FOR FINANCIAL SERVICE PROVIDERS, MANAGING VENDOR AND THIRD-PARTY RISKS IS CRITICAL

By Rich Cooper, Director of Global Accounts, Fusion Risk Management

Regulators Will Hold Firms Responsible; Good News is Technology Is Here to Help

Everyone knows there are inherent risks in markets. Investors know and accept the risk that their investments may lose value. For the financial services companies that facilitate and stand behind the trades of ordinary investors, there are risks largely unseen by the public that must be reckoned with on a constant basis.

Financial Service (FS) providers (banks, brokers, asset managers, etc.) must work with a variety of vendors and third parties to be competitive in attracting investors as well as keeping their clients’ business. They range from back-office and IT outsourcing vendors to third-party trade-clearing, settlement and money-transfer providers. The economic services provided by the finance industry encompass a broad range of businesses that manage money, including credit unions, banks, credit-card companies, insurance companies, accountancy companies, consumer-finance companies, stock brokerages, investment funds, individual managers and some government-sponsored enterprises. Many of these relationships are intricate and multi-layered, with risks embedded in every layer. A vendor or third party providing direct services to you as an FS provider may also have several relationships with others that could put your direct relationship at risk.

Just this month (December 2019), the Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published proposed new expectations to strengthen operational resilience in the financial services sector. This is a major next step in evaluating “operational resilience” in the financial sector (in the UK defined as UK banks, building societies and investment firms (banks), and the Society of Lloyd’s and its managing agents (insurers), collectively called “Firms”, and also Financial Market Infrastructures, collectively called “FMIs”). It likely will become policy in the UK in 2021, in the European Union and Singapore by 2022, and possibly in the U.S. soon as well.

The Federal Financial Institutions Examination Council (FFIEC) in the US came out with new guidance as well this month. The guidance notes: “Business Continuity Management (BCM) is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services. Disruptions such as cyber events, natural disasters, or man-made events can interrupt an entity’s operations and can have a broader impact on the financial sector. Resilience incorporates proactive measures to mitigate disruptive events and evaluate an entity’s recovery capabilities. An entity’s BCM program should align with its strategic goals and objectives. Management should consider an entity’s role within and impact on the overall financial services sector when it develops a BCM program.”

Two areas that present the most significant risk management and compliance challenges to FS providers are:

  1. Financial Market Infrastructures (FMI). These are critically important institutions responsible for providing clearing, settlement and recording of monetary and other financial transactions. A payment system is a set of instruments, procedures and rules for the transfer of funds between or among participants. An example is the SWIFT network for global banking and payments. In the US, the Federal Reserve Board supervises most market infrastructures.

  2. Outsourced Technology Services. FS providers that rely on third parties to provide operational services need those vendors to have sufficient resources and recovery capabilities in the event of a disruption. The FFIEC, which has a handbook for business continuity management (BCM) planning, warns that: “Financial institutions should recognize that using such providers does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner.”

The primary concern of regulators is the “systemic risk” that individual vendors and third parties present to the overall health of the financial/economic ecosystem. Recall the snowball effects that the failures of several large broker-dealers and investment banks had in precipitating the great financial crisis of 2008. Regulators are also concerned that the FMIs, if not properly managed, can result in significant violations of consumer laws and regulations and expose an institution to supervisory enforcement action, as well as financial, legal and reputational risks.

This is the most important point to remember – as an FS provider, you OWN THE RISKS.

So, what can you do to mitigate your risks? As best practice, you should:

  • Map all of your vendor and third-party relationships from end to end. As an example, in payments and settlements, you vitally need to understand who your third parties are, where they are and what risks they may present. You need to plan how you can mitigate those risks to the greatest extent possible.
  • Make sure everyone in your organization who is responsible for these risks is informed – including C-suites and boards. The FFIEC handbook emphasizes that “the responsibility for properly overseeing outsourced relationships lies with the financial institution’s board of directors and senior management.”
  • Do a deep dive into your current systems, their limitations and their liabilities. Many firms still have legacy systems with risk assessments built into spreadsheets or printed documents. State-of-the-art BCM systems allow for information inputs from across the organization, with advanced technologies employed in risk assessments.
  • Break down silos. Some firms keep their databases in silos (e.g., the equity trading department and the mutual fund department), where one silo can be unaware of the risks of the other, putting the entire firm in jeopardy. A holistic system that covers the enterprise and allows prompt reporting to the board level is not a luxury. It is a must for today’s FS providers.
  • Stress-test your system constantly and vigilantly. Game-playing scenarios are helpful in identifying “what ifs” as well as planning work-arounds for potential disruptions.
  • Identify “acceptable risks” as well. A one-hour outage may not be desirable, but it may be acceptable and have no regulatory ramifications for your firm. A 72-hour outage would be vastly different, as access to cash reserves and insurance may be limited or non-existent and your legal liabilities could be piling up.

If you think this is complex, you are right. Operational disruptions to the products and services that firms and FMIs provide have the potential to cause harm to consumers and market participants, threaten the viability of firms and FMIs and cause instability in the financial system. There are new regulations on the way to mitigate this risk to the economy, and managing third (and fourth) parties is a key area of discussion.

The infrastructure of financial institutions and FS providers is much like a tapestry whose resilience depends on the strength of the weave. But don’t be deterred by the complexity. The good news: there are technology-empowered platforms that can help you manage your vendor and third-party risks.

An effective outsourced business continuity management program will provide the framework to successfully manage your vendor and third-party risks now. It will employ up-to-date technology, break down silos, and identify, measure, monitor and mitigate the risks that otherwise may keep you up at night.