
The World is Looking to the US for Third Party Risk Guidance

As organizations in North America and overseas increasingly rely on third party vendors with a global presence to perform critical functions, process key transactions and handle sensitive proprietary information, organizations with mature third party risk (TPR) programs are hearing a loud call to assist those new to the TPR field.

This is not a US-centric challenge; organizations globally are struggling with standardization as well. In my recent travels speaking to various industry groups in the US, the United Kingdom and Canada about the importance of performing due diligence on third party vendors, I witnessed first-hand how this topic is increasingly on the minds of those at the C-suite and board levels, regardless of industry. I have conversed with dozens of senior executives who have made one thing abundantly clear: if you are in a regulated industry, the regulators are very serious when they say they are coming to check on your organization's cyber and business resilience strategies, including the strategies that involve your vendors.

Speaking in June at a Centre for Financial Professionals (CEFPRO) conference in London, Robin Jones, of the UK's Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), said that innovation in technology is receiving the strongest emphasis in the prudential specialists' unit, and that the unit is focused on the issues surrounding events that involve an organization's third parties. (The PRA is responsible for the prudential supervision and regulation of banks, building societies, credit unions, insurers and investment firms.) He added that his unit is paying renewed attention to technology resilience and outsourcing (termed "TRO") and that the FCA's Cyber Risk Team is monitoring these elements for soundness and risk.

Jones further indicated the risk spotlight for his group includes:

  • Technology and associated risks.
  • Cyber risks.
  • Monitoring the growth of Fintech product innovation and new ways of delivering services, which the FCA addresses through what it calls a "new bank unit"; innovation brings both benefits and risks, including the risks associated with use of the cloud.
  • Ensuring financial organizations are aware of UK guidance, such as the FCA's SYSC 4.1: Business Continuity and SYSC 8: General Outsourcing, which cover transition to new suppliers and concentration risk.

Jones also noted that the FCA will continue to review financial organizations to "ensure appropriate risks are identified and managed" at both the organization and third party processor levels.

So serious is this matter that one head of procurement from a large British bank pointedly said to me after my presentation, "We are looking to you (i.e., the US) for guidance on this topic." A moment of clarity set in: the United States is leading the way in third party risk tools, techniques and strategies, and has been for quite some time. The call from our cousins across the pond – and from other international colleagues – must be heard, and we, for the good of all industry, must be willing to share ideas and collaborate on strategies to address this important type of risk.

I received a similar reception speaking at engagements in Canada, including the International Association of Privacy Professionals (IAPP) Privacy Conference in Toronto and the Payments Canada conference in Calgary. Attendees from a variety of industries at both conferences showed that they were either entirely unaware of third party risk or, if they understood it, were unsure how their roles could help mitigate it. Various participants at the CEFPRO conference shared that they had built their own internally customized approaches to third party risk, but there was no evidence of standardization. And while industry members seek guidance from regulators, it was interesting to note that an onsite poll at the CEFPRO conference indicated that attendees prefer government to publish principles rather than rules, by a wide margin of 70% to 30%.

For the good of both industry and consumers worldwide, it is our duty to assist organizations new to third party risk by adopting and promoting standardized strategies, tactics and tools that benefit all of us, so that the processes and data exposed to third parties are truly handled with care.

Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently developing, maintaining and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk.

Originally posted on the Huffington Post blog.