Interest in Financial Services Third Party Risk Rising

Interest in Financial Services Third Party Risk Rising

ConnectedBusinessThere’s certainly been a lot of talk about third party risks recently. There’s been the fallout from the Target breach, and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident, where the DHS reportedly exposed private documents of at least 114 contractors that bid for work at the agency, as well as plenty of discussion surrounding third-party risk and the critical infrastructure, too. And there’s also been considerable attention given to third-party risks as it relates to financial services companies.

However, when it comes to outsourcing to offer innovative services, keep costs low and streamlining operations, few industries outsource as much as financial services. And it seems the primary regulators of the banking industry is taking notice.

The Federal Reserve Board (FSB) recently issued direction on third party risk in its report, Guidance on Managing Outsourcing Risk [pdf]. In the report, The Federal Reserve board highlights three key risks associated with outsourcing in financial services. But the reality is that these risks apply to virtually any enterprise that closely partners or outsources:

  • Compliance risks arise when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
  • Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
  • Reputational risks arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.

In the report, the FSB board report spoke to the need for conducting risk assessments, due diligence in the selection of service providers, contractual considerations, oversight and monitoring of service providers, as well as business continuity and other very important considerations.

Also, This past fall the Office of the Comptroller of the Currency (OCC and part of the U.S. Department of Treasury), issued risk management guidance for third party relationships. The OCC advised banking institutions to effectively manage third party risk by:

  • [Establishing] plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
  • [Conducting] proper due diligence in selecting a third party.
  • Written contracts that outline the rights and responsibilities of all parties.
  • Ongoing monitoring of the third party’s activities and performance.
  • contingency plans for terminating the relationship in an effective manner.
  • Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
  • Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
  • Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

Interestingly, both the OCC and the FSB called out, specifically, the need for ongoing monitoring of the third party’s continued performance.

For example, in its Guidance on Managing Outsourcing Risk report, the FSB called for continued monitoring of internal controls, “For significant service provider relationships, financial institutions should assess the adequacy of the provider's control environment,” and should there be findings that reveal increased risk, the report calls for escalation of oversight activities: “If the service provider delivers information technology services, the financial institution can request the FFIEC Technology Service Provider examination report from its primary federal regulator. Security incidents at the service provider may also necessitate the institution to elevate its monitoring of the service provider,” the FSB writes.

The challenge here is that by the time potential issues, gathered through on-site audits, questionnaires, or signs of breach, it’s probably too late and the organization has already – or is on the brink – of suffering a security breach. And much of the data that will reveal this is available through public observation, whether it be through malware or botnet communication or other types of evidence that would reveal degradation of security posture over time.

By continuously monitoring, from externally visible data points, for evidence of security controls and good tech hygiene that are slipping it’s not only quite possible – but probable – that you’ll see signs of your partner or service provider heading toward a serious breach long before they do.