By Justin Handley
It is no secret that the OCC has stepped up efforts around how banks oversee third-party risk and is cracking down on firms that cannot demonstrate cohesive and effective end-to-end management of their suppliers, especially around critical processing.
It has been a theme for years, and yet many are still unprepared and continue to grapple with their third-party risk controls. Banks of all sizes are exposed to significant third-party risks, and ensuring they are well placed to manage them is woven throughout the OCC’s FY 2024 Bank Supervision Operating Plan, as well as the plans of other regulatory bodies. All banks need a solid understanding of what they should be monitoring for, which agencies they need to answer to, and the nuances of the rules and how those affect their particular set of businesses. In today’s world, risk-related standards, rules, regulations and best practices are constantly changing and require significant, real-time maintenance to keep up.
The costs of getting it wrong can be high, both financially and reputationally. For instance, following an OCC examination in July 2023, American Express was assessed a $15 million civil money penalty for failing to properly govern and oversee a third-party affiliate. Additionally, matters requiring attention (MRAs) are not uncommon, and the cost of addressing one can be substantial, potentially impacting the bank’s reputation and financial stability.
Another point not to be overlooked is that an actual risk event has no upper bound in terms of cost and can have significant and lasting implications depending on its type and severity.
Every scenario presents its unique challenges, and while each bank is progressing through a different phase of solution development, a number of common issues often emerge:
- Multiple systems used for activities such as sourcing, vendor qualification/selection, and ongoing vendor monitoring/management.
- Multiple stakeholders without clear boundaries.
- Insufficient active management of non-critical vendors.
- Lack of comprehensive reporting.
- Underdeveloped third-party operational resilience capabilities.
A mixed bag
In some instances, the operating model itself may contribute to, or be the root cause of, many of the third-party risk control issues. If the underlying model is flawed, efforts to improve TPRM will likely fall short of expectations.
Many banks continue to use an eclectic mélange of systems, offline tools and manual interventions that may prove inadequate in the eyes of regulators. Internally, the results of these jumbled approaches are a pointedly fractured ownership over the end-to-end process, siloed risk domains, complex and manual procedures, a heightened risk of error, and painful “temporary” workarounds.
Beyond having effective systems and processes, it takes a village of people to effectively manage third parties and getting everyone onto the same page is not as easy as it might sound. Activities are broadly split across procurement/sourcing, vendor management, and third-party risk, all of which need to work efficiently together. Unfortunately, they regularly operate in isolation following a fairly linear assembly line process where each step is unceremoniously thrown over the fence to the next team. They also tend to own their own procedure documents and manage updates in at least a partial vacuum. This tends to produce competing priorities and process gaps where critical steps are missed, and issues are only caught after the fact when it is more difficult to resolve.
It is not just a question of systems and silos; sometimes a lack of focus on less conspicuous risk areas leads to blind spots or an increased likelihood of failure. Despite the OCC’s focus on critical processing, a common weak point sits with non-critical vendors. They generally don’t get the same level of urgency during ongoing monitoring activities but still pose risks to the bank. An important tenet of managing third parties is understanding how risks change over time, so the periodic re-reviews certainly play an outsized role. However, some of these non-critical third parties could still have negative impacts if they fail to deliver or suffer a risk event themselves. Actively managing non-critical vendors between assessments with real-time alerts, reviewing and maintaining nth-party relationships, and understanding their connectivity across the organization and its other external parties is extremely important, since non-critical third parties typically far outnumber critical ones.
Further considerations are also warranted when third parties (both critical and non-critical) are on global contracts operating in a number of different jurisdictions where the US division only utilizes some of the services and may not be the primary consumer. Monitoring across global relationships requires coordinating between various business groups as well as managing and communicating alerts or issues at a parent level to all concerned parties.
In line with this, it’s one thing to capture the information, but being able to look at the firm’s holistic exposure to third parties through reporting is something else entirely. Capturing data across multiple systems and tools not only creates a reconciliation/mapping headache, but also limits the ability of risk managers to effectively assess risk. For instance, evaluating nth-party exposure across the universe of third parties could prove impossible if the linkages aren’t established in a single, extractable location.
Additionally, downstream/upstream considerations also need to be addressed. Third-party data often flows down to other non-TPRM areas or up into a consolidated view across multiple lines of business. As a result, it needs a common understanding (for example, shared terminology) for everyone and must align with how it is used by other systems or teams.
Another crucial factor to consider as part of the TPRM approach is the heightened scrutiny around operational resilience, especially when it comes to third-party engagements. Banks increasingly rely on third-party vendors to support their core and critical operations; however, this dependency has introduced an increasingly complex web of challenges, necessitating a robust framework for third-party operational resilience covering contracting, contingency & exit planning, and resilience testing to name a few.
Next steps
One of the most comprehensive approaches to minimizing these issues is overhauling or replacing the existing TPRM system and the associated processes to fit within the new system guardrails. It is important to note that over-customization attempting to rebuild existing processes as-is will almost certainly strain expected budgets and timelines. On the flip side, too little modification will generate fervent pushback from the business units having to support the changes.
The good news is there have been many recent advancements in this area with numerous possible TPRM solutions that handle all, or most of the supplier lifecycle (and others with active alert monitoring). For example, “low code” or “configuration” solutions, when properly applied, offer lighter development requirements, faster implementation and release cycles, more control over the ongoing maintenance or updates, and possible reductions in the number of online and offline systems required to administer a comprehensive TPRM program. Specifically addressing operational resilience, the right system can support the adoption of best practices to bolster these capabilities, ensuring the continuity and reliability of the financial institution.
- Clear contractual agreements. Develop comprehensive contracts that not only outline service expectations, but also establish contingency plans and termination provisions that protect the firm in case of disruptions.
- Contingency and exit planning. Assess the firm’s tactical and strategic options and develop playbooks to address both short-term and long-term stress scenarios when the third-party is unable to continue providing the service.
- Resilience testing. Conduct regular third-party resilience tabletop exercises to simulate disruptions and validate the effectiveness of response and recovery plans. The third-party should be included in these exercises to the extent possible.
Ultimately, banks need to progress to the point where they do not have one team and one system owning the onboarding process, another team and system owning risk management, and additional teams or systems owning other individual parts of the process. The goal should be to consolidate a series of disparate online and offline tools into fewer, or even a single, flexible TPRM solution that removes unnecessary manual tasks, eases communication channels with suppliers and bolsters reporting and insight gathering while enhancing the bank’s overall risk controls.
As third-party risks continue to increase and evolve in concert with added regulatory pressure to manage them effectively, it is imperative to get started early. Banks should look to enhance or replace existing TPRM systems and strengthen operational resilience capabilities, while concurrently updating policies and procedures across risk domains and the entire supplier lifecycle. Failing to identify and address deficiencies creates the potential for an actual risk event, significant fines or the issuance of an MRA. At the same time, there is an opportunity to optimize the bank’s operating model and improve processes for risk areas, which should alleviate bottlenecks and pain points while reducing overall third-party assessment duration.
Justin Handley is a senior consultant at Capco.