Organisations today share critical responsibilities with third parties. Therefore, it is imperative to have a fit and proper risk management framework.
Third parties play an important role in the financial services sector. Given the complexity of their operations, organisations are typically unable to provide all required service and business operations themselves on an in-house basis, or at least they may not be able to do so to the high standards that a third party, which is able to concentrate on a small number of services, can provide. With the rapid emergence of new technologies aligned with greater customer expectations, the need for third parties continues to increase. Given the importance placed upon third parties, it is no surprise that they are increasingly relied upon to provide critical components of a financial institution’s range of services. However, with this reliance comes added risk to an organisation, given the shared responsibility for services and transfer of data. As a result, there is an increasing need for oversight and governance of third parties to manage those risks and, where it is deemed appropriate, to mitigate them as far as possible. The risks to organisations of not managing their third parties properly could include a loss of customer data or the inability to process customer payments, amongst many others.
The implications for customers who have placed their trust in any financial institution are significant and the potential harm that could arise from such an incident should not be downplayed. Any organisation affected in such a way should expect significant reputational damage and, where organisations are deemed to have been negligent, supervisory action by regulators. Such incidents do not necessarily follow on from an incident experienced by an organisation’s third parties, but while the possibility exists, a robust third-party risk management function is crucial in managing an organisation’s risk levels. Moreover, the expectations from customers and regulators are that organisations are responsible for their third parties and that they cannot transfer the risk or, following an incident, culpability. With this in mind, organisations must be conscious that the performance of their third parties will directly reflect upon them. A service can be outsourced, but a risk cannot. For an organisation to have confidence in its third parties, those third parties need to be managed correctly.
This paper will lay out some of the regulatory drivers that require organisations to manage their third parties and the associated challenges. It will also delve into what a ‘good’ third-party risk management function should look like and the different approaches that organisations are taking as a result of the increasing complexity that they are experiencing.