major enforcement focal points. Indeed, the Bureau uses its broad authority to enforce UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) violations by examining areas with the potential for consumer harm. The UDAAP standard includes an extra “A” for Abusive, that gives it an expansion of the powers long held by the Federal Trade Commission UDAP (Section 5 of the FTC Act). The Abusive standard has never been fully and rigorously defined, though there has been a long-awaited move toward such a well-versed standard over the past several years. Many of the UDAAP violations came with multi-million dollar enforcement actions, enough to catch the attention of financial institutions, as, at the heart of many of the UDAAP violations is a failure on the part of a third party to rigorously follow the regulatory guidance, either unwilling, unknowingly, or unable to offer the same level of care that a financial institution would afford its own customers. Immediately, third party risk management took on an all-new level of attention and significance in the daily operation of a financial institution.
At its core, third party risk management helps to bring together the highly structured risk frameworks offered by other disciplines (e.g., COBIT, Sarbanes-Oxley, ISO, et al.) along with recognition of broader initiatives around data protection and privacy, enhanced reporting, maturing enterprise risk programs and other robust guidance that requires the support of not only the financial institutions internal resources but their service providers as well.
In an era of tremendous change, the practices around third party risk management will continue to grow and evolve, particularly with the introduction of more robust yet easy to operate software to categorize and mitigate risk, the advent of artificial intelligence as a practical tool, and the continued expectations of the regulators. The end product, however, is a highly desirable state for the financial institution as doing third party risk management well creates a true operational and strategic advantage, while reinforcing and protecting the trust of its customers.