By Guglielmo Migliori, Senior Research Executive, CeFPro
Vendor and third-party risk is an increasingly important area of focus for financial institutions. New regulations that change oversight requirements can make compliance a very time-consuming exercise for the industry. The same goes for the adoption of more sophisticated technologies for vendor oversight and data storage: cloud technology is progressing incredibly quickly, and its advantages and opportunities need to be analysed by the industry so that risks can be benchmarked clearly and minimised. Add to this the arrival of new players in the outsourcing field: fourth and fifth parties have grown in importance over the last few months, and financial firms must devote more attention than ever to controlling them successfully.
CeFPro has conducted research among industry experts to collect their thoughts on current trends. Some of the main concerns raised in that research are highlighted below.
Cloud storage may become an even more time-consuming area for financial firms. To properly understand the security and soundness of cloud storage, the services in scope must first be clearly defined. Institutions still need to update their controls so that they know where their data is stored and retain control over who can access and distribute it. Moving data storage to the cloud continues to be an industry trend, which increases concentration risk across the sector: a small number of global providers dominate the market, and as more institutions flock to their services, the question becomes how financial institutions can assure themselves of physical security in a cloud environment, and whether they can retain the right to perform onsite, independent reviews of the control environment.
“We need our existing assurance programmes to give us adequate coverage of every risk presented by cloud service providers. We may encounter some difficulties, because it’s a shared model in many cases. FIs can’t actually gain access to these suppliers.”
“Regulators will probably tighten certain aspects up; European authorities are going to incorporate cloud guidelines into the outsourcing guidelines to harmonise the process.”
One thing that could help financial institutions here is standardisation of which kinds of reports, certifications or attestations of compliance sufficiently cover a firm’s needs, and, given the shared-responsibility model mentioned above, which of the provider’s controls each of them actually covers.
Companies of all sizes will need to address how to better manage their supply chain, looking at fourth and fifth parties and beyond. The industry must develop a standard for the management of the supply chain and subcontractors: how far down the chain oversight should go, and how control requirements can be satisfied for effective oversight. Oversight of and visibility across the supply chain are critical. Managing third parties could prove futile if there are security vulnerabilities further along the chain, and since ownership and accountability still lie with the institution, its oversight remains vital.
“I think it’s really about mapping out the process clearly, to really understand who’s accountable for 4th/5th-party risk management. There’s a way of articulating risks and their mitigation, but is it enough? Another thing, from a supplier point of view, that the FCA are really keen on is testing of exit plans.”
“How should asset managers behave in their oversight performance? Fourth parties are appointed by the third parties they chose, so it would be ideal to compare different firms’ work”.
A broader area of focus than vendor and third-party risk alone is operational resilience. There is an increased need to understand the vulnerabilities of third parties and to bring them into the overall resilience programme. The industry must understand how third-party risk management feeds into operational resilience and should measure its impact consistently. Requirements across regulators are not fully aligned, so firms also need to understand where those requirements differ and incorporate the differences into their operational planning.
“Third-party risk management links to operational resilience and regulatory requirements: it becomes quite challenging to establish comfortable practices here, given the unclear regulatory environment”.
“How do FIs understand risks and how do they mitigate them? If you’re looking at the operational resilience, as defined so far by the regulators, it is clear there’s a major dependency on third parties to ensure full operational resilience”.
“How are vulnerabilities extrapolated? How do FIs bring them into the overall operational resilience programme?”
In conclusion, these are the challenges our research identified as the top priorities for the coming months. To develop solutions for them, the Center for Financial Professionals will be hosting the 4th edition of the Vendor & Third Party Risk Summit, taking place on June 18-19 in London. Please feel free to contact me at firstname.lastname@example.org or +44 (0)20 7164 6582.