It is no secret that the US Office of the Comptroller of the Currency (OCC) has stepped up efforts around how banks oversee third-party risk and are cracking down on firms that cannot demonstrate cohesive and effective end-to-end management of their suppliers, especially around critical processing.
It has been a theme for years – and yet many are still unprepared and continue to grapple with their third-party risk controls. This begs the questions of why this is the case and what are the next steps to resolve these long-outstanding issues to avoid regulatory ire and actual risk events.
Banks of all sizes are exposed to significant third-party risks and ensuring they are well placed to manage them is woven throughout the OCC’s FY 2024 Bank Supervision Operating Plan, as well as plans for other regulatory bodies.1 With this in mind, all banks need to have a solid understanding of what they should be monitoring for, what agencies they need to worry about, as well as the nuances of the rules and how those affect their particular set of businesses. In today’s world, risk related standards, rules, regulations, and best practices are constantly changing and require significant, real-time maintenance to keep up.
The costs of getting it wrong can be high both in terms of financial and reputational costs. For instance, following an OCC examination in July 2023, American Express was fined a $15 million civil penalty for failing to properly govern and oversee a third-party affiliate.2 Additionally, Matters Requiring Attention (MRA) are not uncommon and the cost of addressing one can be substantial, potentially impacting the banks reputation and financial stability.
Another point not to be overlooked is that an actual risk event has no upward bound in terms of costs and can have significant and lasting implications depending on the type and severity.
Every scenario presents its unique challenges, and while each bank is progressing through a different phase of solution development, a number of common issues often emerge:
In some instances, the operating model itself may also contribute to, or be the root cause of many of the third-party risk control issues. If the underlying model is flawed, efforts to improve TPRM will likely fall short of expectations.
Systems. Many banks continue to use an eclectic mélange of systems, offline tools, and manual interventions that may prove inadequate in the eyes of regulators. Internally, the results of these jumbled approaches are a pointedly fractured ownership over the end-to-end process, siloed risk domains, complex and manual procedures, a heightened risk of error, and painful ‘temporary’ workarounds.
Stakeholders. It takes a village to effectively manage third parties and getting everyone onto the same page is not as easy as it might sound. Activities are broadly split across procurement/sourcing, vendor management, and third-party risk, all of which need to work efficiently together. Unfortunately, they regularly operate in isolation following a fairly linear assembly line process where each step is unceremoniously thrown over the fence to the next team. They also tend to own their own procedure documents and manage updates in at least a partial vacuum. This tends to produce competing priorities and process gaps where critical steps are missed and issues are only caught after the fact when it is more difficult to resolve.
Non-critical Vendor Management. Despite the OCC’s focus on critical processing, a common weak point sits with non-critical vendors. They generally don’t get the same level of urgency during ongoing monitoring activities but still pose risks to the bank. An important tenant of managing third parties is understanding changing risks over time, so the periodic re-reviews certainly play an outsized role. However, some of these non-critical third parties could still have negative impacts if they fail to deliver or suffer a risk event themselves. Actively managing non-critical vendors between assessments with real-time alerts, reviewing/maintaining nth party relationships, and understanding their connectivity across the organization and its other external parties is extremely important given the typical numerical bias of non-critical to critical third parties.
Further considerations are also warranted when third parties (both critical and non-critical) are on global contracts operating in a number of different jurisdictions where the US division only utilizes some of the services and may not be the primary consumer. Monitoring across global relationships requires coordinating between various business groups as well as managing and communicating alerts or issues at a parent level to all concerned parties.
Reporting. It’s one thing to capture the information, but being able to look at the firm’s holistic exposure to third parties through reporting is something else entirely. Capturing data across multiple systems and tools not only creates a reconciliation/mapping headache, but also limits the ability for risk managers to effectively assess risk. For instance, evaluating nth party exposure across the universe of third parties could prove impossible if linkages aren’t established in a single, extractable location.
Additionally, downstream/upstream considerations also need to be addressed. Third-party data often flows down to other non-TPRM areas or up into a consolidated view across multiple lines of business. As a result, it needs to have a common understanding (e.g., terminology) for everyone and align with how it is used by other systems or teams.
Operational Resilience. There is heightened scrutiny around operational resilience, especially when it comes to third-party engagements. Banks increasingly rely on third-party vendors to support their core and critical operations; however, this dependency has introduced an increasingly complex web of challenges, necessitating a robust framework for third-party operational resilience covering contracting, contingency & exit planning, and resilience testing to name a few.
The good news is there have been many recent advancements in this area with numerous possible TPRM solutions that handle all, or most of the supplier lifecycle (and others with active alert monitoring). For example, ‘low code’ or ‘configuration’ solutions, when properly applied, offer lighter development requirements, faster implementation/release cycles, more control over the ongoing maintenance or updates, and could reduce the number of online and offline systems required to administer a comprehensive third-party management program. Specifically addressing operational resilience, the right system can support the adoption of best practices to bolster these capabilities, ensuring the continuity and reliability of the financial institution.
Ultimately, banks need to progress to the point where they do not have one team and one system owning the onboarding process, another team and system owning risk management, and additional teams/systems owning other individual parts of the process. The goal should be to consolidate a series of disparate online and offline tools into fewer or even a single flexible TPRM solution that removes unnecessary manual tasks, eases communication channels with suppliers, and bolsters reporting and insight gathering while enhancing the banks overall risk controls.
Partnering with Capco who has a deep understanding of third-party risk management, regulatory frameworks, system selection/implementation, and program governance can fast-track a banks’ response and deliver superior outcomes in contrast to going it alone. Contact us to find out more.
A version of this article was published by ABA Banking Journal. Click here to read.
REFERENCES
1 https://www.occ.gov/news-issuances/news-releases/2023/nr-occ-2023-109a.pdf
2 https://www.occ.treas.gov/news-issuances/news-releases/2023/nr-occ-2023 78.html#:~:text=WASHINGTON%E2%80%94The%20Office%20of%20the,efforts%20to%20retain%20small%20business
