What’s that coming over the hill? Third party risk management, it’s a beast.

By Simon Tweddle

As I’ve said a few times now, operational resilience has become a cornerstone of regulatory focus, particularly in the context of third and fourth-party risk management. The interconnectedness of financial institutions with their vendors, service providers, and the extended web of subcontractors can introduce complex threat vectors. The Financial Conduct Authority (FCA), Prudential Regulatory Authority (PRA), European Banking Authority (EBA), and the Digital Operational Resilience Act (DORA) have laid down standards and frameworks to govern these risks. Understanding and adhering to these regulations is of course crucial for financial institutions, but understanding their third and fourth-party risks is the ultimate goal.

Understanding Third and Fourth-Party Risks 

Before delving into regulatory frameworks, I should attempt to define what third and fourth-party risks are. Third-party risks emerge from direct relationships between financial institutions and their vendors or service providers, whereas fourth-party risks arise from the subcontractors of these third parties. These risks encompass a broad spectrum of issues, including cybersecurity threats, operational failures, compliance lapses, and reputational damage. 

The Regulatory Landscape 

Financial Conduct Authority (FCA) 

The FCA emphasises the importance of effective risk management practices in its guidance for firms outsourcing to third-party service providers. The authority mandates firms to have robust governance frameworks, perform due diligence risk assessments, and ensure contractual agreements reflect the risk management and compliance expectations. The FCA’s approach is holistic, focusing on the end-to-end process of third-party management, from due diligence to continuous monitoring. 

Prudential Regulatory Authority (PRA) 

Similar to the FCA, the PRA outlines stringent expectations for firms under its purview, with a particular focus on the systemic implications of third-party failures. The PRA's guidelines are geared towards ensuring that firms maintain the resilience of their critical operations, even in the face of third or fourth-party disruptions. This includes comprehensive testing of business continuity and recovery plans in scenarios of third-party failure. 

European Banking Authority (EBA) 

The EBA’s guidelines on outsourcing arrangements set out to harmonise the European perspective on managing third-party risk. These guidelines require institutions to maintain a register of all outsourcing arrangements, conduct risk assessments, and ensure outsourcing agreements include robust clauses on data protection, access rights, and audit capabilities. The EBA also emphasises the need for financial institutions to consider the concentration risk of outsourcing critical or important functions to a single third party. Many national competent authorities in the EU demand that a senior manager is named as the “Outsourcing Officer”.

Digital Operational Resilience Act (DORA) 

DORA represents a significant evolution in the regulatory landscape, introducing a unified framework for digital operational resilience across the EU financial sector. It mandates financial entities to establish comprehensive risk management frameworks that encompass all aspects of digital operational resilience, including third and fourth-party risks. DORA also introduces regulatory technical standards (RTS) that specify the requirements for ICT risk management, incident reporting, digital operational resilience testing, and information sharing among financial entities. 

Integrating Regulatory Requirements into Risk Management Practices 

The convergence of these regulatory frameworks highlights a few critical themes for financial institutions in managing third and fourth-party risks: 

  1. Governance and Oversight: Institutions must have clear governance structures for third-party risk management, with senior management involvement and clear lines of accountability. 

  2. Risk Assessment and Due Diligence: A thorough risk assessment process is crucial, covering the lifecycle of the third-party relationship. This includes due diligence before engagement and ongoing monitoring throughout the relationship. 

  3. Operational Resilience Testing: Regular testing of operational resilience, including the impact of third and fourth-party failures, is a key regulatory expectation. This may involve scenario analysis, penetration testing, and recovery plan testing. 

  4. Contractual and Compliance Requirements: Contracts with third parties should clearly outline the responsibilities related to risk management, data protection, and regulatory compliance. Financial institutions must ensure that their third and fourth parties are aware of and capable of complying with relevant regulatory requirements. 

  5. Incident Management and Reporting: In the event of an incident affecting a third or fourth party, institutions need to have clear protocols for incident management, including timely reporting to regulatory authorities as required under DORA and other regulatory frameworks. 

Challenges and Considerations 

While regulatory frameworks provide a structured approach to managing third and fourth-party risks, financial institutions face several challenges. These include the complexity of managing a vast network of third and fourth parties, the dynamic nature of cyber threats, and the need for a culture that prioritises risk management and compliance. Additionally, the global nature of many third and fourth-party relationships introduces cross-jurisdictional regulatory challenges. 

The regulatory landscape for third and fourth-party risk management might be considered comprehensive in the round, with the FCA, PRA, EBA, and DORA providing frameworks that emphasise governance, risk assessment, operational resilience, compliance, and incident management. Financial institutions must navigate these requirements thoughtfully, integrating them into their risk management practices not only to comply with regulatory expectations but also to safeguard their operational resilience in the face of increasingly complex and interconnected risks. Achieving this requires a strategic approach that combines robust governance, thorough risk management processes, and a culture that prioritises actual resilience rather than box-ticking compliance.

What do firms actually need?

A Strategic Framework for Managing Third and Fourth-Party Risks 

To effectively manage third and fourth-party risks, financial institutions must adopt a multi-faceted strategic framework that encompasses several key components: 

Comprehensive Risk Identification and Classification 

Financial institutions should begin with a comprehensive mapping of their third and fourth-party ecosystems to identify all entities that pose potential risks. This process involves classifying third and fourth parties based on the services they provide, the criticality of those services to the institution's operations, and the inherent risks associated with their operations. This classification serves as the basis for prioritising risk management efforts and resources.

Enhanced Due Diligence and Continuous Monitoring 

Enhanced due diligence processes are crucial at the onset of any third or fourth-party engagement. Firms should not only assess the financial stability and reputational standing of their third parties but also evaluate their cybersecurity practices, compliance with relevant regulations, and their subcontracting policies. Post-engagement, continuous monitoring of these parties is essential to detect and address any changes in their risk profile or operational performance promptly. 

Development of Resilient Contractual Agreements 

Contracts with third and fourth parties should be crafted to include stringent clauses on compliance with specific regulatory requirements, data protection standards, and incident reporting protocols. Additionally, contracts should outline the right to audit, allowing firms to verify compliance and operational resilience periodically. These agreements should also detail the expectations for business continuity and disaster recovery capabilities of the third and fourth parties. 

Implementation of Technology Solutions 

To streamline the management of third and fourth-party risks, financial institutions are increasingly turning to technology solutions. These include cloud-based platforms for risk management, which enable real-time monitoring and reporting of risks associated with third and fourth parties. Artificial intelligence and machine learning tools are also being employed to predict potential disruptions and automate parts of the due diligence and monitoring processes. 

Adapting to the Evolving Regulatory Landscape 

The regulatory environment surrounding third and fourth-party risk management is in a state of constant evolution, driven by the increasing complexity of financial services ecosystems and the emergence of new threats. Financial institutions must remain agile, adapting their risk management practices to align with the latest regulatory developments. 

Staying Informed and Engaged 

Staying informed about regulatory changes is crucial. Engagement with industry groups and participation in forums discussing operational resilience and third-party risk management can provide valuable insights into best practices and regulatory expectations. Firms should assign responsibilities within their line of business to work with compliance teams to proactively manage regulatory change rather than wait for the compliance team to ask “what are you doing about this?”

Training and Awareness Programs 

Given the critical role that employees play in identifying and managing risks, including those associated with third and fourth parties, financial institutions should invest in comprehensive training and awareness programs. These programs should cover the institution's policies and procedures for third-party risk management, the specific regulatory requirements applicable to their operations, and the potential consequences of non-compliance. Third-party risks should start to have an equivalence with anti-financial crime and financial risk management. It is probably one of the least understood

And finally…

As financial institutions attempt to navigate the complexities of third and fourth-party risk management, the importance of a strategic approach led by the C-suite cannot be overstated. The regulatory frameworks provided by the FCA, PRA, EBA, and DORA offer a solid foundation for these efforts. However, firms must also focus on the continuous improvement of their risk management practices, leveraging technology solutions and fostering a culture of resilience.

Looking ahead, the landscape of third and fourth-party risk management will continue to evolve, driven by general advancements in technology, changes in the regulatory environment, the dynamic nature of global financial markets, and specific innovations in the fintech sector. Firms that adopt a proactive, strategic approach to managing these risks will be well-positioned to navigate any complex interdependencies that arise, and to maintain an appropriate level of operational resilience and regulatory compliance at the same time.
