Risk Intelligence

Next generation third-party risk management (TPRM) for financial institutions

Qifei Zeng

Risk Intelligence Manager, Third-Party Risk
  • Explore the latest trends and challenges financial institutions are facing in relation to next-generation third-party risk management.
  • In a time where financial institutions struggle with increased regulatory scrutiny and a complex risk landscape, discover how to drive effectiveness and efficiency.

Over the past decade, financial institutions (FIs) have greatly increased their use of third parties (e.g., merchant payment processors, cloud service providers, financial technology companies), and increasingly see them as a competitive advantage. Meanwhile, emerging third-party risks make risk-based, enterprise-wide third-party risk management (TPRM) more important than ever. Ongoing budget cuts, combined with growing threats to business continuity, compliance, reputation and cyber security, make improving the effectiveness and efficiency of FIs' TPRM programmes a necessity.

Latest TPRM trends and challenges 

While third parties are playing an increasingly vital role in FIs, FIs are in turn struggling with significant TPRM challenges. The following are emerging trends and challenges observed:

  • Growing reliance on third parties. FIs are increasingly adopting technology from third parties to improve their competitiveness and enable innovation. This is leading to the sector's growing reliance on technology-based services provided by third parties.[1]
  • Increased regulatory scrutiny. Regulators globally are increasing the pressure on FIs to better manage their third-party risks. Recent interagency guidance[2] on third-party risk management in the US called upon financial institutions to apply specific principles at the various stages of the third-party lifecycle. A common theme across this and other regulatory guidelines is resiliency as a supervisory priority, so FIs must carefully review the full array of critical activities outsourced to third parties and implement mitigating measures to maintain operational resilience.
  • Increased third party-caused disruptions and reputational damage. According to a recent KPMG survey, 72 percent of FI respondents reported experiencing significant disruption, monetary loss or reputational damage because of a third-party incident within the last three years.[3] One such incident was the hack of a software vendor, which took down a dependent system.
  • Limited resources. With the economic uncertainty, many FIs are reducing spending on TPRM programmes. While TPRM's remit is expanding, FIs still lack the depth and breadth of TPRM capabilities needed to manage effectively the significant challenges they face.
  • Expanded universe of third-party risks. The third-party risk landscape has become increasingly complex, confronting FIs with new risks.[4] In particular, cyber security has become a crucial area for TPRM, as data breaches at third parties increasingly compromise FI data. TPRM has also evolved from focusing solely on the immediate contracting party to a more expansive view that includes Nth parties (the providers and subcontractors behind the contracting party), the better to identify sanctions exposure and concentration risk. Additionally, FIs are increasingly challenged to integrate ESG risks into their TPRM frameworks as sustainability becomes an overarching goal globally.

Opportunities to drive effectiveness and efficiency

As FIs grapple with increased regulatory scrutiny, expanding third-party networks, a complex risk landscape and reputational threats, all with limited budget and resources, driving effectiveness and efficiency should be a priority on FIs' TPRM agenda.

Stages of the Risk Management Lifecycle

Figure: the lifecycle of a third-party service relationship typically includes planning, due diligence and selection of a service provider, contracting, ongoing monitoring, and termination. Source: Federal Reserve Board, FDIC and OCC.

The lifecycle of a third-party service relationship typically includes planning, due diligence and selection of a service provider, contracting, ongoing monitoring, and termination.[6] With the rise of emerging technologies, there are opportunities for FIs to innovate how they manage third-party risks and reduce the cost of compliance:

  • Data synchronisation across various systems. One of the typical challenges faced by many FIs is data silos. Each business unit uses its preferred tools, leading to manual effort to gather isolated islands of information for decision-making. Implementing a unified third-party onboarding platform that automatically aggregates data across the third-party ecosystem allows different teams to collaborate seamlessly and enables faster decision-making.
  • Automate a risk-based workflow. A risk-based approach tailors TPRM effort to the risk level of each third party, concentrating compliance resources on critical, high-risk third parties. Automating a risk-based workflow allows organisations to significantly decrease process time while increasing the volume of assessments.
  • Screening beyond sanctions and corruption risks. As the third-party risk universe expands, the traditional screening solution that focuses solely on financial crime, sanctions and corruption no longer meets the need for effective and efficient TPRM. Screening solutions that cover emerging risk areas help FIs broaden their risk coverage efficiently and enable a more consistent approach to risk identification and assessment.
  • Continuous monitoring and dynamic risk scoring. Rather than re-assessing each third party only at a fixed periodic review, continuous monitoring feeds changes in a third party's situation into a risk score that is updated throughout the TPRM lifecycle. A score that reflects the third party's current state, not its state at the last review, can reduce the volume of scheduled reviews and trigger mitigation sooner.
  • Leverage innovation from your enhanced due diligence provider. Nowadays many due diligence providers are utilising new technologies (e.g., AI) to enable faster delivery of due diligence, with broader coverage of jurisdictional expertise than FIs have in-house. Additionally, next-gen providers can deliver machine-readable risk data that can be fed directly into FIs' systems, reducing manual effort by in-house analysts.
  • Mapping of Nth parties. The increased use of third-party technologies in FIs has increased exposure to concentration and operational risk, as many technology providers in the sector share the same underlying technology and data infrastructure. FIs should therefore have appropriate controls for critical Nth parties to strengthen operational resilience.[7] Supply-chain mapping capabilities give better visibility of the vendor landscape at scale and surface shared dependencies and single points of failure faster and more accurately.
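The risk-based workflow, dynamic scoring and Nth-party mapping points above describe the technique only in outline. The Python sketch below is an added example, not code from the article or from LSE Group; the vendor names, services, criticality tiers, dependency links and review-interval thresholds are all constructed assumptions. It walks each direct third party's upstream dependencies, inverts that map to find providers that several critical services share without any contract naming them, and tightens the review cadence of any third party that sits on such a concentration.

```python
"""Nth-party mapping and concentration check over a constructed vendor graph.

Added example, not from the article. All names, tiers, links and thresholds
are hypothetical sample data.
"""
from __future__ import annotations

from collections import deque

# Constructed sample data: each direct third party, the FI service it supports,
# how critical that service is (1 = highest), and the providers it relies on.
THIRD_PARTIES: dict[str, dict] = {
    "PayCo":     {"service": "card payments",        "criticality": 1, "depends_on": ["CloudA", "KYCData"]},
    "LoanTech":  {"service": "loan origination",     "criticality": 1, "depends_on": ["CloudA"]},
    "ChatBotCo": {"service": "customer chat",        "criticality": 3, "depends_on": ["CloudB", "LLMAPI"]},
    "ReportCo":  {"service": "regulatory reporting", "criticality": 2, "depends_on": ["CloudA", "DataFeed"]},
}

# Constructed Nth-party layer: what the third parties' own providers rely on.
NTH_PARTIES: dict[str, list[str]] = {
    "CloudA":   ["DNSProv"],
    "CloudB":   ["DNSProv"],
    "KYCData":  ["CloudA"],
    "LLMAPI":   ["CloudB"],
    "DataFeed": [],
    "DNSProv":  [],
}

CRITICAL_MAX_TIER = 2  # assumption: tiers 1 and 2 count as critical activities


def upstream(vendor: str) -> dict[str, int]:
    """Breadth-first walk from a direct third party through the Nth-party layer.

    Returns {provider: depth}; depth 1 is a fourth party, depth 2 a fifth party,
    and so on. Because the walk is breadth-first, each provider is recorded at
    its shortest distance, and the visited check also guards against cycles.
    """
    depths: dict[str, int] = {}
    queue = deque((p, 1) for p in THIRD_PARTIES[vendor]["depends_on"])
    while queue:
        provider, depth = queue.popleft()
        if provider in depths:
            continue
        depths[provider] = depth
        for nxt in NTH_PARTIES.get(provider, []):
            if nxt not in depths:
                queue.append((nxt, depth + 1))
    return depths


def critical_concentrations(min_services: int = 2) -> dict[str, list[str]]:
    """Invert the map: which critical FI services end up relying on each provider?

    A provider reached by several critical services, directly or through
    intermediaries, is a concentration risk even when no contract names it.
    Only services at or above CRITICAL_MAX_TIER are counted.
    """
    reach: dict[str, set[str]] = {}
    for name, info in THIRD_PARTIES.items():
        if info["criticality"] > CRITICAL_MAX_TIER:
            continue
        for provider in upstream(name):
            reach.setdefault(provider, set()).add(info["service"])
    return {p: sorted(s) for p, s in reach.items() if len(s) >= min_services}


def review_cadence_days(vendor: str) -> int:
    """Risk-based review interval (assumed thresholds).

    Tier 1 vendors get a 90-day cycle, tier 2 180 days, everything else 365.
    A vendor whose upstream chain touches a concentrated provider is pulled to
    half its interval (never below 90 days) so the shared dependency is
    re-examined sooner than its own tier alone would require.
    """
    base = {1: 90, 2: 180}.get(THIRD_PARTIES[vendor]["criticality"], 365)
    if set(upstream(vendor)) & set(critical_concentrations()):
        base = max(90, base // 2)
    return base


if __name__ == "__main__":
    for name in THIRD_PARTIES:
        print(f"{name}: upstream={upstream(name)} review every {review_cadence_days(name)} days")
    for provider, services in critical_concentrations().items():
        print(f"concentration: {provider} underpins {', '.join(services)}")
```

Run as a script it prints each vendor's upstream chain and review interval, then the concentrations. The point worth noting in the sample data is DNSProv: it appears in no direct contract, yet it sits beneath every critical service through CloudA and CloudB, which is exactly the kind of shared dependency Nth-party mapping exists to surface. In practice the two dictionaries would be populated from onboarding questionnaires, SOC reports and supplier disclosures rather than typed in by hand.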

As FIs become increasingly reliant on third-party technologies in an evolving risk landscape, driving effectiveness and efficiency in TPRM is critical. There are substantial benefits to be gained from embracing the innovation made possible by new technologies: greater breadth of risk insight, greater depth in the most critical areas, and less manual effort.


1. Bank for International Settlements, Newsletter on third- and fourth-party risk management and concentration risk (bis.org)
2. FDIC Financial Institution Letter (2023), https://www.fdic.gov/news/financial-institution-letters/2023/fil23029.html
3. KPMG, TPRM challenges continue for financial services institutions (kpmg.com)
4. Federal Register, Interagency Guidance on Third-Party Relationships: Risk Management
5. KPMG, ESG risks in banks (kpmg.com)
6. Federal Register, Interagency Guidance on Third-Party Relationships: Risk Management (as [4])
7. Bank for International Settlements, Newsletter on third- and fourth-party risk management and concentration risk (bis.org) (as [1])


Copyright © 2023 London Stock Exchange Group. All rights reserved.