December 14th, 2020 • Kimberley Allan • Reading Time: 6 minutes

There’s little debate that 2020 has been a rather unique year. While many businesses stalled or slowed down as they sought to navigate through the challenges presented, the regulators did not. Indeed, the pandemic exposed or exacerbated many of the weaknesses in third-party relationships and operational resilience that regulators had long been highlighting as concerns.

Regulatory guidance published in 2020 has only added to the rising tide of regulatory expectation for financial service firms. This has included a number of documents that have either focused on, or included some significant reference to, how firms manage their third and fourth-party ecosystems.

Much has happened in the seven years since the US Office of the Comptroller of the Currency (OCC) published its call to action for financial services firms about the third parties they work with in the form of OCC Bulletin 2013-29. The OCC has since issued supplementary guidance on Examinations Procedures for Third Party Relationships and answered questions to help firms better understand the expectations they have for program management. Meanwhile, multiple regulators around the globe have worked on their own third-party risk management and outsourcing rules and guidance. The topic of operational resilience has also gained prominence among regulators, and it is already having a significant impact on third-party risk management.

In contrast to regulatory expectations, many firms still struggle with programs that have been slow to mature. Programs that are hindered by lack of budget, insufficient resources, manual processes, and outmoded technology or in-house built systems that are inflexible and quickly outdated.

Most of these firms will struggle to keep pace with the volume and velocity of regulatory change and increased expectations around managing third-party and fourth-party risk. As you combine this heightened expectation from the regulators with the operational complexity of third-party management, it becomes clear that better automation – from the way data is gathered to AI decision-making support – is now forming an essential part of how a firm should approach its program management.

Ramping up regulatory change

A variety of documents have been published by international bodies and national regulators over the past 18 months that encompass third-party risk management. And the financial services industry can expect no let-up here. These documents can be roughly divided into three groups. The first are documents that explicitly focus on outsourcing and, in more advanced forms, on third-party risk management. The second include broader corporate compliance expectations, but encompass third-party management as a key component piece. The third set of documents cover operational resilience, and regulators take great pains to point out that third-party risk management plays a significant role in this area, too.

Outsourcing and Third-Party Risk Management

Historically, regulatory concerns have focused on cybersecurity, data privacy, and IT failures due to poor change management within outsourcing relationships. Today, those concerns are expanding well beyond technology to encompass a wide range of risks – a trend only intensified by the Covid-19 pandemic. Recent materials published include:

• Financial Stability Board’s Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships – This new discussion paper, published in early November 2020, is important because it was published after the Covid-19 pandemic had started, and it takes the impact of the pandemic on third-party relationships into account in substantive ways. The paper suggests that regulators might want to replace the term “outsourcing” with “third-party relationships”. It also specifically calls out challenges around the ability of financial firms and regulators to obtain access, audit, and information rights for third parties and in the identification of fourth or nth parties. Overall, the paper provides direction on the future of regulatory thinking, globally, around third-party risk management. Read an overview of the FSB Paper on the Impact of Third Parties and Outsourcing.
• IOSCO’s Principles on Outsourcing – This consultation report, published in May 2020 by the International Organization of Securities Commissions (IOSCO), came out slightly earlier in the pandemic. It expands the kinds of financial organizations in scope for compliance with its principles, and notes significant changes in the way financial organizations engage in outsourcing ever since the principles were last revised, in 2009.
• UK PRA’s Outsourcing and Third-party Risk Management – Published by the UK’s Prudential Regulatory Authority, this consultation paper broadens the nature of the vendor relationships that are in scope and says that prescribed responsibilities under the Senior Managers and Certification Regime (SMCR) for outsourcing should be allocated to the Chief Operations senior manager function. This means that the COO position would have personal accountability for third-party risk management within the firm.
• ESMA’s Draft Guidelines on Outsourcing to Cloud Providers – The European Securities Markets Authority published these proposed guidelines in June 2020. The document proposes robust governance requirements for financial firms outsourcing to cloud providers. While regulators understand the advantages of moving to the cloud, they also have concerns about the way relationships are structured, data is held, and technology is implemented. ESMA aims to publish its Final Report on the Guidelines by Q1 2021.
• U.S. SEC’s Office of Compliance Inspections and Examinations’ Cybersecurity and Resiliency Observations – Published in January 2020, this document is more of an overview of best practices around IT for financial services firms, including extensive comments about vendor risk management.
• U.S. FFIEC’s Security in a Cloud Computing Environment – The US’s Federal Financial Institutions Examination Council document, issued in April 2020, doesn’t put any new rules in place, but is instead highlights best practices that regulators would like to see when they examine firms’ relationships with cloud providers.

