Assessing third party risk management in financial institutions

The financial sector operates in an increasingly interconnected market, with systemic risk a key consideration and driver for resilience.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Firms must individually remain stable to avoid disrupting the wider financial services industry and overall economy – in the UK and beyond. We’ve seen the impact of specific banks not being able to adapt in recent history (there have been 562 bank failures since the year 2000), with high-profile collapses such as Lehman Brothers around 2008 leading to a period of economic downturn.

While traditional governance around capital and crime (for example KYC, risk-weighted assets, etc.) remains critical to ensuring banks are financially solvent and protected against crime such as fraud, corruption, and money laundering, this is no longer enough.

The interconnectivity with, and reliance on, third parties to support the acceleration of digitalisation, transformation, and implementation of new technologies is introducing a new, complex threat landscape. These threats include cyber concerns, ESG performance and other non-financial risks that may impact the bank’s ability to continue operating. Incidents such as the global technology failure on 19 July highlight the need for strict third-party risk management.

It starts with a ‘single version of the truth’

While regulation and policy provide clarity around the bank’s obligations, the practical steps needed to complete more in-depth third-party risk management can be challenging.

Third-party risk management is everyone’s job. And when different parts of the bank, and the teams within it, collaborate, it’s easier to meet obligations around understanding and reporting on third parties. Building a consistent foundation with one ‘single version of the truth’ for each third party, which can be used throughout the business, is one way to reduce the burden and make operational resilience easier to achieve.

But achieving this can be challenging. When it comes to data, financial institutions must invest in the foundational technology, infrastructure, and data strategy of their business, with an immediate, ongoing focus on data management. Institutions still operating in silos, with legacy technology, and/or with no ‘single version of the truth’ will fall behind.

The importance of dynamic and accurate data

In an ideal world, issues regarding a specific third party highlighted in one area of the business can be escalated to others quickly, minimising the scale of disruption. This is especially important in cross-border, global groups where international data is needed.

To be successful at this, data must be kept up to date on an ongoing basis.

Given that accurate third-party data across a variety of risk factors is paramount, relying solely on third parties to provide updates on everything, without verification, puts financial institutions’ resilience at risk. By working with a trusted external data provider, financial services firms can build a dynamic and accurate data foundation. This can be delivered via automated workflows that are already part of the third-party risk assessment process, with ongoing monitoring and change notification. By working with a data partner, banks can fulfil their obligations and improve resilience without needing to put additional pressure on resources or build new systems.

Want to learn more about assessing third-party risk, including cyber threats and ESG performance? Join our webinar on Tuesday 3 December.