Five Approaches to Managing Third-Party Risk

Transcription

1 Five Approaches to Managing Third-Party Risk by Lou Payeur, CG Risk & Regulatory Practice Lead Financial institutions are operating at record levels. And while the mix of business and profits may be different from that of pre-2008 recession times, the industry continues to grow albeit with a host of new conditions and considerations. Similar to the past, financial institutions have addressed growth and capability challenges by utilizing a mixture of internal talent and external third-party providers. From specialty firms that address unique underwriting considerations, to settlement agents located throughout operating geographies to offshore development that expedites new product introductions, these third-party relationships are critical to the success of financial institutions.

2 2 Greater Scrutiny Over the past few years, regulators have tightened requirements for financial institutions to manage the risk of these third-parties. Greater scrutiny from regulators into a financial institution s risk management practices has signaled more rigorous oversight and management of all third-party relationships. The regulators increasing vigilance in this area has resulted in more demanding regulatory standards and a series of harsh enforcement actions. For example, the Office of the Comptroller of the Currency (OCC) has increasingly broadened the definition of a third-party provider to encompass any business arrangement between a financial institution and another entity by contract or otherwise. This means financial institutions must increase regulatory scrutiny into all vendor relationships. For many banks, this number is in the thousands. For top 20 banks, it could be tens of thousands of relationships. Harsh Penalties a Reality These new standards are resulting in harsh enforcement actions. Substantial fines are becoming a reality of today s third- party vendor management environment as are the financial and reputational losses. Recent examples abound as to the severity of this risk: $25 million fine and forced refund of approximately $140 million to 2 million customers because of call center vendor s deceptive sale of add on products $20 million fine and payment of $309 million in refunds to more than two million consumers for third party s sale of credit monitoring/credit protection services $27.5 million fine and forced refunds of $85 million to approximately 250,000 consumers because of discrimination and deceptive practices on the terms of signup bonuses, and late fees

3 3 In the face of these heightened expectations come heightened demands and challenges in operating sound processes to mitigate the operational risks of these third-party relationships and business arrangements. A New Risk Model Because of the regulators stricter oversight of all aspects of third-party relationships, individual financial institutions must embark on shortterm and long-term initiatives that provide a common view of their third-party vendors from engagement and monitoring. In the short-term, this entails collecting and reviewing current due diligence procedures and tracking mechanisms to assess points of divergence from regulatory guidance. This should be followed by the development of a target third-party framework, inclusive of the policies, processes and procedures necessary to deliver on the target. Long term, financial institutions must define and realign standards and risk-based expectations, consolidate processes, streamline performance, reign-in costs and improve reporting and governance. And, while the focus is on risk, all of this needs to be done with the business in mind which means that maintaining line-of-business flexibility while increasing end to-end throughput and visibility is mandatory.

4 4 5 Ways to Manage Risk As financial institutions redefine their third-party provider processes, key gaps from will become evident. These gaps can range from incomplete approvals and reviews, lack of integrated monitoring to inconsistent termination procedures and can be remediated through the following approaches: 1 Link engagements to strategic objectives. Accurate vendor due diligence is more likely to take place when these relationships are tethered to other business-oriented strategic initiatives within the organization. 2 Expand the scope of planning and due diligence efforts. Driving diligent efforts at the front end of the third-party engagement process and ensuring appropriate governance over that component will increase the quality of short- and long-term efforts and decrease defects and rework issues further down the process chain. 3 Increase deal visibility and tighten supplier approval process. Better visibility involving third-parties, especially with smaller deals, greatly improves adherence to guardrails and tightens up approval processes. 4 Take a risk-based approach to managing relationships and setting performance metrics. Establishing or expanding metrics, Key Process Indicators (KPI s), refining tracking and detailing Key Risk Indicators (KRI s ), will reinforce a conservative, risk-based approach and mitigate further risks to the firm. 5 Increase monitoring and oversight; institute escalation paths and issues for management attention tracking. Having robust Key Control Indicators (KCI s), escalation paths to leadership and quick resolution processes further supports a risk-based approach.

5 5 Taking the Next Step While financial institutions rely on third-party vendors to provide the expertise and capacity to meet growth and capability challenges, these relationships can introduce real business risk. New regulations make it clear that financial institutions are accountable for these third-party providers the four walls of these institutions have been extended to include thousands of relationships. To address these risks, banks must strengthen and codify the manner in which they engage and monitor their third-party relationships.

6 6 Contact Us Powered by financial and technology experts, CG s Risk & Regulatory Practice knows how to identify, develop and deliver risk solutions to optimize your regulatory functions. One of the biggest risks when outsourcing regulatory projects is increased compliance concerns and the lack of understanding associated with how things have to be done. Our professionals have lived through your challenges, experienced the everevolving risk and regulatory environment and managed projects for the top financial institutions in North America. To learn more about how we can help you succeed, please contact: Lou Payeur Risk & Regulatory Practice Lead lou.payeur@cgcginc.com