3 Trends Driving Third Party Risk Management in the Banking Sector and Beyond
It’s not hard to understand why third-party risk has become a board-level concern and one of today’s largest risk management trends. Third parties are an essential part of doing business globally, but they also introduce significant risk. Companies are feeling the pressure, and nowhere is it stronger than in the banking and financial services industry.
From GDPR to emerging guidance such as the European Banking Authority’s outsourcing guidelines, the regulatory environment is tough and getting tougher. Information security is a major concern, with the data breaches at British Airways and Ticketmaster as just two recent dramatic examples. And the third-party risk management function itself is changing drastically, becoming a more strategic and enterprise-wide function and bringing new learning curves with it.
So how can banks and other firms cope? Let’s look at three top drivers shaping risk management in the banking sector today and across global organizations, along with advice for dealing with them.
Why Third Party Risk Management in the Banking Sector and Today’s Organizations Is So Needed
1. Regulatory Scrutiny Is Increasing, from GDPR and Beyond
Regulatory compliance, always a hot-button issue, has escalated sharply with the General Data Protection Regulation (GDPR) and, in Europe, new outsourcing guidance from the European Banking Authority. Enforcement of financial crime statutes such as the UK Bribery Act, which carries personal as well as corporate liability, is also increasing, putting pressure on the capabilities of risk management in the banking sector.
Third parties and GDPR compliance
GDPR needs no introduction: it’s hard to imagine a global business that hasn’t dealt with the May 2018 data protection and privacy legislation. Yet, for obvious reasons, given its European origin and scope, GDPR has reached fever pitch in Europe.
Leaving fear aside, GDPR raises practical concerns of efficiency and effectiveness. From meeting all-new reporting requirements to facilitating the work of new data protection officers to providing timely notification of data breaches, the regulation is creating huge new workloads for banks and corporations that in many cases were already hampered by legacy data infrastructures and risk management processes.
Third parties are especially challenging because they were not the primary focus of the first round of compliance efforts. Yet businesses that control personal data (controllers) are responsible for ensuring that the third parties that process data on their behalf (processors) do so in a GDPR-compliant way. A lapse by a processor can result in regulatory repercussions for the controller, which makes managing third-party GDPR risk a significant concern.
GDPR addresses third-party compliance in two specific areas: Article 28 (Processor) and Article 30 (Records of processing activities).
- Article 28 requires a controller to use only processors that provide sufficient guarantees, to bind each processor by a contract containing the terms set out in Article 28(3), and, under Article 28(2), requires a processor to obtain the controller’s written authorisation before engaging a sub-processor. That last point is where fourth-party risk enters the picture.
- Article 30 requires controllers and processors to keep records of their processing activities, including the categories of recipients to whom personal data has been or will be disclosed.
Both require a strong understanding of how data flows through your organization, including the type of personal data you hold, where it is stored, who has access and who it is shared with. They also require an in-depth mastery of GDPR requirements related to third parties.
Tackling these requirements manually is a losing battle. Standard questionnaires don’t map to GDPR, and trying to assess every third party by hand is ineffective, inefficient and directs focus away from strategic goals. The key risk management trends we’re seeing show that success requires a risk-based approach that starts with data, examines all third parties and uses thoughtful automation geared specifically toward GDPR goals.
What to expect from the EBA’s Guidelines on Outsourcing Arrangements
A second pressing area of regulatory impact is the European Banking Authority’s upcoming Guidelines on Outsourcing Arrangements for financial services, going into effect in June 2019.
The EBA describes itself as an “independent EU authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.” Its objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
The new guidelines establish a single framework for managing outsourcing relationships: institutions must keep a register of all of their outsourcing arrangements and apply heightened due diligence and oversight to any outsourcing of critical or important functions. They also substantially expand the 2006 CEBS guidelines on outsourcing, which they replace.
The guidelines are much tougher than in the past. As the EBA notes, Directive 2013/36/EU (CRD IV) sets more exacting governance requirements for institutions, including for outsourcing, and Article 74 of that directive mandates the EBA to develop guidelines on governance arrangements. Directive 2014/65/EU (MiFID II) and Directive (EU) 2015/2366 (PSD2) contain explicit provisions on outsourcing by investment firms and payment institutions.
Given the tight timelines, financial institutions don’t have much time to audit their current processes and implement the EBA’s framework. The sooner they start, the better, both for compliance and for risk reduction.
And, as with GDPR, an automated approach that marries regulatory expertise with technological ease will boost efficiency and effectiveness, driving down cost and risk and driving up value.
2. Information Security and Cyber-Risk Are Driving Heightened Vigilance
Cambridge Analytica. British Airways. Ticketmaster.
It’s clear that information security is a hotter topic now than ever, threatening reputation, revenue and long-term financial stability. And third parties are one of the biggest risk factors.
In a recent study of 1,300 global enterprises by ESI ThoughtLab and WSJ Pro Cybersecurity, sponsored by Opus and a group of other like-minded companies, we learned that the United States is the most ready to deal with these threats, followed by South Korea and Japan (see Figure 1), and that:
- Data sharing among suppliers was ranked as the number one cyber-vulnerability, selected by 57% of all respondents.
- Attacks through partners and vendors are the fastest-growing risk, expected to grow 247% over the next two years.
- In financial services, new technologies and devices (such as IoT) also rank as a huge threat, selected by 52%.
Figure 1 Source: The Cybersecurity Imperative, 2019
Despite the risks, many companies are assessing only a portion of their third parties, or just aren’t sure which ones they have assessed. Add in the emerging challenge of Nth-party risk (your third parties’ third parties, and theirs in turn) and the picture is riskier still.
These are recommended steps you can take to reduce risk:
- Assess and monitor all third parties in an automated, risk-based, controls approach – risk often comes from unexpected places, not just large or critical partners.
- Adopt a best-practice control framework such as the NIST Cybersecurity Framework to guide your efforts.
- Establish clear board and cross-functional communication and ownership – organizations that have engaged their boards have reduced the incidence of third-party data breaches by 18%, according to recent Opus/Ponemon Institute research.
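To make the Nth-party point concrete, here is a small added example (not code from this page or from Opus/Hiperos) that traces which categories of shared data can reach each party down a vendor chain, and then lists the parties that receive personal data but have never been assessed. The vendor names, data categories, edges and the set of assessed parties are all constructed for illustration; a real run would read them from your third-party register and the sub-processor lists your processors disclose under Article 28(2).

```python
"""Trace where shared data ends up across a chain of third parties.

Constructed example: the vendors, data categories and assessment flags
below are made up for illustration; they are not data from the page or
from any vendor's product.
"""
from collections import deque

# Directed edges: who shares data with whom, and which categories flow.
# Categories are free-text labels; "personal" marks GDPR-relevant data.
SHARES = {
    "bank": {
        "core-banking-saas": {"personal", "transactions"},
        "marketing-agency": {"personal"},
        "office-supplies": {"purchase-orders"},
    },
    "core-banking-saas": {
        "cloud-host": {"personal", "transactions"},
        "log-analytics": {"transactions"},
    },
    "marketing-agency": {
        "email-platform": {"personal"},
        "cloud-host": {"personal"},
    },
    "email-platform": {
        "marketing-agency": {"personal"},  # cycle: data flows back to the agency
    },
}

# Parties the organisation has actually assessed (constructed).
# Note that only direct (depth 1) third parties have been looked at.
ASSESSED = {"core-banking-saas", "marketing-agency", "office-supplies"}


def trace_exposure(root, shares):
    """Return {party: (depth, categories)} for every party reachable from
    `root`. `depth` is the shortest chain length (1 = third party,
    2 = fourth party, ...). `categories` is the union, over all chains,
    of data that can reach the party. Along any single chain the set only
    narrows: a fourth party never sees more than the third party passing
    data on to it actually received. Revisits that add no new category
    are skipped, which also terminates the walk on cycles."""
    exposure = {}
    queue = deque([(root, 0, None)])  # None = the root holds everything
    while queue:
        party, depth, cats = queue.popleft()
        for child, shared in shares.get(party, {}).items():
            reach = set(shared) if cats is None else set(shared) & cats
            if not reach:
                continue
            prev_depth, prev_cats = exposure.get(child, (None, set()))
            new_cats = prev_cats | reach
            if prev_depth is not None and new_cats == prev_cats:
                continue
            # BFS order guarantees the first visit is at the shortest depth.
            exposure[child] = (depth + 1 if prev_depth is None else prev_depth, new_cats)
            queue.append((child, depth + 1, reach))
    return exposure


def unassessed_personal_data_recipients(root, shares, assessed):
    """Parties that can receive 'personal' data but were never assessed,
    mapped to the depth at which they sit in the chain."""
    flagged = {}
    for party, (depth, cats) in trace_exposure(root, shares).items():
        if "personal" in cats and party not in assessed:
            flagged[party] = depth
    return flagged


if __name__ == "__main__":
    for party, (depth, cats) in sorted(trace_exposure("bank", SHARES).items()):
        print(f"depth {depth}: {party}: {sorted(cats)}")
    print("unassessed recipients of personal data:",
          unassessed_personal_data_recipients("bank", SHARES, ASSESSED))
```

In the constructed data, `cloud-host` and `email-platform` both sit at depth 2 and receive personal data, yet neither is in the assessed set, which is exactly the gap a direct-suppliers-only assessment programme leaves open. `log-analytics` is also unassessed but only ever sees transaction data, so a risk-based approach would rank it lower. The intersection step matters: the marketing agency passes only "personal" to `cloud-host`, while the core banking provider passes both categories, and the union of those chains is what the fourth party can actually hold.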
3. Vendor Management Is Giving Way to Strategic, Enterprise-Wide Third Party Risk Management
Traditionally, third party management has been owned by areas like procurement, with the function often going by “vendor management” or “supplier management.”
This is still true, but in recent years third-party risks have broadened so much that “supplier” alone is too narrow a lens, and strategic procurement leaders have recognized the importance of partnering across the enterprise to address the broadening risks.
Forward-looking enterprises and financial institutions are embracing holistic, strategic third-party management – compliance and risk management as a team sport. In this model:
- A chief risk officer or other central leader often assumes responsibility for third party risk
- Procurement, while involved, is part of an enterprise team that coordinates and communicates around risk
- Senior leadership, up to the board, has a voice and say in third party risk priorities and outcomes
- Risks are assessed holistically across all third parties in a risk-based approach – from performance to information security to data privacy to anti-bribery/anti-corruption and beyond
- Data and technology about suppliers, partners and vendors are managed not in silos but in coordination, giving a single view of third parties, their relationships and their associated risk
Ongoing communication, coordination and reporting are essential – suppliers, partners and contractors are viewed not as the province of one silo but as a vital resource to the organization that is managed accordingly – and as a real resource for growth.
If there’s one overall message from the trends in third-party risk management, it’s this: don’t go it alone. Whether you’re tackling financial regulation, grappling with GDPR, or a CISO partnering with compliance colleagues to stand up to cyber-risk, manual efforts are ineffective.
The world around us will continue to shift, and automation combined with expertise is a winning formula, especially for risk management in the banking sector. At Opus, we offer Hiperos 3PM, an award-winning software platform that automates third-party risk management. Get in touch with us to set up a demo.
Looking for further risk management insight? Get a copy of the Cybersecurity Imperative report, a landmark global cyber-risk study produced by ESI ThoughtLab, WSJ Pro Cybersecurity and a group of prominent organizations, including Opus.