7 questions bank boards should ask about third-party risk

Mike High

As banks and credit unions integrate new technology, the number of software and fintech vendors in their ecosystems keeps growing. This mounting complexity makes comprehensive third-party oversight a major challenge.

Most bank boards and audit committees receive regular updates on the state of their third-party risk management (TPRM) programs. But with complexity growing and changes happening faster than ever, it might be time to do more.

To help you challenge your TPRM program and examine its effectiveness, ask these seven questions:

1. How can we be sure our third-party inventory is complete?

You can’t manage third-party risk if you don’t know who your third parties are. This insight might seem obvious, but that doesn’t mean applying it is easy. According to a 2020 third-party risk management study published by Prevalent and Shared Assessments, 52% of third-party risk leaders and decision-makers surveyed said a complete inventory of vendors was one of their top needs to help address challenges.¹

To solve this challenge, many banks start with a comparison to accounts payable. By reviewing your accounts payable, you can confirm that you’ve considered all payees for vendor risk management purposes.

Once you have a complete list of payees, apply your vendor identification criteria and determine whether each payee requires third-party oversight. Bank leaders for each line of business or product should review the list and confirm that all key relationships are included, especially those third parties that aren’t vendors. Your organization should repeat this process at regular intervals, usually about once per year.

2. Are we covering all types of third-party risk?

Ask whether your organization has a standardized process in place for vendor selection and due diligence. If not, you’ll need to build one. If there is a process, you should understand what the process involves and ask whether it’s adaptable enough to handle different vendors and the various levels of risk they present.

Your process for initial due diligence should, at minimum, review the following:

Financial stability. Is the third party at risk of failure, or does poor financial health create concerns about unstable operations and controls?
Compliance. Does the third party comply with the laws and regulations that apply to the processes it is responsible for?
Business resiliency. Can the third party provide appropriate continuity in the event that it or the bank experiences a disruption?
Fraud. Does the third party have controls in place to prevent fraud? Has the bank confirmed that no bank employee has a conflict of interest or is a personal beneficiary of the transaction with the third party?
Information security and privacy. Can the third party appropriately protect bank data and prohibit unauthorized sharing, disclosure, or use? Does it comply with all privacy laws?
Operational risk. Can the third party meet operational agreements to maintain quality?
Country risk. Does the third party operate in or transfer data to countries that expose bank data or processes to unacceptable risk?
Subcontracting/fourth parties. Does the third party share bank data with a fourth party or subcontract material portions of the work?

3. How will we identify and remediate third-party issues?

Many banks struggle with third-party issue identification and remediation. As you review and analyze third-party due diligence, you should identify control gaps and assign a severity to quantify the risk associated with each gap. Your organization should have remediation timelines in place so you can address and correct issues based on their severity.

To achieve consistency in terms of issue remediation, you should have a remediation policy in place that assigns roles and responsibilities to the various contributors in your TPRM program. Traditionally, business relationship owners drive the remediation process with the third party, then subject-matter experts confirm the fixes. Having a centralized repository for tracking issues, remediation plans, and their due dates helps unify the different parties involved in the process.

Once your organization has centralized and documented activities related to third-party issues and remediation, you can start reporting those activities to the board. When the board understands the issues that might exist with critical vendors, they can make better decisions.

4. Do our third-party contracts protect us?

When a third-party data breach or other incident exposes you to potential harm, your vendor contracts should offer some degree of protection. A strong contract can’t help a tarnished reputation, but it might help minimize some of the financial damage.

Bank boards should ask for a copy of the bank’s contract checklist and confirm that it includes:

Right to audit. The bank should have the right to formally audit at least once a year as well as after any confirmed incident.
Right to monitor. The bank should have the right to gather feedback from the third party whenever the threat or compliance landscape changes or when the bank receives notice that the third party might have experienced a risk incident.
Right to terminate. The bank should be able to terminate the relationship with notice based on changes to the organization’s needs and risk tolerance.
Nondisclosure. The vendor should keep information provided by the bank confidential and formally compel all employees and subcontractors to honor confidentiality.
Incident and data breach notification. The vendor should notify the bank no more than 48 hours after an incident has occurred and provide appropriate details to support the bank’s response.
Data jurisdiction. The vendor might need to be restricted from transferring the bank’s information across borders without approval.

