compliance support as a single attorney with little or no banking
experience. The range of service provider compliance expertise
and support could be anywhere between these extremes. Another
factor can be bargaining strength. For example, if you want to
join Apple Pay and are negotiating with Apple, you likely have no
bargaining power and will not walk away with strong compliance
controls in that contract. Additionally, depending on the culture
of the service provider, the strength of their relationship with the
institution, and the strength of the contract, communication and
transparency may be open and healthy, difficult, or non-existent.
Whether the third-party’s compliance management system is strong
or weak, and even if there are relationship challenges to overcome,
an integrated and engaged approach can greatly improve the bank’s
opportunity to better understand outsourced risk.
Typical Current State of Third-Party Risk Management
Given the emphasis on understanding third-party risk, banks
have come a long way in their efforts at information collection,
risk assessment, and even testing of third-party processes and
systems. However, this work is usually done in different ways by various stakeholders. The bank’s Procurement Department will (or
should) have standards for what constitutes an approved vendor, such as:
■ Financial condition;
■ Length of time in business;
■ Management;
■ Competition and more.
The line of business that is engaging the service provider will
want to understand the operational risk. Can they do what they
promise? And, what if they can’t?
The bank’s Legal Department will seek to:
■ Protect the institution from liability;
■ Craft contractual rights to audit; and
■ Ensure remedies exist if the third party causes the bank harm.
For technology products and services, the bank’s IT department
will perform its own assessment of:
■ Data security;
■ Vulnerabilities;
■ System performance; and
■ System hardware and software integration.
Much of this upfront due diligence is guided by third-party
risk management policies and procedures. The Third-Party Risk
Management group will typically utilize its own risk assessment
process to qualify doing business with the service provider. While
this process is informed by all the stakeholders’ inputs, much of
the accumulated detailed risk data remains housed in disparate
parts of the organization.
The bank’s Compliance Department is, unfortunately, often
brought in late to discussions about the use of third parties. Compliance officers may be gatekeepers to the final “yes” in the process, but
this often occurs after the business has already made its decision.
Compliance’s contribution to the third-party risk assessment can
be hampered by limited information, and hurried by the business
to merely flag deal-breaker risks before a final go-ahead. The
Compliance risk assessment process too often involves determining what the bank can make do with, or cobbling together information
from across the organization after the third-party relationship
is already up and running. This may rest on many assumptions
until bank personnel have the opportunity to go onsite to the
service provider to test: a grueling second-degree solution to a
third-degree challenge. Fortunately, there is a better way.
Introducing Criticality Ratings
A key concept in risk assessing third parties is criticality. Banking regulators use the term “critical activities” extensively in
their published guidance, setting out the expectation for more
comprehensive and rigorous oversight and management of these
relationships. Only in OCC Bulletin 2013-29, “Risk Management
Guidance,” is this term defined: “…significant bank functions (e.g.,
payments, clearing, settlements, and custody) or significant shared
services (e.g., information technology), or other activities that could
cause a bank to face significant risk if the third party fails to meet
expectations; could have significant customer impacts; require
significant investment in resources to implement the third-party
relationship and manage the risk; or could have a major impact
on bank operations if the bank has to find an alternate third party
or if the outsourced activity has to be brought in-house.”
This provides a start, but still leaves much work for the institution to do to define criticality specifically for itself.
In fact, the regulators expect to see a bank’s methodology for
determining critical activities. A mature Third-Party Risk Management department will have such a methodology documented,
and will have the bank’s third parties stratified according to that
The documented threshold for critical vs. non-critical, however,
is usually just that: a threshold that triggers more stringent risk
management activities. For the Compliance Department, this
binary determination may help to narrow which third parties to
focus on, but it doesn’t provide a determination of the degree of
criticality that can be integrated into the compliance risk assessment to help justify control ratings.
The following rating scale is a recommended methodology for
assessing criticality of third-party reliance for compliance. This
There are two major principles here: even when functions are outsourced, banks fully retain ownership of risk, and banks are expected to understand outsourced operations as well as if they occurred