The time is now to adopt a standard, globally recognised cloud assessment methodology - part one

Part One: The regulatory and firm position

Today, third parties provide more critical services to the financial services industry than ever before. At the same time, there is increased regulatory scrutiny to ensure that financial institutions are performing effective due diligence on the overall security and privacy risks of their third-party vendors.

As regulatory and business environments become more complex, perhaps it is time for a fresh look at how third-party risk is managed. Today's challenges provide a strong incentive for financial institutions to transform their approach to managing risk to make it more efficient and effective. Embracing current technologies, particularly the cloud, and coming together as an industry to adopt a standardised global assessment methodology can help financial institutions achieve this transformation.

Regulators Require Appropriate Risk Assessments and Due Diligence, But Favour Modernised Approaches at Scale

Regulators require financial institutions to conduct appropriate risk assessments and due diligence on, and to manage the risk of, third-party outsourcers, including cloud providers. The level of oversight and due diligence may vary depending upon the systemic importance of the institution, the particular use cases at issue, and whether the outsourced service is critical to the institution's operations. Furthermore, regulators do not mandate any one way to conduct such due diligence, and they have adapted and modernised their approaches to consider scalable ways of conducting due diligence following the advent of cloud computing.

Two examples of how regulators recognise standardised and scalable approaches, drawn from guidance issued by the U.S. Office of the Comptroller of the Currency (OCC) and the European Banking Authority (EBA), are set out below.

OCC Supports a Standardised Approach

In a March 6, 2020 Bulletin, the OCC expressly recognises that if financial institutions "are using the same service providers to secure or obtain like products or services, banks may collaborate to meet certain expectations, such as performing the due diligence". Furthermore, such tools and resources may provide for "standardised approaches to perform due diligence and ongoing monitoring of third-party service providers by having participating third parties complete common security, privacy, and business resiliency control assessment questionnaires."

EBA Modernises Approach to Risk Assessments

The EBA Guidelines, which took effect on 30 September 2019, similarly require an assessment of, and due diligence on, outsourcing arrangements. Importantly, the EBA guidance seeks to harmonise approaches among regulatory bodies within Europe. The EBA guidance codifies modern approaches to conducting risk assessments and audits, including "pooled audits organized with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease organisational burden on both the clients and the service provider".

These scalable approaches recognise that standardised mechanisms for conducting risk assessments are appropriate, without in any way diminishing the obligations, or the level of due diligence and oversight, required of financial institutions when assessing cloud services. This is distinct from custom outsourcing models, which do not lend themselves to a shared, standardised assessment. Consequently, cloud offers efficiency not only in the delivery of the platform of services, but also in managing risk, if done through models like those offered by TruSight. We will go on to explain more about risk management in our next blog post for UK Finance.