Fintech partnerships appeal to banks for a range of reasons, including the ability to adopt a new technology customers want without a dramatic internal overhaul or the opportunity to add new sources of fee income. But bank leaders also need to understand the risks inherent to fintech partnerships. Jame Sloan, chief risk officer at BrightFi, shares some best practices bankers can adopt to better understand and manage third-party risks.
Third-party risk management, or TPRM, is a perpetual hot topic in banking and financial services.
Banks are outsourcing and using third parties for a range of products, services and activities as the financial services landscape becomes more digital and distributed. A common refrain among regulators is that “you can outsource the activity, but you can’t outsource the responsibility.” Banks can engage third parties to do what they can’t or don’t want to do, but are still on the hook as if they were providing the product or service directly. This continues to be a common area of focus for examiners and has been identified as an area for potential enforcement actions in the future.
Given the continuing intense focus on third party activities and oversight, one word comes to mind as the most critical component of TPRM compliance: structure. Structure is critical in the development of a TPRM program, including each of its component parts.
Why is it so critical? Structure promotes consistency. Consistency supports compliance. Compliance mitigates risk and liability.
Banks with a consistent approach to TPRM conduct risk assessments more easily, plan for third party engagements, complete comprehensive due diligence, adequately document the relationship in a written agreement and monitor the relationship on an ongoing basis. Consistency, through structure, ultimately promotes compliance.
Structure will become increasingly important in TPRM compliance, given that the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued proposed interagency guidance on TPRM last summer. While the guidance has not been finalized as of this publication, the concepts and substantive components have been in play for some time; indeed, they are based largely on the OCC’s 2013 guidance and FAQs on the topic.
Generally, the proposed guidance contemplates a “framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.” Like other areas of risk management, this framework should be tailored based on the risks involved and the size and complexity of the banking organization. Fortunately, interagency guidance will enhance the consistency of the regulatory examination of TPRM compliance across banks of all sizes and charter-types.
The proposed guidance outlines the general TPRM “life cycle” and identifies a number of principles for each of the following stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The first three stages of this TPRM life cycle benefit the most from a structured approach. These three stages have more stated principles and expectations outlined by the banking agencies, which can be broken down effectively through a properly structured TPRM program.
So, when looking at improvements to any TPRM program, I suggest bank executives and boards start with structure. Going forward, they should consider the structure of the overall program, the structure of each of the stages of the life cycle outlined by the banking agencies and the structure of the compliance function as it relates to TPRM. An effective strategy includes implementing a tailored structure at each stage. If executives can accomplish that, they can streamline compliance and make it more consistent throughout the program. Structure provides certainty as to internal roles and responsibilities, and promotes a consistent approach to working with third parties.
Risk culture plays a role in every conversation and decision within a financial institution, and it is the key determinant as to whether a bank performs in a manner consistent with its mission and core values. Risk culture is a set of encouraged, acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk.
Third-party risk management (TPRM) is a fairly new discipline that has evolved over the past few years from legacy processes of vendor or supplier management functions previously used by companies to manage processes or functions outsourced to third parties. A “third-party” now refers to any business arrangement between two organizations.
The interagency regulatory guidance (the Federal Reserve Board, OCC, FFIEC and CFPB) says a bank cannot outsource the responsibility for managing risk to a third party, especially when additional risks are created. These risks may relate to executing the process or managing the relationship.
The recent Center for Financial Professionals (CFP) Third Party Risk Management survey “Third Party Risk: A Journey Towards Maturity” underpinned the issue around risk culture given the resourcing dilemma that most organizations face. Getting top-down support and buy-in was an issue posed by respondents in the survey. One respondent stated, “The greatest challenge ahead is to incorporate third party risk management goals into the goals of the first line of defense.” Another respondent stated, “Challenges will be to embed this into the organization, including [the] establishment of roles and responsibilities.” In particular, TPRM teams found it challenging to get buy-in from the first line of defense for the management of cyber risk and concentration risk.
Effective TPRM can only be achieved when there is a risk-centric tone, at the top, middle and bottom, across all layers of the company. Clear lines of authority within a three-lines-of-defense model are critical to achieving the appropriate level of embeddedness, where accountabilities and preferred risk management behaviors are clearly defined and reinforced.
Root cause analyses on third-party incidents and risk events (inclusive of near-misses) should be better used by organizations to reinforce training and lessons learned as it relates to duties performed by the third party. Risk event reporting and root cause analysis allows leadership to identify and understand why a third party incident occurred, identifies trends with non-performance of service-level agreements with the third party, and ensures appropriate action is taken to prevent repeat occurrences as it relates to training, education or communication deficiencies.
Risk culture is paramount to achieving benefits from the value proposition of an effective and sustainable TPRM program, and also satisfies regulators’ use test benchmarks.
Roles and responsibilities must be clearly defined and integrated within a “hub and spoke” model for the second-line TPRM function, the first line third-party relationship managers and its risk partners. Clearly, there is a need for financial institutions to (1) implement a robust training and communication plan to socialize TPRM program standards, and (2) ensure first-line relationships and business owners have been provided training.
Risk culture mechanisms that facilitate clear, concise communication are fundamental components for a successful TPRM program – empowering all parties to fulfill responsibilities in an efficient, effective fashion. The challenge of managing cultural and personnel change components cannot be underestimated. As a result, the involvement of human resources, as a risk partner, is critical to a successful resource model. With respect to cultural change, a bank should observe and assess behaviors with current third-party arrangements. The levels of professionalism and responsibility exhibited by key stakeholders in existing third-party arrangements may indicate how much TPRM orientation or realignment is required.
Key success factors to build a robust risk culture across TPRM include:
Clear roles and responsibilities across the three lines of defense and risk partners within the “hub and spoke” model for risk oversight.
Greater consistency of practices with regard to the treatment of third parties. Eliminate silos.
Increased understanding of TPRM activities and policy requirements across the relationship owners and risk partners.
Indicators of a sound TPRM culture and program include:
Tone from the top, middle and bottom – the board and senior management set the core values and expectations for the company around effective TPRM processes from the top down; and front-line business relationship manager behavior is consistent from the bottom-up with those values and expectations.
Accountability and ownership – all stakeholders know and understand core values and expectations, as well as enforcement implications for misconduct.
Credible and effective challenge – logic check for overall TPRM framework elements, whereby (1) decision-makers consider a range of views, (2) practices are tested and (3) open discussion is encouraged.
Incentives – rewarding behaviors that support the core values and expectations.
Setting a proper risk culture across the company is indeed the foundation to building a sound TPRM program. In other words, you need to walk before you can run.