Securing the Keys to Your Kingdom Involves a Comprehensive Third-Party Risk Management Strategy


By James Yard


Has your financial institution fully evolved its oversight of third parties from traditional brick-and-mortar strategies? Improving cybersecurity is a major priority at the federal level, as vendor and third-party relationships are becoming increasingly connected to the critical infrastructure of financial institutions.

Financial institutions of all sizes continue to use more third parties to support and grow their business. With these complex relationships comes risk that needs to be managed. Third parties can affect your company through business interruptions, costs associated with non-compliance with regulations, and reputational or business risk from data breaches. It is management’s job to assess, manage and monitor these risks. Most organizations are spending more time at the board and senior management level on these risk factors, and involving the expertise of their risk management and internal audit professionals to develop a practical solution for managing the risk.

In late 2013, the Office of the Comptroller of the Currency and the Federal Reserve released updated guidance on managing outsourcing risk, which means banking institutions should prepare now for increased scrutiny of their vendor management programs. This guidance is geared towards banking and financial institutions and provides suggested improvements to current third-party risk management processes. The guidance clarifies and provides more direction in the following areas:

  1. Developing plans to identify risks and detail how third parties will be selected, assessed and monitored.
  2. Performing proper due diligence.
  3. Negotiating written contracts to clearly define responsibilities.
  4. Monitoring third-party activity and performance.
  5. Terminating a relationship if certain criteria are not met by the third party and ensuring a smooth transition to a new third party.
  6. Assigning roles for the oversight and management of third-party relationships and risk management.
  7. Maintaining proper documentation and reporting.
  8. Conducting independent reviews of the risk management process.

Who are your key business partners? What data do you share with them? How sensitive is the data they handle on your behalf? Could a loss of data pose a significant risk to your company? Can they access your systems? What controls are in place at these business partners to protect your data? Are responsibilities and liability for loss defined in your agreements? Are losses insured at adequate levels? These and many more questions should be considered during the evaluation of risk factors facing your institution.

Solutions for the assessment, oversight and monitoring of third parties may vary and should be tailored to the specific risk factors facing your institution. Thoughtful consideration needs to be given to the assessment to ensure it is sustainable for your organization. Schneider Downs has industry-specific experience to advise financial institutions on their third-party risk management programs.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.