Corporate Compliance and Third-Party Risk Management

Third-party risk management is an integral part of broader compliance programs. One of the reasons regulators focus so much on third-party risk is that is often a weak point in an organization’s compliance efforts and where failings are more likely to occur. FCPA Compliance is a case in point – the vast majority of enforcement actions involve third-parties (like agents or brokers).  The DOJ recognizes this, and their most recent guidance on corporate compliance programs includes expectations that impact third-party risk management programs and practices.

• U.S. Department of Justice’s Evaluation of Corporate Compliance Programs (updated June 2020) The DOJ issued its updated guidance in June 2020. As well as broader requirements that involve TPRM (such as the regulators’ expectation that the corporation’s compliance program is adequately resourced and empowered), it also includes expectations specific to how the corporation manages third parties. For instance, does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

Operational Resilience and Third-Party Risk Management

With the rise of a much broader range of third-party relationships involved in more and more processes, regulators are keen to ensure that firms apply emerging best practices about operational resilience there, too. Many financial firms are beginning to see the logic in this. In a survey conducted recently by ORIC, an operational risk loss event database for insurers, most firms ranked third-party risk among the top five areas of focus within operational resilience programs. The survey also found that 57% of firms understood the need to develop third-party management further or increase the consistency of its application. Recent regulatory work on operational resilience includes:

• OCC Bulletin 2020-94. Operational Risk: Sound Practices to Strengthen Operational Resilience. This is an intra-agency paper released October 30, 2020, by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC). The paper notes that this isn’t new guidance, but rather a consolidation of existing guidance to help firms address internal and external operational risks that threaten widespread disruption. An entire section of the paper is devoted to guidance on mitigating the potential operational risks associated with third parties. You can read our update on this paper here.
• BCBS’s Principles for Operational Resilience – The Basel Committee on Banking Supervision published a consultation on its principles for operational resilience in August 2020, at the same time it published a paper, Revisions to the principles for the sound management of operational risk. The operational resilience document specifically calls out “third-party dependency management” and makes it clear that it envisions such relationships as an integral part of firms’ approach to operational resilience.
• UK FCA’s Building operational resilience: impact tolerances for important business services –The UK Financial Conduct Authority published this consultation in December 2019. The FCA has been working on its operational resilience framework longer than most other regulators. It calls out the importance of third-party relationships throughout the paper, and specifically talks about outsourcing and cloud computing as well. The next version – which may or may not be the final text – is expected to incorporate feedback firms gave during the Covid-19 pandemic.
• The European Union’s Digital Operational Resilience Act – In September 2020, the EU adopted a whole package of digital measures, including the Digital Operational Resilience Act (DORA). The proposal has a whole section on third-party risk requirements for financial services firms. More controversially, it proposes regulating certain types of data and technology service providers to the financial services industry for operational resilience and other areas.
• US FFIEC’s Interagency Statement on Pandemic Planning – The US’s Federal Financial Institutions Examination Council published this document in the early days of the Covid-19 crisis, in March 2020. This document updated existing guidance on incorporating pandemic planning into business continuity arrangements for financial services firms and includes a specific section on third-party relationships.

Keeping up with the pace

It will be almost impossible for financial services firms to implement the range of approaches these regulatory proposals outline and manage future regulatory change around third-party risk management using manual systems or outdated technology. The direction that regulators are setting is clear – they want financial services firms to put more policies, operational processes, and governance in place around their third-party relationships, as well as to build more operational resilience within those relationships.

To meet this challenge, financial services firms need to think more strategically about their third-party risk management programs, including investment in software to support better automation and AI. Only automation and AI will enable firms to be agile enough to keep pace with regulatory change and mature fast enough to meet expanded regulatory expectations.

Share with Your Friends: