When the Federal Deposit Insurance Corporation (FDIC) released its guidance letter to institutions on managing third-party risk following the 2008 financial collapse, the organization held them accountable to a new inescapable mandate: financial activities can be outsourced, but responsibility cannot.
Since then, enhanced due diligence (EDD) has emerged as the dominant framework to evaluate third-party compliance for institutions and credit card companies that may have upwards of 50,000 vendors and partners in their supply chains.
The tension between outsourcing operations and conforming to regulatory oversight is a challenge that will escalate in the coming years. Those financial institutions that move quickly to manage third-party risk and due diligence requirements will be rewarded with growth and a high level of trust in their business operations by both government and private sector customers.
The Stakes Are High
A failure to screen 100 percent of third parties can result in potential regulatory action, litigation, profit loss, or irreparable brand reputation damage. Morgan Stanley is a case in point, with a recent action by the Office of the Comptroller of the Currency (OCC) issuing a $250 million fine to the banking giant for failing to decommission two wealth management data centers.
While technology — including cloud computing — has enabled financial institutions to reduce operating costs and pursue a frictionless banking experience for their customers, it has also increased their reliance on subcontractors. According to the OCC, Morgan Stanley failed to apply adequate due diligence when selecting a technology vendor, and that failure ultimately exposed sensitive customer information. This contravened the Interagency Guidelines Establishing Information Security Standards, set forth by the OCC.
Accounting Today noted recently that “most organizations do not fully understand the risks presented by their third-party relationships, let alone request or assess audit results from every third party under contract” — a fact that we can vouch for based on our remediation experience. Unfortunately, far too often, it takes a reputational crisis or large fine for organizations to review the efficacy of their screening and diligence processes.
Cybersecurity and data privacy are not the only arenas which require enhanced due diligence. Operating in high-risk environments, such as the cannabis or cryptocurrency space, magnifies the need for enhanced risk assessments for third parties.
The Financial Crimes Enforcement Network (FinCEN), along with the OCC and other regulatory bodies, has reiterated that the cornerstone of a strong Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program is the adoption of policies that limit the risk of money laundering and terrorist financing.
Any financial institution must know not only its customers and third-party vendors but also the risks they pose to the broader economic landscape.
Defining Enhanced Due Diligence
“Enhanced due diligence is designed to be risk-based, with flexibility in its implementation to allow covered financial institutions to obtain and retain this information based on risk,” FinCEN stated in a document outlining Guidance on Obtaining and Retaining Beneficial Ownership Information.
Third-party payment processors that fail to adequately verify the identities of their merchants pose greater risks of money laundering and fraud. Aspects of a sound EDD approach that limit exposure to regulatory action include reviewing the processor’s promotional materials and completing appropriate background checks on the processor and its management/owners. Additional steps include ascertaining whether the processor re-sells its services to a third party or to Independent Sales Organizations (ISOs). Finally, a thorough scrub to confirm that the processor, and any of its vendors, have not been the subject of material regulatory authority actions or other compliance failures can help insulate enterprises from risk.
It’s important to remember that using third parties, including technology vendors, offers significant advantages. These include deploying human capital and gaining access to new products and services. As such, European and U.S. regulatory agencies are doing their best not to stifle competition and innovation.
Enhanced due diligence allows a financial institution to conduct operations in a safe and sound manner without incurring regulatory wrath. It also protects consumers and promotes a strong ethical framework for employees and partners to pursue new revenue channels and opportunities for growth.
The Compliance Journey
One of the first steps in solving third-party compliance woes is to ascertain what share of your third-party network isn’t subjected to even rudimentary due diligence. Another step is to establish a viable method for communicating with them that allows for ongoing monitoring and future auditing. Measuring the gap between compliance and noncompliance enables the leadership team to track metrics and gain actionable insights.
The top levels of management, including both the CEO and CFO, should ideally exercise strong oversight over the due diligence process, which involves collecting and analyzing data to ensure third parties support your strategic and financial goals.
Both these objectives must, of course, align with regulatory and legal requirements.
These laws, statutes, and guidelines are orchestrated by several governmental, industry, and regulatory bodies, including FinCEN, the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the OCC, the Office of Thrift Supervision, and the Securities and Exchange Commission.
As the financial sector moves into a more complex global monetary environment, it favors executives who use a managed risk service to execute enhanced due diligence across the supply chain. Doing business with the wrong party adversely affects profits and invites action by European and U.S. regulators under frameworks such as FinCEN guidance, the FCPA, and the UKBA. Damage to your brand and reputation may take years to rebuild.
Don’t Risk Your Reputation
In today’s environment, financial institutions have little choice but to outsource a number of technology and administrative operations in order to stay competitive. But outsourcing responsibility is dangerous to your customers and to your business.
The traditionally rigid and siloed risk and compliance industry finds itself in times that demand greater agility and collaboration with related risk disciplines. Meanwhile, many providers of risk management services provide one-size-fits-all solutions that aren’t tailored to a specific industry and that are not backed up by ongoing information gathering and due diligence. IntegrityRisk is here to help you manage this journey toward 100 percent compliance with responsive risk management for all your partners, vendors, and third parties operating in your supply chain.