The use of third parties has helped financial institutions grow revenue, cut costs, and improve the customer experience. Those upsides have come with equally visible downsides: more frequent operational setbacks such as major service interruptions, mishandling of customer or employee data, and non-compliance with laws and regulations. With the right approach to managing that risk, firms can turn third parties into strategic assets.
Laurel Sykes, Chief Risk Officer, SVP Risk & Compliance Dept. at Montecito Bank & Trust, recently shared with marcus evans how to secure prosperous partnerships through efficient sourcing and documentation:
What challenges do you face when identifying and monitoring third parties who perform critical activities?
LS: Probably the biggest challenge in identifying third parties who perform critical activities is in the subcontracting of services, also known as fourth-party risk. We know who our online banking provider is, for example, but what we won’t know unless we dig is who THEY may be relying on to provide ancillary products and services, such as personal financial management.
A close second is in identifying the activities actually performed by the third party. It would be hard NOT to find out about third parties providing significant bank functions, such as payments or settlement, because those projects take a significant amount of time and cross-functional support to implement. But what about third party relationships that don’t present as “critical” at the outset of the relationship and later become someone the institution needs to worry about?
Let’s say the Line of Business has written a business case that describes how they will use a third party vendor for data analytics by segment, with no individual client data, for example. Later down the road, they engage the same service provider in a new project where they will be providing client-level data that could end up having a significant impact on customers in the event of a breach. If it wasn’t contemplated at the outset and initial due diligence gathering, then we have to rely on secondary controls to catch the change in relationship. Ongoing monitoring may pick it up, or maybe you have a Data Leakage Protection (DLP) program that catches large amounts of client data leaving the institution. You may also pick it up in a review of accounts payable where you notice a spike in the fees paid to the third party. That is why the whole risk management lifecycle is so critical in managing third party relationships.
And let’s face it, we all still struggle with collecting the documentation from third parties necessary to effectively perform ongoing monitoring. How many times have we all heard “We aren’t required by regulation to have an SSAE 16 performed, so we do not have one to provide you…”?
Rounding out my top four biggest challenges is modifying third party monitoring programs to keep pace with the ever-changing cybersecurity environment. Financial institutions, by nature, house a significant amount of sensitive client data. We have to continue to evolve our cybersecurity strategies all the time to protect that data. The issue is that many third party service providers haven’t yet evolved to the level they need to be in order to effectively protect any data that might be shared with them. It would be fantastic if one day all third party providers had to self-assess their practices using the FFIEC Cybersecurity Assessment Tool (CAT). Until then, financial institutions must do all that they can to monitor relationships with third parties to hold them accountable to the necessary standards.
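One of the secondary controls Sykes mentions above, reviewing accounts payable for a spike in fees paid to a third party and tying it back to the data scope recorded at onboarding, can be automated. The script below is an added illustration written for this page; it is not code from the interview, from Montecito Bank & Trust, or from any vendor management product. The vendor inventory, the accounts-payable ledger, the vendor IDs and names, and the thresholds (2x the trailing three-month baseline, minimum $1,000 increase) are all constructed assumptions.

```python
"""Secondary control for scope creep in third-party relationships.

A vendor inventory records the data classification each third party was
approved for at onboarding; an accounts-payable ledger records monthly fees.
Vendors whose latest month's spend jumps well above their trailing baseline
are queued for a due-diligence refresh, with the recorded data scope shown
so the reviewer can ask whether it still matches what the vendor now handles.
All data below is constructed; vendor IDs, names and thresholds are hypothetical.
"""
from collections import defaultdict
from statistics import mean

# Constructed vendor inventory: approved data scope captured at onboarding.
VENDOR_INVENTORY = {
    "V-1001": {"name": "Segment Analytics Co", "approved_data": "aggregate only"},
    "V-1002": {"name": "Core Banking Ltd", "approved_data": "client-level"},
    "V-1003": {"name": "Office Supplies Inc", "approved_data": "none"},
}

# Constructed accounts-payable ledger: (vendor_id, month, amount in dollars).
AP_LEDGER = [
    ("V-1001", "2015-10", 4000), ("V-1001", "2015-11", 4100),
    ("V-1001", "2015-12", 3900), ("V-1001", "2016-01", 4050),
    ("V-1001", "2016-02", 18500),   # a new project with client-level data begins
    ("V-1002", "2015-10", 50000), ("V-1002", "2015-11", 50000),
    ("V-1002", "2015-12", 50000), ("V-1002", "2016-01", 50000),
    ("V-1002", "2016-02", 51000),
    ("V-1003", "2015-10", 300), ("V-1003", "2015-11", 0),
    ("V-1003", "2015-12", 450), ("V-1003", "2016-01", 250),
    ("V-1003", "2016-02", 900),
]


def monthly_spend(ledger):
    """Sum ledger lines into {vendor_id: [(month, total), ...]} sorted by month."""
    totals = defaultdict(lambda: defaultdict(float))
    for vendor_id, month, amount in ledger:
        totals[vendor_id][month] += amount
    return {vendor: sorted(months.items()) for vendor, months in totals.items()}


def spend_spikes(ledger, baseline_months=3, ratio=2.0, min_delta=1000.0):
    """Flag vendors whose latest month is at least `ratio` x the trailing baseline.

    `min_delta` keeps low-spend vendors out of the queue: a few hundred dollars
    can double a tiny baseline without representing any change in scope.
    Returns {vendor_id: (baseline, latest_month, latest_amount)}.
    """
    flagged = {}
    for vendor_id, series in monthly_spend(ledger).items():
        if len(series) <= baseline_months:
            continue  # not enough history to judge a spike
        history = [amount for _, amount in series[-baseline_months - 1:-1]]
        latest_month, latest = series[-1]
        baseline = mean(history)
        if latest >= ratio * baseline and latest - baseline >= min_delta:
            flagged[vendor_id] = (baseline, latest_month, latest)
    return flagged


def review_queue(ledger, inventory, **thresholds):
    """Join spikes to the inventory so the reviewer sees the recorded data scope."""
    queue = []
    for vendor_id, (baseline, month, latest) in spend_spikes(ledger, **thresholds).items():
        record = inventory.get(vendor_id, {"name": "UNKNOWN", "approved_data": "not on file"})
        queue.append({
            "vendor_id": vendor_id,
            "name": record["name"],
            "approved_data": record["approved_data"],
            "baseline": round(baseline, 2),
            "month": month,
            "amount": latest,
            "action": "refresh due diligence; confirm data scope still matches the contract",
        })
    # Largest absolute increase first: that is where scope most likely changed.
    return sorted(queue, key=lambda row: row["amount"] - row["baseline"], reverse=True)


if __name__ == "__main__":
    for item in review_queue(AP_LEDGER, VENDOR_INVENTORY):
        print(item)
```

Run against the constructed data, only the analytics vendor (approved for aggregate data) lands in the queue; the office-supplies vendor triples its spend but stays under the minimum-delta floor, and the core provider's 2% increase is normal variance. The flag is not proof of a breach of scope; it is the prompt to go back to the Line of Business and the contract and ask what changed.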
What technology do you use to simplify your information management processes?
LS: We are currently undergoing a thorough RFP process to select the right vendor to fit our needs. We’re happy to share the name once we’ve signed with the service!
What are some of the difficulties that emerge when preparing third party documentation or audit reports?
LS: Preparing, or collecting? Our biggest challenge is in collecting third party documentation as part of ongoing monitoring when there is no carrot in front of the third party, such as a new contract negotiation or pending contract expiration. If you don’t write your documentation requirements into the contract at the outset, and if it isn’t agreed upon by the third party when that contract is signed, good luck getting it later! We also often hear “audit reports are confidential” and have to rely on them to provide an excerpt or other response that may not always tell us what we needed to hear before signing. It’s ironic that we can obtain a copy of a regulatory exam by the FFIEC on a core systems provider once we have signed the contract, but until then, we’re in the dark unless there is a formal enforcement action.
Which channels do you prefer to use for communication updates with stakeholders? Why?
LS: We currently rely on emails as they can be saved and retained to document our third party due diligence files. If you didn’t document it, it didn’t happen, right?
Laurel Sykes is the SVP and Chief Risk Officer for Montecito Bank & Trust and is responsible for the Bank’s compliance, risk management, anti-money laundering, information privacy, and fraud departments. She has been a banker for almost 25 years, the last 18 of which were in risk management. She’s a Certified Regulatory Compliance Manager (CRCM) and acts as the Bank’s Vendor Management Officer, with support from the Bank’s Vendor Management Oversight Committee.
Join Laurel at the 2016 Edition: Third Party Risk Management for Banks Conference, June 7-8, 2016 in Chicago, IL. View the conference agenda to check out Laurel’s case study topic. For more information, please contact Tyler Kelch, Digital Marketing Manager, marcus evans at 312.894.6310 or Tylerke@marcusevansch.com.
About marcus evans
marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach attracts over 30,000 speakers annually, ensuring niche-focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.