How can third party services be made more accountable

8 minute read 25 Apr 2019
By

EY UK

Multidisciplinary professional services organisation



Organisations today share critical responsibilities with third parties. Therefore, it is imperative to have a fit and proper risk management framework. 

Third parties play an important role in the financial services sector. Given the complexity of their operations, organisations are typically unable to provide all required service and business operations themselves on an in-house basis. Or at least they may not be able to do so to the high standards that a third party, which is able to concentrate on a small number of services, can provide. With the rapid emergence of new technologies aligned with greater customer expectations, the need for third parties continues to increase. Given the importance placed upon third parties, it is no surprise that they are increasingly relied upon to provide critical components of a financial institution’s range of services. However, with this reliance comes the added risk to an organisation given the shared responsibility for services and transfer of data. As a result, there is an increasing need for oversight and governance of third parties to manage those risks, and where it is deemed appropriate, to mitigate them as far as possible. The risks to organisations of not managing their third parties properly could include a loss of customer data or the inability to process customer payments, amongst many others.

The implications for customers who have placed their trust in a financial institution are significant, and the potential harm that could arise from such an incident should not be downplayed. Any organisation affected in such a way should expect significant reputational damage and, where organisations are deemed to have been negligent, supervisory action by regulators. Such incidents do not necessarily follow on from an incident experienced by an organisation’s third parties, but while the possibility exists, a robust third-party risk management function is crucial in managing an organisation’s risk levels. Moreover, the expectations from customers and regulators are that organisations are responsible for their third parties and that they cannot transfer the risk or, following an incident, the culpability. With this in mind, organisations must be conscious that the performance of their third parties will directly reflect upon them. A service can be outsourced, but a risk cannot. In order for each organisation to have confidence in its third parties, they need to be managed correctly.

This paper will lay out some of the regulatory drivers that require organisations to manage their third parties and the associated challenges. It will also delve into what a ‘good’ third party risk management function should look like and different approaches that organisations are taking, as a result of the increasing complexity that they are experiencing.

  • Regulatory expectations

    The European Banking Authority’s (EBA) revised guidelines on outsourcing arrangements provide an insight into the risks of outsourcing, as well as suggested methods of understanding, addressing and minimising these risks. The principles can be applied across industries and carry an underlying theme of building ‘trust’ in the financial sector. The guidelines also make clear that regulatory and customer requirements do not change when third parties form part of the operating model, and that operational resilience requires robust internal management that understands the dependencies between an organisation and its third-party service providers.

  • Challenges in the marketplace

    There are several challenges associated with managing the risks that result from using third parties, and there is no standard best-practice model available for organisations to draw upon or to benchmark their programme against. Organisations can, though, aim to mitigate these challenges by building third-party risk management (TPRM) programmes. There is also a need to keep track of regulatory changes, establish the full population of service organisations used by the primary organisation, and follow a suitable operating model to manage third parties on a case-by-case basis.

  • Predictions for the future

    Financial institutions need to account for how other companies use and protect their data and manage sustainable operations, especially for critical services. Since 2013, there has been an increased volume of onsite assessments being performed. As organisations continue to enhance the methodologies used to understand the risks of third parties, there is a greater focus on technology integration and board reporting capabilities. Risk governance requirements are routinely cited in new regulations, and the focus of future partnerships is on consumer compliance, cyber, enterprise resilience and IT security.

Summary

As organisations expand, they may be unable to provide all services themselves. Partnering with third parties is thus a natural choice, but one that opens the door to risks in today’s digital world. This document throws light on the importance of maintaining control over the partnership, as well as some of the regulatory drivers that organisations must follow.
