Missing Ingredients of Shared Due Diligence Services

By Krista Shonk

Professional chefs and home cooks know that a prized recipe will be mediocre if the dish omits key ingredients. The food may be palatable, but it does not live up to its potential. The same holds true for attempts to standardize the collection of due diligence information on third parties—sometimes referred to as “shared” or “collaborative” due diligence.

While it is tantalizing to think about eliminating duplicative efforts to gather and validate information about third parties and their control environment, many shared due diligence services are missing some key ingredients. For there to be widespread adoption of shared due diligence, products must offer a strong value proposition, provide more detailed information about a third party’s information security and compliance with laws and regulations and be affordable for community banks.

Increasing efficiency and effectiveness

In recent years, banks have dedicated significant resources to identifying and managing risks presented by third parties. As third-party oversight programs mature, banks are evaluating how to increase the programs’ efficiency and effectiveness. Some banks have embedded third-party relationship managers within each business unit; others have re-evaluated their third-party population to determine whether service providers designated as “critical” or “high-risk” truly warrant that designation and the accompanying level of oversight; still others have aligned the risk assessment and contracting functions to ensure that identified risks are properly addressed and mitigated in vendor contracts.

>>Did you know?

An ABA survey of community banks found that 94 percent of respondents would consider collaborating with other banks to conduct third party due diligence. However, 28 percent said that the immature marketplace is the primary challenge to shared due diligence efforts.

Participating in a shared due diligence service is another strategy that banks are considering, particularly in light of the OCC’s favorable treatment of collaboration, which the agency highlighted in a recent bulletin. A recent announcement by a consortium of banks planning to standardize and house the collection of third-party due diligence information generated additional interest in the shared due diligence concept.

Shared due diligence: where we are now

Banks, consultants and others have attempted multiple times to craft a common due diligence questionnaire that banks may present to prospective or existing third parties. The questionnaires typically focus on matters involving information security, privacy and business resiliency. In some cases, shared due diligence providers house the collected information in a central location where banks can access it and perform their own assessment of the third party based on the bank’s risk appetite and the particular services purchased from that third party. Many vendors are struggling to deal with a high volume of bank due diligence requests and are highly supportive of efforts to eliminate due diligence redundancies.

What shared due diligence doesn’t do

A quarter of community banks responding to a recent ABA third-party risk poll said that conducting risk assessments is their most significant third-party risk challenge. But while shared due diligence services reduce the administrative paper chase, they will not eliminate or supplement a bank’s third-party risk analysis.

Rather, banks must evaluate the due diligence information about the third party and assess how the third-party’s controls compare to the bank’s own risk and control environment. The OCC bulletin specifies that banks participating in collaborative due diligence arrangements must undertake certain responsibilities individually, including:

  • Assessing the risks of doing business with particular third parties as well as the ability of the bank to monitor and control those risks;
  • Conducting ongoing benchmarking of the third party’s performance against the contract or service-level agreement;
  • Evaluating the third party’s fee structure to determine if it creates incentives that encourage inappropriate risk taking;
  • Monitoring the third party’s actions on behalf of the bank for compliance with applicable laws and regulations; and
  • Monitoring the third party’s disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank’s disaster recovery and business continuity plans.

Bankers talk pros and cons

Recently, ABA’s third-party risk management peer group discussed the strengths and weaknesses of shared due diligence services. Some of the participants have contracted with shared due diligence providers, while others have researched multiple product offerings but ultimately determined that they did not offer a sufficiently strong value proposition. Bankers identified pros and cons in several areas:

  • Reductions in due diligence collection. Bankers do not expect that shared due diligence will eliminate their collection of third-party due diligence information. However, they would like for shared due diligence to reduce their information collection effort by specified percentages. Ideally, bankers want a due diligence platform that collects 80 to 90 percent of the due diligence information that they require about a third party.
  • Information security. In many cases, the level of information collected on a third party’s information security is too generic and requires deeper bank involvement than peer group participants prefer.
  • Legal and regulatory compliance. A similar weakness exists in the information collected regarding a third party’s compliance with laws and regulations.
  • Onsite verifications. Some bankers are intrigued by the onsite verification of third-party procedures and internal controls that some due diligence services provide. Others are not interested in this feature because outsourcing onsite reviews hinders the bank’s ability to build relationships with the third party.
  • Cost savings. The bankers resoundingly agreed that shared due diligence services result in limited actual cost savings. Staff is still needed to analyze the due diligence information and follow up on additional information when necessary. However, on the positive side, shared due diligence does help bank staff to focus on information analysis as opposed to information collection.
  • Speed to market. Speed to market is the most significant benefit that large banks are seeking from shared due diligence. By contrast, a recent ABA poll found that only 5 percent of community banks consider speed to market to be a key reason to subscribe to shared due diligence services.
  • Wait and see. Most of the peer group participants continue to be interested in shared due diligence and have spoken with multiple industry providers. However, banks are waiting for an industry leader to emerge prior to signing on with a shared due diligence provider.

The experiences of these banks will be important to the evolution of the ongoing effort to standardize and streamline due diligence collection.  As best practices for shared due diligence emerge, institutions will be able to focus their efforts on analyzing due diligence information (as opposed to chasing paper), making better decisions and implementing controls that will protect their institutions. In the meantime, banks should not shy away from pointing out the “missing ingredients” necessary to make the business case for engaging a shared due diligence provider.

KRISTA SHONK is VP for Regulatory Compliance Policy at ABA.

Third-Party Tactics, a regular feature on the ABA Banking Journal site, explores leading practices and practical tips for third-party risk management.