Attention turns to critical third parties and third-party risks
Outsourcing is a valuable and convenient way for firms to access specialist skills and services. Across all industries, critical third parties (CTPs) are essential to the smooth running of their clients’ day-to-day operations, from payroll to supply chain continuity. These integral third-party relationships come with a range of associated risks, however – as has been highlighted by recent global events.
The pandemic and the war in Ukraine are likely to have exposed some firms to risks they have not even considered yet, including those posed by arrangements with CTPs in sanctioned nation states or former CTPs who still have access to their sensitive data and internal platforms. For the financial sector, these risks could have far-reaching implications.
US financial regulators join forces
Financial regulators around the world have therefore renewed their focus on the third-party due diligence of financial services firms, especially in terms of their operational resilience.
In the US, as in the UK and the EU, regulators have been busy reviewing the rule books to target outsourcing arrangements and reflect changing practices. In 2021, the publication of “Proposed Interagency Guidance on Third-Party Relationships: Risk Management” marked a rare joint effort from the major US financial regulators (the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Comptroller of the Currency).
If the Guidance moves beyond the proposal stage, it will apply to “any business arrangement between a banking organization and another entity, by contract or otherwise.” This framing is deliberately broad, but the aims are clear:
1. Risk-based due diligence is key to safeguarding the sector
The US authorities share the EU and UK regulators’ concerns about the financial sector’s operational resilience.
Not all risk is created equal, so the Guidance places particular emphasis on the due diligence processes applied to CTPs.
2. Contracts: Pay attention to the small print
The Guidance describes in detail the factors firms should consider when negotiating their third-party contracts, including jurisdictional issues in agreements made with organisations not subject to US law.
The security of data that has to be shared across international borders is singled out as an area where firms will need to be particularly cautious.
3. The watchtower must be operational at all times
The US agencies urge continuous monitoring and assessment of all third-party relationships, and urge firms to entrust this task to those with “expertise, authority and accountability”.
Because of the time and resources this requires, many firms will need to bolster their existing compliance and monitoring with specialist third-party risk management (TPRM) services.
4. A terminated agreement is not (necessarily) at an end
Even when an agreement with a third party is terminated, the US regulators want to make sure that firms are not too quick to sever ties.
Beyond changing passwords and restricting access to various data sets, firms also need to consider whether they have (for example) joint intellectual property rights that will need to be disentangled. This process could go on for some time after an agreement is formally at an end, and so will likely require ongoing TPRM.
Whether you’re operating in the US or not, the Guidance provides a fascinating insight into the way regulators in most markets are thinking and what their major concerns are. It has points in common, for example, with forthcoming changes to the UK regulations and with the EU’s recently unveiled Digital Operational Resilience Act.
Adopting the Guidance’s recommendation that continuous third-party monitoring be undertaken with “expertise, authority and accountability” should therefore take your organisation a long way towards regulatory compliance in most jurisdictions.