Shared assurance models: some key questions answered

On 3 September UK Finance was joined by Dave Dadoun from Microsoft and Jonathan Pressman from TruSight for a webinar to discuss third party risk management and specifically shared assurance models. The webinar builds on two blogs, published earlier this year, the first focusing on the regulatory and member position and the second on the benefits of adopting a shared assurance model. TruSight, an industry consortium made up of five financial institutions, has been at the forefront of developing a shared assurance model for customers which then forms the basis of its assessment of third parties such as Microsoft.

The webinar proved to be extremely popular with members and raised several questions to Dave and Jonathan, many of which they did not have the time to answer. We have posted them below with their responses.

As platforms proliferate and open banking accelerates, how is the function of procurement departments transforming?

It appears that more financial institutions are centralising Third Party Risk Management (TPRM) under the procurement department and at the very least they are serving as the coordinator within internal stakeholder groups.

There are a number of assessment questionnaire standards - ISO27001, NIST, SIG, etc. Is the TruSight assessment cross-mapped to these?

Yes, TruSight has taken and continues to take a holistic approach to evolving its methodology to ensure we are meeting our customers' needs on a global scale.

How does TruSight help with smaller or more regional service providers, as opposed to large technology providers?

TruSight supports all sizes of service providers. However, it selects third parties based on customer use or demand. Because it is a utility and not a managed service it only assesses third parties where it has multiple customers using the same provider.

How certain can TruSight be that large technology providers are complying with regulations, as opposed to pointing to lots of written material but no single "certification" that shows that an agreement complies with various regulations? How can those suppliers satisfy their customers in this respect?

TruSight educates each customer about the methodology and what the final product looks like before they purchase an assessment. This allows customers to gain comfort around the methodology and ensures it meets their requirements.

How do TruSight and similar firms ensure they are looking at the right things in terms of the various regulations? How can a financial institution be certain there are no "gaps"?

In developing and evolving their methodology, TruSight maps to global regulatory bodies. Prior to signing agreements with their customers, TruSight conducts practitioner educational sessions and provides all the details about the methodology to ensure the customer gets the detail they need and can identify any gaps in methodology.

How would a utility model, such as TruSight, prevent threats to independence when providing assurance?

TruSight has its own internal team of assessors, so it can mitigate any independence issues.

The FCA has stated that reliance on assurance from international standards such as the ISO 27000 series is unlikely to be sufficient. What is the view on this stance and how will shared audits address this?

It is crucial to ensure that customers review the methodology while also continuing to do thorough review and mapping of the regulations that customers need to comply with.

Are regulators comfortable with virtual reality on-site inspections?

This is a fluid conversation today given the environment in which everyone is living and operating, and we expect more to come on this topic.

To what extent are different international regulations relevant in the UK outsourcing sphere?

They are relevant to the extent that (a) a multi-national is doing business outside the UK (entities are subject to regulations in each jurisdiction they do business in) and (b) they are relevant from the perspective of alignment and harmonisation. The UK is a leader in this space, but making comparisons with other jurisdictions such as Singapore and Australia is useful as a benchmark.

Do you think that the move to a more technological approach to managing suppliers opens up more room for error and removes the human approach around managing a valuable relationship with suppliers?

Automation can help, but (like AI) it is designed to augment and not replace human interaction. A hybrid approach can help scale, but the speed of technology clearly can help and augment safety and soundness. Examples of this include automation in patching, which is far more seamless and secure than what humans alone can do.

Do you perform on-site assessments as part of the service or is it purely online form filling?

Microsoft supports on-site assessments, but there is a cost component. Ultimately institutions must choose what makes sense depending on use cases of cloud, the size of their institution, and whether information can be obtained virtually and through self-assessments without on-site assessments.

Would smaller companies that procure services from larger firms like Microsoft fare better by using a shared assessment methodology rather than attempting to obtain the information and evidence via an individual assessment approach?

Potentially, but it depends on the resources and skillsets of the institution. Microsoft provides a rich set of resources to enable self-assessments, but this takes time, whereas supplier utilities such as TruSight can aid in scale and have depth of expertise, so the quality and richness of the work product done on behalf of the institution is often more efficient and consistent.