Could a third-party provider be the weak link in your institution’s operations? It’s possible, according to the Office of the Comptroller of the Currency’s (OCC) recently published Semiannual Risk Perspective.
The OCC notes that operational risk remains “elevated” and specifically highlights several instances where third-party relationships are a potential source of operational risk.
First, the agency reminds banks that cyber criminals don’t just go after banks. They also go after their vendors, looking for an alternate way to sneak into a bank’s systems. The key to managing this threat is “understanding connections, system interfaces, and access entitlements” with third parties so that appropriate controls can be introduced to manage and mitigate risk. In short, a bank should limit a vendor’s system and data access to what the vendor needs to perform its duties, and should know which people at the vendor will be given that access.
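As an added example, not part of the OCC report or this post, here is a small Python review of the kind of inventory the paragraph describes: the third-party accounts actually provisioned on a bank’s systems, compared against the access scope and named roster approved for each vendor, plus a dormancy check to support ongoing monitoring. The vendor names, systems, people and approved scopes are constructed sample data; the `review_entitlements` function and its 90-day dormancy threshold are assumptions for illustration, not anything the OCC prescribes.

```python
"""Vendor access entitlement review (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    vendor: str          # third party holding the credential
    person: str          # named individual at the vendor
    system: str          # bank system or interface the account can reach
    access: str          # "read" or "write"
    last_used_days: int  # days since the credential was last used


# Constructed approved scope: per vendor, the systems and access levels it
# needs for its contracted duties, and the roster of people allowed access.
APPROVED_SCOPE = {
    "CoreProcessorCo": {
        "systems": {"core-banking": {"read", "write"}, "gl-reporting": {"read"}},
        "roster": {"a.ng", "b.ortiz"},
    },
    "FraudScreenInc": {
        "systems": {"card-auth-feed": {"read"}},
        "roster": {"c.patel"},
    },
}

# Constructed snapshot of what is provisioned today, with deliberate problems.
PROVISIONED = [
    Entitlement("CoreProcessorCo", "a.ng", "core-banking", "write", 120),    # dormant
    Entitlement("CoreProcessorCo", "b.ortiz", "gl-reporting", "write", 3),   # level too high
    Entitlement("CoreProcessorCo", "d.smith", "core-banking", "read", 1),    # not on roster
    Entitlement("FraudScreenInc", "c.patel", "card-auth-feed", "read", 0),   # fine
    Entitlement("FraudScreenInc", "c.patel", "customer-db", "read", 14),     # outside scope
    Entitlement("UnknownVendorLLC", "e.lee", "core-banking", "read", 7),     # no contract on file
]


def review_entitlements(provisioned, approved, dormant_after_days=90):
    """Return (entitlement, reason) pairs for access that should be questioned.

    One entitlement can produce several findings (e.g. wrong system and
    unknown person), so each check appends independently.
    """
    findings = []
    for e in provisioned:
        scope = approved.get(e.vendor)
        if scope is None:
            # No approved relationship at all: the most serious case.
            findings.append((e, "vendor has no approved scope on file"))
            continue
        allowed = scope["systems"].get(e.system)
        if allowed is None:
            findings.append((e, "system outside approved scope"))
        elif e.access not in allowed:
            findings.append(
                (e, f"access level '{e.access}' exceeds approved {sorted(allowed)}")
            )
        if e.person not in scope["roster"]:
            findings.append((e, "person not on approved roster"))
        if e.last_used_days > dormant_after_days:
            findings.append((e, f"dormant: unused for {e.last_used_days} days"))
    return findings


def findings_by_vendor(findings):
    """Group findings per vendor so each relationship owner gets one list."""
    summary = {}
    for e, reason in findings:
        summary.setdefault(e.vendor, []).append(f"{e.person}@{e.system}: {reason}")
    return summary


if __name__ == "__main__":
    for vendor, items in findings_by_vendor(
        review_entitlements(PROVISIONED, APPROVED_SCOPE)
    ).items():
        print(vendor)
        for item in items:
            print("  -", item)
```

Run against a real export of vendor accounts, the same three questions apply: is the vendor under contract, is each system and access level within what the contract needs, and is each named person still on the vendor’s approved roster. The dormancy check is what turns a one-time due diligence exercise into the regular monitoring the OCC asks for.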
Concentration & Systemic Risk
As the industry contracts, so does the vendor marketplace. This vendor consolidation means that many institutions rely on the same third parties for core systems, operations support, merchant card processing, asset management products and services, and denial-of-service mitigation, among other products and services, the OCC says. This can pose a systemic risk as the failure of one vendor can impact a large number of institutions.
The solution, the OCC says, is appropriate risk management practices.
Fraud & Third-Party Vendors
Financial fraud is on the rise, making effective fraud detection and response programs essential. The OCC notes that this is “especially important” for banks that rely on third-party providers for fraud prevention and detection.
There may be fewer regulatory changes, but compliance management systems (CMSs) still play an important role, the OCC says. For instance, some banks have discovered third-party vendor management issues with the help of “enhanced management attention.” Meanwhile, as with all third-party relationships, banks that outsource compliance need strong due diligence and effective oversight of the vendor. Learn more about compliance risk.
Effective Vendor Risk Management
The solution to all these risks is proper vendor management. Financial institutions need to conduct due diligence to be aware of a third-party vendor’s financial condition, reputation, risk management, information security, resilience, physical security, and incident reporting and management programs. Contracts must address reporting, audits and remediation, data confidentiality, outsourcing and foreign-based third parties, and business resumption and contingency plans to give institutions confidence in a vendor’s strength. Regular monitoring is necessary to understand the vendor’s internal controls. Institutions can maximize the benefit of these steps by implementing an organized and efficient vendor management system.
Don’t enter a third-party relationship blindly. Make sure you have the tools necessary to identify, measure, monitor and control third-party risk. Your operations depend on it.