About the author

Sarah Peeling

Sarah joined the company in 2011 as a network manager, covering the Americas and Europe. She was responsible for performing the on-site due diligence visits to local agent banks, as well as managing the sub-custodian monitoring program on behalf of our clients. She has more than 25 years of experience within the global custody industry, having worked for several large custodian banks across operations, client services and network functions. Sarah has been a Regional Head for the European team and is one of the company’s senior network managers. As an Associate Director, Sarah now has an oversight role for the Global Network Management function. She works within Client Relationship Management to ensure efficiencies across the network management process to meet our client deliverables.

Across all industries, critical third parties (CTPs) are essential to the smooth running of their clients’ day-to-day operations, from payroll to supply chain continuity. These integral third-party arrangements come with a range of associated risks, however – as has been highlighted by recent global events.

The pandemic and the war in Ukraine are likely to have exposed some firms to risks they have not even considered yet, including those posed by arrangements with CTPs in sanctioned nation states or former CTPs who still have access to their sensitive data and internal platforms.  

For the financial sector, these risks could have far-reaching implications.  

Post-Brexit reforms and the UK financial sector 

In response, financial regulators around the world have renewed their focus on the third-party due diligence of financial services firms – especially in terms of their operational resilience.  

For the UK, this also means accommodating the requirements of the Financial Services and Markets Bill once it becomes law. Although the main aim of the Bill itself is broad regulatory reform to reflect the UK’s departure from the EU, the UK’s supervisory authorities (the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority) have jointly published a discussion paper looking at what they’ll be able to do with the new powers they’ll enjoy in relation to CTPs. 

The paper proposes a range of measures to, “oversee and strengthen the resilience of services provided by critical third parties.” 

This concern with CTPs is understandable. There are very well-established, large and reputable firms that would be surprised by the scale of the risk they’re exposed to through their CTPs.  

Despite the risks posed by these ‘known unknowns’, and the regulators’ attempts to mitigate against them, some firms continue to fall foul of existing third-party monitoring requirements.

The consequences of ignoring third-party due diligence 

Take, for example, the case of Julius Baer International Ltd (JBIL). In December 2022, the FCA hit the investment and wealth management company with a Final Notice and a fine of more than £18 million.  

The FCA found, among other failures, that JBIL’s third-party risk monitoring policies and procedures were inadequate. As a result, the firm could neither identify potential conflicts of interest, nor could it identify and manage the risks it was exposed to through its third-party intermediaries. 

JBIL’s case highlights not just the consequences of neglecting third-party monitoring, but also the standards to which the supervisory authorities hold firms in the financial sector.  

The regulators recognise that no policy or procedure can completely protect a firm from third-party risk. However, it is equally clear that firms are expected to demonstrate that they are continuously and rigorously monitoring all these relationships. And while that may be a reasonable requirement, it is also a demanding one that – ironically – most firms will be able to meet only with the assistance of a specialist CTP. 

Orbit Diligence

Orbit Diligence

Automate your DDQ and RFI processes for a wide range of use cases, accessing a library of off-the-shelf questionnaires and risk frameworks.
Learn more