FIS_Third Party Risk Management Whitepaper


Third-party risk management

Tariq Mirza, National Managing Director, Grant Thornton LLP; Dennis Frio, Business Advisory Services Director, Grant Thornton LLP

Keys to managing third-party risk in financial services

Contents

1 Keys to managing third-party risk in financial services

3 What’s the scope of the challenge?

4 The cost dilemma

5 Third-party risk management framework

7 Internal audit’s role

7 What’s next for financial institutions?

8 How Grant Thornton LLP can help

Third-party risk management 1

The risk is real

Recent security breaches and theft of financial information at top retailers, such as Target and Neiman Marcus, have thrown the risks of using third-party vendors into sharp relief. These incidents are not only disruptive, they also result in long-term reputational damage that can seriously affect the bottom line. According to a recent study released by the Ponemon Institute and sponsored by IBM, the average cost of a data breach has reached $3.5 million, an increase of 15% over the past year.

There is no question third parties can provide real value to financial institutions through cost savings, revenue enhancement or greater know-how. As the number and complexity of relationships with foreign and domestic third parties have increased, however, financial regulators have expressed doubts about whether risk is being adequately managed by financial services organizations.

Institutions that fall short may be subject to civil money penalties and regulatory enforcement actions. Examples of such shortfalls include inadequate processes to safeguard confidential information, failures in business continuity planning, or engaging in Unfair, Deceptive or Abusive Acts and Practices (UDAAP).

Introduction


Financial services organizations need to understand the implications of this regulatory shift. To help them gain clarity, recent releases [1] from the U.S. Office of the Comptroller of the Currency (OCC) and the Board of Governors of the Federal Reserve System (Federal Reserve) provide enhanced bank and bank holding company examination guidance for third-party risk management, and they reflect key changes in regulatory thinking about how firms must manage their third-party relationships. Most notably, the guidance calls for more comprehensive and robust risk assessment, monitoring and oversight activities for third parties involved in critical activities, or in activities with the potential to expose an institution to significant risk.

[1] OCC Bulletin 2013-29, Third-Party Relationships, issued Oct. 30, 2013. See www.occ.gov for more information.

Figure 1: What are the risks?

Risk: Information security, data privacy
Description: Third party lacks the experience or controls to protect financial institution or customer information from unauthorized access, disclosure, modification or destruction.

Risk: Business continuity
Description: Third party cannot continuously maintain services in the event of a disruption (e.g., ineffective redundancy procedures).

Risk: Financial viability
Description: Third party is unable to provide acceptable levels of service in the long term.

Risk: Country/credit
Description: Third party markets or originates certain types of loans on the financial institution’s behalf without sufficient oversight. Credit risk may also arise from country/sovereign exposure.

Risk: Contract compliance
Description: Third-party products, services or systems are inconsistent with the institution’s policies and procedures, applicable laws, regulations, and ethical standards.

Risk: Legal/regulatory
Description: Third party does not possess the necessary licenses to operate, or the know-how to enable the financial institution to remain compliant with domestic and international laws and regulations.

Critical activities

The OCC defines critical activities as those that:

• Have significant customer impacts

• Cause significant risks to operations if the third party fails to meet expectations (e.g., data privacy, business continuity)

• Require significant investments in resources to implement the third-party relationship and manage the risk (e.g., outsource a business function)

• Could have a major impact on the financial institution’s operations if an alternative third party is needed or if the outsourced activity has to be brought in-house



Financial institutions that use third parties for critical activities are expected to implement a more rigorous and comprehensive oversight process that includes:

• Board review of the third-party relationships to determine if activities are consistent with the financial institution’s strategic goals, organizational objectives and risk appetite

• Board approval of management plans for using third parties that involve critical activities

• Board review of the due diligence results and management’s recommendations to use third parties that involve critical activities

• Board approval of contracts with third parties that involve critical activities

• Board review of ongoing monitoring of third-party relationships involving critical activities

• Board oversight of actions to remedy significant deterioration in performance or changing risks or material issues identified through ongoing monitoring of critical activities

• Board review of periodic independent reviews of the financial institution’s third-party risk management process

What’s the scope of the challenge?

Large financial institutions may have many thousands of third-party suppliers, with their supplier relationship sponsors potentially distributed across many departments. Third-party contracts may not be housed in a central repository, and their provisions for similar services may be inconsistent.

Types of potentially high-risk third-party suppliers

Any third-party entity can carry risk, but some categories warrant closer attention because the provider may be newer, larger, more exposed to attack or a greater fraud risk:

• IT hosting/co-location data center providers

• Cloud or software-as-a-service providers

• Outsourced financial or operational service providers such as:

– Payroll processors

– Securities settlement providers

– Mortgage servicers

– Remittance processors

• Medical, dental or insurance claims processors

• Others that support operational activities on your behalf and with access to your company’s/client’s data:

– Credit card and prepaid card program managers

– Courier services (e.g., medical files, cash copays)

– Printing and mailing servicers

– Marketing services providers

– Telecom providers

– Help desk or user support providers


To minimize operational risk and meet regulatory expectations, any organization that entrusts outside entities with sensitive data, intellectual property, client data or proprietary information needs a framework for identifying, assessing and mitigating the risks involved. Such organizations will also need to comply with information security and privacy regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Privacy of Consumer Financial Information Rule (Regulation P).

The cost dilemma

Third parties can deliver tremendous value through cutting costs, reducing headcount, providing better service and efficiency, and giving organizations the ability to pivot quickly. That said, a third-party strategy can be costly if mismanaged. While financial services companies are under increased pressure to reduce costs, they are also under increased pressure to demonstrate that their third parties are in compliance with laws and regulations. The upfront and ongoing compliance costs can offset the benefits of using third parties, and finding the right mix is a challenge for most large financial institutions.

Example: Third-party mortgage servicing

Third-party risk management was an important focus for remedial action in the consent orders for the top mortgage servicers, including third parties that perform or provide:

• Mortgage default management — these third parties support a number of key processes, including foreclosure, bankruptcy and loss mitigation, and include firms that file legal documents on behalf of the institution.

• Force-placed insurance — this area is prone to abuse, particularly when the loan servicer owns or is affiliated with the insurer.

• Debt collection — large financial institutions may stratify their delinquent loans by days outstanding, for example:

– Perform certain debt collections internally at 30–90 days past due

– Outsource to debt collector No. 1 at 90–180 days past due

– Outsource to debt collector No. 2 at more than 180 days past due

Regardless of the collection strategy, it is important that debt collection practices conform to regulatory expectations, and that each collector, not only the first, is subject to the institution’s oversight.


Third-party risk management framework

The OCC and the FDIC, along with the other banking supervisors, expect the boards of directors and management of financial institutions of all sizes to properly oversee and manage third-party relationships. Their guidance can serve as a useful starting point for any financial institution looking to set up a third-party risk framework.

In OCC Bulletin 2013-29 (October 2013), the agency defines the third-party risk management life cycle (see figure 2). Fundamentally, financial institutions should adopt risk management processes that are commensurate with the level of risk and complexity of their third-party relationships.

The solution for managing third-party risk is a strong oversight program.

The bottom line: Financial institutions can outsource activities to third parties, but they cannot outsource the risk. Each institution is responsible for managing third parties to ensure that all of their activities are conducted in compliance with applicable laws and regulations.

3 tips for contracts with third-party service providers

For financial services companies, any third-party contract should include:

1. The third party’s specific performance responsibilities and duty to maintain adequate internal controls for its services

2. The third party’s responsibilities and duty to provide adequate training on applicable consumer protection laws and the institution’s policies and procedures to supplier employees or agents

3. Acknowledgment of the financial institution’s authority to conduct periodic on-site reviews of the third party’s controls, performance and information systems to confirm contract compliance

A successful risk-management program must be top-down in scope, and includes oversight at every stage of the relationship — from selection to ongoing monitoring to contingency plans for termination.

Figure 2: The third-party risk management life cycle (Source: OCC Bulletin 2013-29)

Life cycle phases, in order: Planning/risk identification; Due diligence and third-party selection; Contract negotiation; Ongoing monitoring; Termination.

Elements that apply throughout the life cycle: Oversight and accountability; Documentation and reporting; Independent reviews.


10 keys to a successful third-party risk management program

1. A detailed inventory of all third parties with whom the firm has a relationship: Start with your vendor master list and accounts payable payment reports, but you may also use enterprisewide surveys and data-matching algorithms to reconcile the sources against each other.

2. A comprehensive catalog of specific customer risks to which third parties can expose you: Many institutions don’t fully understand all the risks from their third parties. A master risk register, tied to the issues that the regulators (Consumer Financial Protection Bureau, FDIC, Federal Reserve and OCC) are actively pursuing will help kick this off.

3. A risk-based segmentation of the supplier base: Not all suppliers or their services carry the same amount of risk. Devote the most effort to activities defined as critical by the OCC. Tiering your third parties ensures that those rated high risk receive consistent treatment.

4. Rules-based due diligence testing: Again, treating every third-party relationship the same way doesn’t make sense. Carefully designed rules can help firms focus their investigation on critical areas.

5. A disciplined governance and escalation framework: At many firms, third-party risk management does not have a natural owner. Establishing one and giving that group the right decision-making powers are essential.

6. An independent review of critical activities to set a baseline for your third-party risk management processes.

7. Streamlining your third-party relationships: Company mergers, acquisitions and lack of corporatewide sourcing activity may have produced duplicate third parties and services and a rationalization initiative will not only save you money but lower your risk potential.

8. Integrated technology and Management Information System (MIS) workflow to increase the efficiency and accuracy of your risk assessments: Purpose-built, off-the-shelf applications have matured over the last few years and may be the right answer for your third-party risk management needs. Building your own can be difficult.

9. Identifying an internal audit central point of contact (CPC) for third-party risk management, similar to other enterprise risks: The CPC should be your leader in understanding what the regulators are looking for, so you can find and address weaknesses before your examiners do.

10. Organizing your third-party risk management program across three lines of defense: 1) business owners — they own the risk and implement actions for risk identification and mitigation; 2) third-party oversight — they establish the policies and procedures, provide oversight for key risks, and identify opportunities for improvements as guidelines change; and 3) internal audit — they provide an independent, systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
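As an added illustration of keys 1 and 3 (this is example code written for this page, not the whitepaper’s or Grant Thornton’s method), the following Python sketch reconciles an accounts-payable payment report against a vendor master list to surface third parties that are being paid but were never inventoried, then tiers the resulting inventory using the four OCC critical-activity criteria quoted earlier. The vendor names and IDs, the record fields, the handles_customer_data attribute and the three-tier scheme are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed vendor master list (assumption: invented vendors).
VENDOR_MASTER = {
    "V100": "Acme Core Banking Hosting",
    "V200": "Northwind Payroll",
    "V300": "Contoso Print & Mail",
}

# Constructed accounts-payable payment report: (vendor_id, payee_name, amount_usd).
AP_PAYMENTS = [
    ("V100", "Acme Core Banking Hosting", 250_000.00),
    ("V200", "Northwind Payroll", 40_000.00),
    ("V300", "Contoso Print & Mail", 12_000.00),
    ("V400", "Fabrikam Debt Recovery", 75_000.00),  # paid twice, never inventoried
    ("V400", "Fabrikam Debt Recovery", 80_000.00),
]


@dataclass
class ThirdParty:
    """One inventory record. The four boolean criteria mirror the OCC's
    critical-activity definition; handles_customer_data is an added
    assumption used to set a floor just below the critical tier."""
    vendor_id: str
    name: str
    customer_impact: bool          # failure would have significant customer impact
    operational_risk: bool         # failure would cause significant operational risk
    significant_investment: bool   # major resource investment to implement/manage
    hard_to_replace: bool          # major impact if replaced or brought in-house
    handles_customer_data: bool    # accesses customer NPI (GLBA / Regulation P scope)
    annual_spend_usd: float = 0.0


def find_unmanaged_vendors(master, payments):
    """Key 1: reconcile AP against the vendor master. Returns
    {vendor_id: (payee_name, total_paid)} for payees with no master record."""
    totals = defaultdict(float)
    names = {}
    for vendor_id, payee, amount in payments:
        if vendor_id in master:
            continue
        totals[vendor_id] += amount
        names[vendor_id] = payee
    return {vid: (names[vid], totals[vid]) for vid in totals}


def is_critical_activity(tp):
    """Any single OCC criterion is enough to make the activity critical."""
    return any((tp.customer_impact, tp.operational_risk,
                tp.significant_investment, tp.hard_to_replace))


def assign_tier(tp):
    """Key 3: risk-based segmentation (tier scheme is an assumption).
    Tier 1: critical activity, board-level oversight and full due diligence.
    Tier 2: touches customer data, information-security review required.
    Tier 3: everything else, baseline contract checks."""
    if is_critical_activity(tp):
        return 1
    if tp.handles_customer_data:
        return 2
    return 3


def tier_inventory(inventory):
    """Map vendor_id -> tier for a whole inventory."""
    return {tp.vendor_id: assign_tier(tp) for tp in inventory}


# Constructed inventory, including the vendor surfaced by the AP reconciliation.
SAMPLE_INVENTORY = [
    ThirdParty("V100", "Acme Core Banking Hosting", True, True, True, True, True, 250_000.0),
    ThirdParty("V200", "Northwind Payroll", False, True, False, False, False, 40_000.0),
    ThirdParty("V300", "Contoso Print & Mail", False, False, False, False, True, 12_000.0),
    ThirdParty("V400", "Fabrikam Debt Recovery", True, False, False, False, True, 155_000.0),
    ThirdParty("V500", "Tailspin Office Supplies", False, False, False, False, False, 3_000.0),
]

if __name__ == "__main__":
    for vid, (name, paid) in find_unmanaged_vendors(VENDOR_MASTER, AP_PAYMENTS).items():
        print(f"Unmanaged vendor {vid} ({name}) paid {paid:,.2f} with no inventory record")
    for vid, tier in tier_inventory(SAMPLE_INVENTORY).items():
        print(f"{vid}: Tier {tier}")
```

The reconciliation step is where inventories usually fail in practice: a debt collector or courier engaged by one business line can be paid for years without ever appearing in the risk inventory, so the AP side, not the vendor master, should be treated as the authoritative starting set. The tiering deliberately treats any one OCC criterion as sufficient, since the bulletin’s definition is a disjunction, not a scorecard.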


Internal audit’s role

To be truly effective, a risk management program must include an audit or periodic monitoring function. Not only should you perform due diligence on the front end to thoroughly screen service providers and gain assurance that their practices and procedures are up to standard, but you must continually monitor the relationship so that once-sound practices don’t veer off course. Since third-party risk management is an enterprise risk, internal audit is uniquely positioned to perform monitoring activities and to report on its organization-wide findings. Business lines generally see only their own set of suppliers, so an enterprisewide view is a useful step.

The leading risk management practice is to have an internal auditor:

1. Serve as a CPC for third-party risk management similar to other enterprise risks.

2. Set the audit standard for third-party risk audit programs.

3. Serve as subject-matter expert on third-party risk management within audit.

4. Direct reviews of enterprise third-party risk management in internal audits.

5. Influence/coach design and execution of business and control functions within internal audits.

6. Develop a point of view on the overall design and operating effectiveness of the company’s third-party risk management process.

7. Communicate and report that point of view to management and the chief audit executive; for third-party relationships deemed critical activities, the report should be to the company’s board of directors.

Tip: Reducing the number of third parties

The number of third parties used by an organization for a given category of spending should be a key focus area for internal audit. The sourcing team should move toward identifying preferred suppliers for each spending category and eliminating those that don’t fit defined criteria.

What’s next for financial institutions?

Regulatory exams are increasingly focused on third-party service providers, so now is the time for financial institutions to assess their current third-party oversight programs and implement a program that meets regulatory requirements. Institutions will continue to use third parties to maintain flexibility and keep costs in line, but balancing these advantages with the proper level of oversight can be a challenge. Of primary importance is avoiding the potential for significant noncompliance penalties that major financial institutions have faced recently.

Financial institutions are still looking for the right formula, but need to avoid building costly solutions without developing a well-considered strategy. Although there are some off-the-shelf technology packages available, financial institutions are not all alike, and tailoring those products may be costly in terms of time and money. Institutions have been known to try a number of solutions before they find the right formula for efficient and cost-effective risk management procedures.



How Grant Thornton LLP can help

Our team helps financial institutions design new or upgraded third-party risk management programs or enhance existing ones. There are a variety of tasks that could require an outside perspective, and we encourage you to contact us to discuss the best course of action for your success.

Grant Thornton services that can help financial institutions manage third-party relationships include:

• Royalty, licensing, distributor and percentage rent — identify lost revenue for the intellectual property owner.

• Franchise compliance — assess a franchisee’s compliance with the provisions of the franchise agreement, including identification of underreported sales, operational inefficiencies, and sales and income tax noncompliance.

• Third-party audits — assess compliance with various provisions of purchase and sales agreements across the supply chain, including most-favored customer/nation clauses; cost-plus or time and materials agreements; conditional pricing arrangements; and rebates, discounts and other conditional incentives.

• Data privacy and information security — assess third-party service provider compliance with the data privacy and security provisions of contractual agreements, and with privacy and security regulations and standards (e.g., the Health Insurance Portability and Accountability Act (HIPAA), GLBA, Regulation P, and the Payment Card Industry Data Security Standard).

• Regulatory compliance — assess third-party service provider compliance with regulations such as the Electronic Funds Transfer Act, Fair Debt Collection Practices Act, HIPAA, Real Estate Settlement Procedures Act and Foreign Corrupt Practices Act, among others; provide an attestation report on compliance or controls over compliance.

• Sustainability — assess compliance with sustainability frameworks. Many companies are adding supplier/vendor code-of-conduct requirements related to such areas as labor practices, greenhouse gas emissions, conflict minerals and waste products.

• Relationship management — create relationship management systems, including the use of our proprietary integrity framework.


Contacts

Tariq Mirza, National Managing Director, Bank Advisory and Regulatory Services. T 202.251.8677, E [email protected]

Dennis Frio, Director, Business Advisory Services. T 646.825.8470, E [email protected]

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

Grant Thornton LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. Services are delivered by the member firms. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please visit grantthornton.com for details.

© 2014 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd

Connect with us

grantthornton.com

@grantthorntonus

linkd.in/grantthorntonus

About Grant Thornton LLP

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

In the United States, visit grantthornton.com for details.