With increasing customer demand for digital functionality, companies find themselves relying more on third parties to provide the necessary technological support and expertise. In a 2015 report, Significant Others: How Financial Firms Can Manage Third Party Risk, PricewaterhouseCoopers (PwC) tackles how financial institutions are adapting to this changing landscape. As the report explains, there is broad exposure to this risk in the industry: “[i]n today’s environment, it would be nearly impossible to find a financial institution that doesn’t contract with third parties to perform many essential functions.” This high exposure brings high costs, from service interruptions and security breaches to the mishandling of customer data and regulatory violations.
Because financial institutions exist in a highly regulated industry, it is difficult to skirt responsibility for the acts of third parties. According to PwC’s report, “[r]egulators have made it clear that financial institutions cannot outsource their controls, and that they expect firms to hold their third parties to the same high standards that firms themselves must meet.” However, a 2014 PwC survey indicated that such controls are lacking. Only 51% of respondents monitored their affiliates, and even fewer—36%—monitored their subsidiaries. And, although nearly all respondents indicated that they have some monitoring system for their vendors, almost half of responding firms said that they rely entirely on these third parties to monitor their subcontractors.
Not only do robust controls bring these firms in line with regulatory expectations, but they also produce tangible business benefits; only 37% of respondents who regularly monitored third parties experienced service disruptions or breaches, compared to 56% of those respondents who only monitored third parties on an ad hoc basis. Furthermore, the information gathered by merely setting up such controls can be immensely beneficial: “[a]rmed with a more thorough, accurate view of the role third parties play across the organization, financial institutions can use the data analytics to support strategic business decisions.” When asked to estimate the financial benefits received from implementing such controls, 19% of respondents indicated a benefit of more than $1 million, with 6% estimating more than $5 million captured by effective third-party monitoring.
Ultimately, PwC’s recommendation for effective third-party risk management is threefold:
- Governance—producing and maintaining clear policies and procedures with consistent involvement of senior management
- Process and tools—taking inventory of all third-party relationships, identifying those that contain the most risk, and concentrating institutional resources accordingly
- Enablers—developing a strong support system for risk-management controls through training, communication, and technology