Are Good Vendor Partnerships Leading You to Bad Ones?

Taking on some measure of risk is just part of doing business. However, financial institutions face a particularly high level of risk since protecting their customers’ money and personal data is critical for remaining a viable financial service provider and is required under banking regulations. One big risk that may not be immediately obvious is the use of third-party providers by the financial institution’s vendor partners.  

In the article The Five Stages of Third-Party Risk Management for Financial Institutions, Forbes points out that third-party risk is actually one of the biggest risks businesses face. Third-party risk management (TPRM) – the process of assessing, monitoring and managing risks that come from engaging with external parties – is essential for minimizing risk and mitigating financial losses.

“TPRM provides a systematic way to identify, assess, and monitor risks associated with engaging third parties. In turn, it allows financial institutions to make informed decisions about whether it is safe to enter into or continue a relationship with other organizations or businesses, even those outside the industry.” – Forbes

While financial institutions are subject to thorough and ever-evolving federal and state regulatory guidance, rules and scrutiny to ensure they are protecting their customers against bad actors, their vendors and those vendors’ sub-contractors are not always bound by the same rules. It’s up to the bank to ensure that its providers – both primary and third-party – have sound financial business practices in place.

The price to pay for the lack of third-party risk management can be high, and the costs of data breaches have skyrocketed in recent years. And it’s not just large companies that are at risk, according to Forbes.

“Small businesses are often even more vulnerable to third-party risks because they typically don’t have the same resources to devote to TPRM as larger enterprises do.” – Forbes

Third (and fourth!) parties and the contract

While there are limits to what a bank can do contractually to compel a vendor to provide due diligence information or to impede their ability to add or change sub-contractors, it’s still important to be aware of their use of third parties to provide crucial services, according to PRI Director of System Evaluation Mike Neale.

It’s reasonable, however, for financial institutions, no matter their size, to expect their vendors to successfully manage their own third-party risk, and it’s acceptable to ask questions about their use of vendor management programs.

The NContracts article Managing Fourth-Party Risk: What You Need to Know says there are generally two regulatory expectations of financial institutions when diving into the question of third-party risk management.

“First, a financial institution’s vendors should be contractually obligated to inform your institution if they are subcontracting a critical function to a vendor – or if that vendor changes. Good vendor management requires good contract management, and that includes negotiating contracts that ensure your institution is aware of key partners, especially if they are foreign-based. Second, evaluate the strength of critical and high-risk vendors’ vendor management programs. Do they perform due diligence on their vendors? Do they have a robust third-party risk management program? How do you know?” – NContracts

The time to address these important questions and document the use of third-party vendors is during the contract evaluation process.

“Consider a vendor’s present and past use of sub-contractors during the evaluation phase and be sure you’re documenting the risk considerations within your governance program and regulatory requirements,” Neale said. “By understanding at the outset the security protocols of any third parties involved, the institution can work on managing their risk while negotiating their contracts.”

Again, the answer here starts with good contract management.

Competitors as third parties

Neale said a third-party issue he is seeing more and more frequently is the use of a competitor bank as a sub-contractor. For example, an institution may be considering a vendor to provide a financial service, and that vendor, as part of their service, provides a debit card from another bank to the end user. In some cases, the contracting bank is not given the option of becoming the card issuer, effectively opening the door for a competitor to disintermediate transactions in the bank’s own market.

“We advise banks to be very thoughtful around the vendor selection process, especially if the vendor’s sub-contractor is directly competing with the bank,” Neale said. “Is the product important enough that you are willing to let a competitor inside that can use any information they collect from delivering the service to market to your clients?”

While some products, such as a prepaid card, would be more difficult for a typical community bank to provide, it is not uncommon for a vendor to deliver a service in which a bank could easily be a component provider. Neale’s recommendation is to look for vendors that allow the contracting bank the opportunity to provide any services they can as a “sub-contractor.”

Financial institutions have a keen interest in risk management when it comes to vendors and their sub-contractors. To manage their own risk, they need to be aware of their vendors’ own third-party risk management practices. They also should understand any possible downsides of using a third-party vendor that is also a competitor. Uncovering these issues is a vital part of good contract management, and they are pitfalls that experts like PRI can help their clients avoid.

Resources 

The Five Stages of Third-Party Risk Management for Financial Institutions – Forbes

Managing Fourth-Party Risk: What You Need to Know – NContracts

PRI specializes in identifying profitability improvement areas for financial institutions through revenue growth, cost control, streamlining processes, and effective use of technology. Contact us to learn more about our personalized approach to propel growth and improve profitability.
