The Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and other regulatory agencies are increasingly scrutinising 3rd party risk management. The agencies are demonstrating a lower tolerance for insufficient programs to control and manage critical risk areas by increasing the penalties for program deficiencies.

The European Banking Authority (EBA) requires firms to demonstrate by the end of 2021[1] that they have effective controls in place to monitor the outsourcing of critical operating functions —including sub-outsourcing and the location of critical services. The Bank of England (BoE), Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) policy statements on operational resilience have also just been released in March 2021.[2]

There is a growing need for firms to adopt more robust and effective 3rd party risk management programs. That can help institutions better identify potential threats, as well as develop the controls needed to reduce the chances of being penalized later.

Here is a rundown of the key issues firms should be thinking about when assessing outsourcing risk.

1. Front-to-back risk management

To have a complete understanding of the risks associated with any outsourcing arrangements, risk managers need to have visibility across an entire organization. That means mapping out from front-to-back how critical business functions are delivered and how outsourced arrangements fit into that. Risk managers need to understand which individual senior manager is responsible for a particular outsourced activity, what they are doing to mitigate outsourcing risk and how they are documenting that to maintain a proper audit trail evidencing sound risk management.

EBA guidelines on outsourcing arrangements state that as part of the overall internal control framework, firms should have a ‘holistic institution-wide risk management framework extending across all business lines and internal units’[3].

That also extends to how firms offboard vendors or systems that are no longer in use. Morgan Stanley, for instance, was hit with a $60 million fine last year from the OCC[4] for failing to properly oversee the decommissioning process of two of its wealth management business data centers in the US. In part that was because it failed to adequately assess the risk of subcontracting that decommissioning work.

“Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk,” said Andrew Smith, director of the Federal Trade Commission (FTC) Bureau of Consumer Protection. “If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”

The FCA and PRA fined one UK bank almost £1.9 million for failing to manage its outsourcing arrangements properly.[5]

2. Operational resilience

Increased regulatory focus on operational resilience means firms have to understand the risks that outsourced service providers could pose to their operations if something went wrong. That could be anything from a 3rd party suffering a software systems outage to being unable to fulfil contractual obligations. For instance, country and wider political risks could lead to outsourced call center operations suffering from insufficient staff to handle customer calls.

Firms need to be wary of concentration risk among outsourced service providers, partly because of the systemic risks to the wider financial system, but also because it can reduce an individual firm’s ability to assert sufficient control over that service provider[6]. Additionally, firms need to better prevent, adapt, respond to, recover and learn from operational disruptions to ensure business continuity.

Regulators expect firms to have adequate control measures in place to mitigate the risk of such disruptions in order to maintain operational resilience and to limit the impact on customers.

The BoE, FCA and PRA in March 2021 finalised their policies on operational resilience, which are largely aligned. The Basel Committee on Banking Supervision also in March issued its principles for operational resilience to ensure banks are able to absorb shocks from operational risks such as pandemics, cyber incidents, tech failures or natural disasters.[7]

3. Conflicts of interest

Firms need to carry out a thorough risk assessment of any potential conflicts of interest before engaging with a new outsourcing provider, and then continually monitor that risk should any circumstances change while the services are being provided.

In the US, the Department of Justice directs prosecutors to examine whether firms are carrying out proper due diligence when onboarding 3rd parties, including whether a 3rd party has any relationships with foreign officials. Other checks firms need to carry out on service providers include checks against sanctions and embargo lists.

4. Scenario analysis

Firms must conduct detailed risk assessments that include scenarios of potential events that could severely impact their operations, whether that is caused by processes, systems, people or external events.

For instance, the cargo ship that was stuck in the Suez Canal had a huge impact on global supply chains. This both underscores the need to imagine and plan for unexpected events, and highlights the need to identify potential bottlenecks in systems and processes that could have serious knock-on effects if something caused a blockage.

Another scenario firms need to consider is 4th party risk. If a 3rd party provider is reliant on other suppliers or vendors to deliver services, how reliable is that 4th party and what measures does the 3rd party provider have in place to manage those risks? Where appropriate, financial institutions should ensure contracts with 3rd parties prevent them subcontracting critical services to a 4th party unless approved to do so.

It will be important to build operational resilience and safeguard business continuity through forward-looking scenario analysis informed by data-driven risk intelligence through networked insights and regulatory and event-driven horizon scanning.

The PRA expects firms to have identified their important business services and impact tolerances by March 31 2022.[8] “In order to achieve this, and to identify any vulnerabilities in their operational resilience, firms should have mapped their important business services and commenced a program of scenario testing,” the PRA said.

5. Don’t be reactive

Regulatory scrutiny around outsourcing is only likely to intensify as business models become increasingly dependent on 3rd party providers, be it fintech, regtech or other types of outsourcing activities. To that end, firms need to ensure that 3rd party risk management is forward-looking rather than reactive. And when choosing an outsourcing partner, firms should not base their decision solely on price. Low-cost providers might seem appealing from a budget perspective, but if that provider has poor compliance standards, it could end up costing more later through fines or reputational damage leading to a permanent loss of business.

Acin’s unique data-driven network insights can enable you to see how your control designs compare to your peers in similar scenarios, helping you better assess your risk tolerance and your risk appetite. Learn more about how Acin can help you enhance your outsourcing risk management: [email protected]


[1] (page 22)
[3] (page 33)
[6] (page 31)



Published: 14 July 2021
