On May 13, 2020, we hosted the first session of our Spring Webinar Series – Conquering the Complexity – Managing Third-Party Risk
Myron Mallia-Dare, a technology and business lawyer from Miller Thomson, led this timely, informative discussion with:
This event will be available for replay on June 2, 2020 at 4pm.
While artificial intelligence (AI), blockchain and other emerging technologies are bringing new risks and new third parties to the table, both risks and vendors have taken on increased importance due to COVID-19. Some new risks are temporary, some permanent. COVID-19 may increase the adoption of third-party solutions but may also bring new scrutiny to them.
The new COVID-19 world puts third-party-, enterprise- and business-continuity risk-management programs in the limelight and has exposed holes in programs that might not otherwise have been identified. Firms are at different levels of maturity when it comes to these programs. Those at the forefront are already re-evaluating and making plans to reset; they are going back to basics to ensure that the very foundation of their programs is strong, reflecting on what is a critical vendor, levels of risk, and so on. They are working to identify and address future risks that may arise from COVID-19 and what we have learned from it.
The panelists have seen growth in the use of RegTech solutions, driven by the increasing complexity of risk and of regulatory requirements, and by the corresponding cost increases. RegTech is integrating well within financial institutions, primarily as an additive tool rather than a replacement for existing ones, contributing to end-to-end risk solutions by better connecting compliance with the rest of the organization, for example, extending into HR to help automate due diligence and workflow.
Panelists were asked if they have seen a transition from build/partner/license/buy approaches to third-party outsourcing for due-diligence and risk-management RegTech solutions. They observed that financial services firms, traditionally more conservative, are becoming a bit more open to managed solutions in certain areas. Firms that are already in vendor contracts that may expire soon, or that are looking for new options/approaches and are subject to higher levels of risk and regulatory scrutiny, will be more likely to adopt managed services. Firms should also consider their maturity/readiness, as jumping right into AI with no experience is unlikely to be successful. In that case, managed services could be used for lower-risk and less-sensitive functions.
Two COVID-19-created risks relating to compliance and privacy are the very rapid switch to new technologies and to remote work/bring-your-own-device (BYOD), and the related challenge of obtaining System and Organization Controls (SOC) reports and other certifications when audits must be performed remotely. Tracking where information resides and how data is transmitted, and ensuring that privacy requirements such as GDPR continue to be met during this big shift, have become key focus areas for many firms.
With COVID-19 creating direct financial and operational losses, there is additional regulatory scrutiny on non-financial risks, their impact on organizations, and how they are reflected in the firm’s risk register. Cyber and fraud risks are huge: broader access to technology has monumentally increased the number of bad actors, as well as the ease with which they can take advantage of new digital payment technologies that increase speed and reduce detection, especially across multiple (omni) channels. Furthermore, cryptographically signed transfers can be made between parties and across jurisdictions with few control points at which the movement or seizure of illicitly obtained funds could be stopped. The proliferation of digital identities is a further problem.
Post-COVID-19, expect regulators to move to a much greater focus on work from home, not just of regulated-entity staff, but also of the entities’ third-party vendors’ employees, some of which have already announced permanent work-from-home strategies.
Regulated entities should expect regulators to go beyond current metrics and ask them to validate and confirm conformance to existing compliance requirements, providing more detail on operational-risk frameworks. Regulators will adopt a more evidence-based view of supervision. They will look for resiliency measures, asking what firms have learned from past operational failures, how quickly and successfully problems were remediated, and what the effects were on the firm and on its risk models and scoring. It will be even more critical to keep lines of communication open with regulators, who may expect firms to focus more proactively on early signs of problems and to initiate quick, effective action. There will be a greater focus on vendors and on tracking vendor responsiveness (how long they take to acknowledge, remediate and effectively rectify an issue).
Risk-management assessments should be more frequent than annual, with additional monitoring and scrutiny of tolerances. One risk possibly not previously considered in financial services is supply-chain risk; vendor procurement will likely have to be more permanently connected with ongoing monitoring, to identify, say, a change in strategy at the vendor that may affect the service quality/risk profile. There is also culture (and employee-morale) risk – probably a bigger risk than most people think. There are ways to measure conduct failures to assess culture. Point-in-time measures may be less important than trend-based approaches. It is expected that new products to help measure conduct risk in a decentralized work environment will be developed and deployed.
Author: Barbara Amsden, Strategic Advisor to the CRTA