Required controls. The contract should define the information security, compliance, privacy, employee oversight, and operational controls the vendor must implement to mitigate the bank’s risk.
Performance standards. The contract should define, in detail, the performance standards or service-level agreements the vendor is expected to meet.
Indemnification. The contract should define the obligations under which your vendor must compensate your organization for losses or damages.
Term. The contract should have a defined term, with formal re-review and execution required at periodic intervals.
Insurance. The vendor should carry general liability and cybersecurity liability coverage as well as any other insurance types (such as automobile insurance) that are necessary based on the relationship.
Subcontracting and fourth parties. The contract should specify key fourth parties (usually those that will access bank data or support key operations) and define a formal approval process should those fourth parties change.

5. Do we monitor our third parties for changing risks?

The landscape of risk is always changing, so your third-party risk management program needs to keep up. Beyond changes to the third parties and organizations you rely on, the landscape can shift due to regulatory changes, new laws, data breaches, and major vulnerabilities. To prepare for new risks, the board should find out how the bank monitors for changes in risk and ask what the control environments look like at the organization’s third parties.

Recently, Crowe third-party risk specialists gathered survey data from risk leaders in the financial services industry (to be published as part of a forthcoming TPRM benchmark study) that shows that at least 50% of respondents apply a mix of financial health and cybersecurity ratings tools for continual monitoring. By knowing how the risk landscape is changing and by staying informed about critical third-party activity between due diligence cycles, organizations can mitigate emerging sources of third-party risk.

6. Does our technology help us or hurt us?

Most companies have a partially automated platform for risk management. Usually, some activities and documents live online in a centralized platform while other activities remain in manual processes. When your TPRM specialists pull from multiple locations to gather necessary information, confusion, inefficiency, and gaps in monitoring tend to result.

Mature risk management technology should create a central hub of information for all third parties. You can tie all your TPRM activities to this database and quickly see what reviews have been done, what evidence is pending, which vendors have been fully evaluated and closed out for the year, and what the reporting metrics look like for the vendors that have received third-party risk assessments. Your technology also should track unresolved issues and gather feedback from your third parties when risks change.

7. Are we ready for an unexpected third-party termination?

In a perfect world, your organization would never experience performance-related issues with a critical third party or do business with a third party that ends up suffering a financial or reputational failure. In the real world, these types of failures and issues are likely over time – if not inevitable. So, how can you make sure you’re prepared?

One key is to develop documented exit strategies for critical third parties. An exit strategy is critical because if a third-party relationship goes south – or if you just decide to pursue a different direction at the vendor’s contract termination date – your organization will have a contingency plan in place. Exit strategies might involve using other third parties, discontinuing the activity, or bringing the service in-house.

Let's connect

Crowe employs a global team of hundreds of specialists who devote their time to third-party risk management. If you have questions or concerns about your third-party risk management program, get in touch. We can apply our deep financial services industry knowledge and expertise to assess your TPRM program and build a road map for improvement. We also help execute due diligence and risk assessments, review contracts for key clauses, and assist with ongoing monitoring.

If poor technology automation is at the core of your TPRM issues, we can help. Crowe implements third-party risk and GRC technology solutions that can make your process more efficient and effective. Visit our third-party risk page to learn more.

¹“2020 Third-Party Risk Management Study: The 3rd Rail of Security & Compliance,” Prevalent & Shared Assessments, April 8, 2020, https://www.prevalent.net/content-library/2020-third-party-risk-management-study-the-3rd-rail-of-security-compliance/

Mike High

+1 954 489 7423

mail