TPCRM
September 9, 2024

Third-party risk management in finances and banking: a look at current challenges and guidance

As many industries have found, technology vendors can improve both the quality of internal processes and the services or products a company offers, often while reducing costs. Financial institutions, however, operate under stricter regulations and market expectations than most, so it is not as easy for them to adopt vendors at the same pace as everybody else.

That is not without good reason: banks and other financial institutions play a critical role in the stability of society as a whole. Trustworthy payment channels, coupled with strong protections against money laundering and fraud, keep the economy dynamic and competitive. Consumers, for their part, expect their funds to be secure and available, and vendors that want to be part of this system need to offer similar assurances.

At the same time, fintech startups are pushing the envelope in financial services with new, innovative offerings. Some do not hesitate to accelerate their growth by relying on vendors, even if it means accepting some risk, and regulators have been taking notice as these companies grow larger.

The unavoidable challenge, then, is making sure that vendors work in accordance with the standards you need, or, better yet, collaborating with your vendors so they can keep working with you as regulations change. Furthermore, many vendors will require some level of connectivity to your corporate network or access to your data, which is why third-party cyber risk management (TPCRM) programs are critically important.

An overview of the issues

Let’s take a brief look at the major issues related to TPCRM in the financial and banking sector. They are:

  1. Ensuring vendors have the appropriate security measures in place according to the role they have in the business
  2. Managing risks associated with services offered through partnerships (also called Banking-as-a-Service, or BaaS)
  3. Properly accounting for emerging risks from shared infrastructure and cloud adoption

Ensuring that vendors have appropriate cybersecurity measures in place is the core of third-party cyber risk management. Attackers have learned that a vendor can be an entry point to a more valuable target, so every business must make sure its vendors are on the same page when it comes to cybersecurity, with a level of scrutiny that matches the access and data each vendor actually has.

This is a broad subject for a blog post, but the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released a thorough document in 2023, the Interagency Guidance on Third-Party Relationships: Risk Management, with guidance for all kinds of third-party relationships (68-page PDF). It covers the entire life cycle of a relationship, from planning and due diligence through contract negotiation, ongoing monitoring, and termination.

The next issue, managing risks associated with services offered through partnerships, has also become an important topic for regulators. These arrangements allow banks to expand their services and reach a wider range of customers, and they let fintechs avoid building their own banking infrastructure, which banks understandably see as a positive outcome. Naturally, such arrangements are becoming more widespread.

In the United States, the Federal Reserve, the FDIC, and the OCC have also worked together on this issue. In late July 2024, the agencies released a joint statement (PDF) on “Arrangements with Third Parties to Deliver Bank Deposit Products and Services.”

The statement warns banks that a partner “may be incentivized to promote growth in a manner that is not aligned with the bank’s regulatory obligations,” and that “multiple levels of third-party and subcontractor relationships, where the bank does not have direct contracts […] may pose challenges to the bank’s ability to identify, assess, monitor, and control various risks.”

Finally, the challenge of cloud adoption reflects the complexity of the IT infrastructure that already exists. Through credit cards and online payments, financial institutions underpin nearly every other business currently thriving on the web. Unsurprisingly, many systems have been built and provisioned over the years to make this possible, and moving all of that infrastructure at once isn’t easy.

Cloud services don’t always offer an exact counterpart to what businesses already run, or a 1:1 migration isn’t economical. Regulators also worry that cloud adoption increases systemic risk: it could lead to a scenario where just a few providers are responsible for the entirety of a country’s (or even the world’s) financial channels, so an outage or compromise at one of them would affect many institutions at once.

The European Central Bank (ECB) released a draft guide in June 2024 on “outsourcing cloud services to cloud service providers.” Among many other things, it advises banks to be mindful of concentration risk and vendor lock-in.

In the United States, the Department of the Treasury is working with the Financial Services Sector Coordinating Council (FSSCC) on a series of guides, the first of which is “Cloud Outsourcing Issues and Considerations.” The document notes that individual financial institutions may not have enough bargaining power to obtain special contractual clauses from cloud service providers and offers mitigation strategies.

The liability question

Regulators are consistent on this point: a financial institution can be held liable for problems that arise at its partners or service providers. In a series of slides, the FDIC goes even further, stating that “the board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships as if the activity were handled within the institution.”

While it is still possible that regulations develop in a different direction, allowing more flexibility to share liabilities and thus shifting some of the burden to vendors, financial institutions cannot avoid managing third-party risks if they want to remain competitive, relevant, and efficient. Contracts or other written guarantees are not enough on their own: they assign responsibility but do not verify that controls are actually in place, especially when vendors have subcontractors and a complex environment of their own.

The solution is to work with partners and verify, not merely require, a consistent security posture across your entire environment, including the subcontractors your vendors bring with them.

Where to go from here?

A solid financial system is critical to all economic activities. Banks can play an active role in shaping the upcoming regulations for relationships with third parties and should strive to do so.

Some of the agencies cited here regularly publish drafts of their documents for public consultation. Dealing with regulation is always challenging, but the reward for designing and adhering to effective rules is a better security environment for the whole industry. That is why it is important to contribute when the opportunity presents itself.

Aside from that, maintaining a robust third-party cyber risk management program is a must, as many regulators have already made clear. Everything the business learns through this program will inform future decisions, not only for IT but for the business as a whole, and make things safer in the long run.