Spotlight on
Third-Party Risk Management
June 9, 2023
Third-Party Risk Management (“TPRM”) is the process of managing risks associated with engaging in business and strategic arrangements with external parties (e.g., vendors, technology partners, banking partners, etc.) to perform business activities in support of the business’ own operations or business strategy.
Why are TPRM frameworks important for financial services?
Failure to establish a TPRM framework may result in financial losses, reputational damage, regulatory actions, legal liabilities, operational disruptions, and increased regulatory scrutiny. These outcomes can harm the financial services firm’s economic stability, user trust, operational capabilities, and regulatory compliance. Establishing an effective TPRM framework mitigates these risks and supports the exchange's success, sustainability, and growth.
- Risk Mitigation: Review and assess risks based on the KYC information collected from third-party vendors such as custodians, wallet providers, payment processors, and compliance vendors.
- Information Security Compliance: Evaluate third-party vendors' security practices and compliance standards.
- Business Continuity Plan: Assess third-party vendors' resilience and business continuity capabilities to minimize downtime and maintain uninterrupted operations.
- Regulatory Compliance: Evaluate the compliance practices of third-party vendors and ensure they maintain a robust compliance function.
- Reputation & Trust: Demonstrate commitment to security, compliance, and risk management.
- Scalability & Growth: Provide a structured approach to managing third-party relationships and their associated risks.
A birds-eye view of a TPRM framework for financial services
The critical elements of a TPRM framework should include a comprehensive risk-based approach to managing third-party vendors throughout their lifecycle.
1. Initial Third-Party Engagement
Initial Third-Party Engagement refers to the first business interaction with a third-party vendor, in which the expectations, rights, and responsibilities of both parties are established. Guidance is designed to assist the business team in collecting critical information about the third-party vendor’s business and risk profile, and in raising any issues or concerns with Compliance at an early stage.
2. Third-Party Due Diligence
Third-Party Due Diligence is crucial for collecting the information needed to assess the potential risks of onboarding a third-party vendor. The due diligence process includes completing a third-party questionnaire, reviewing relevant documentation, interviewing key stakeholders, and, if necessary, performing on-site visits. An escalation mechanism must be established for vendors presenting a higher risk of money laundering and terrorist financing.
3. Third-Party Risk Assessment and Selection
The Third-Party Risk Assessment provides a holistic view of the risks and internal controls necessary for effective risk management. Factors to consider include:
- strategies & goals;
- legal & regulatory compliance;
- financial condition;
- business experience;
- qualifications;
- risk management;
- information security;
- information systems;
- operational resilience;
- incident reporting & management processes;
- physical security;
- reliance on subcontractors;
- insurance coverage; and
- contractual arrangements with other parties.
The financial services firm must ensure that the risk criticality of the third-party relationship falls within its risk appetite.
4. Contracting
The contracting phase involves drafting and negotiating contracts and service level agreements (“SLAs”) with third-party vendors. Key elements to consider in the contracting phase include data protection and privacy requirements, compliance with relevant laws and regulations, intellectual property rights, termination clauses, and dispute resolution mechanisms.
5. Ongoing Monitoring
Ongoing monitoring must be dynamic so that the third-party risk assessment remains up to date. The third-party vendor’s risk profile may change as a result of periodic due diligence, trigger-event reviews, QA testing, and monitoring of the agreed SLAs. An effective ongoing monitoring framework and governance oversight enable timely identification and escalation of potential risks, and remediation actions to mitigate potential adverse impacts.
6. Termination/Offboarding
Termination/Offboarding is the formal process for terminating or offboarding a third-party vendor. Key factors are defining an exit management strategy, preventing leakage of sensitive data, and ensuring a seamless transition to an alternative third-party vendor. This phase should involve key stakeholders from compliance, legal, operations, product, and data security to formally close out any outstanding issues.
Common Mistakes When Designing a TPRM Framework
When developing a TPRM program for financial services, it is crucial to avoid specific mistakes given the distinctive characteristics and risks inherent in the financial industry. The following are examples of mistakes a financial services firm may make when designing a TPRM program:
- No SME experience;
- Lack of technical knowledge of technology vendors;
- Lack of accountability, controls, and metrics;
- Lack of documentation and reporting;
- Lack of independent review;
- Inadequate training and awareness; and
- Insufficient oversight and ongoing monitoring.
Avoiding these mistakes and adopting a TPRM framework tailored to the specific risks of the financial industry will reduce overhead costs, increase operational efficiency, and help prevent regulatory fines and actions in the future.
AUTHORS
Ivan Chan,
Manager, StrategyBRIX
Derek Cheng
Senior Associate, StrategyBRIX
We've got you covered!
StrategyBRIX excels in this space, possessing the experience and expertise to help fintechs navigate these types of problems. The team has decades of combined experience within the compliance space assisting fintechs and other financial institutions to undergo large transformations of their compliance programs. Feel free to reach out to see how we can help.