Four Keys to Managing Third-Party Risk

By Loraine DeBonis, Director of Marketing & Communications

rules_compliance_gears_social.png

One of the biggest risks facing the U.S. financial system is third-party risk, according to the OCC’s Semiannual Risk Perspective for Spring 2018 released at the end of May. Banks also cite third-party risk management as one of their Top 5 priorities for 2018.  

In April, I had the opportunity to moderate a panel on compliance and risk management in the evolving prepaid market at the Network Branded Prepaid Card Association’s Power of Prepaid conference in Washington D.C. Not surprisingly, one of the key things that continues to get attention at this annual industry gathering is the importance of third-party risk management and of all parties in the value chain working together in the process, including regulators.

A few weeks ago, I caught up with one of my expert panelists, Branan Cooper, chief risk officer at vendor management firm Venminder, to dive deeper into the issue of third-party risk management, how the political environment in Washington is shaping it (or not), and what those working in financial services can do to improve third-party risk management, whether they work at a bank or at a third-party service provider like I do.

Here are four key takeaways:

  1. Collaboration Is Critical: Even when you’re good at it, third-party risk management is hard. And as regulation and fraud threats change, the demands for risk managers are increasing. That’s one of the reasons banks are seeking out help from companies like Venminder. Third-party risk management requires a lot of all the organizations involved—the banks, third-party service providers and even the regulators themselves. It may sound obvious, but collaboration across all stakeholders is essential. A major part of the collaborative approach is open communication in all directions, not just from the banks to the third parties or from the regulators to the banks. We can all work more effectively together when we’re talking to each other and sharing information.
     
  2. Transparency Matters: Another important factor in effective third-party risk management is setting the expectations up front and to have clear roles and responsibilities delineated from the get go. While this may be part and parcel to the contract process, it’s important for everyone to be very clear about expectations not only of the services being provided but also the need for ongoing monitoring to manage risks, as well as how that monitoring will be accomplished.
     
  3. Politics Don’t (Matter): Regardless of what’s happening in Washington or at the state level, third-party risks and best practices don’t change. The risk of new regulations or rulemaking might be reduced under President Trump and a Republican Congress (keep your eyes on the states), but the risks related to security, fraud or regulatory compliance remain intact for banks and their third-party service providers.
     
  4. What You Don’t Know Can Hurt You: In any type of risk management, what you don’t know can definitely hurt you. As a third-party service provider, we take our bank relationships and the accompanying responsibilities very seriously. That’s where the collaboration and transparency mentioned above come into play, but we also go deep into the weeds to really understand the regulatory requirements for ourselves. We couldn’t do our jobs effectively if we didn’t know Reg E error resolution requirements backwards and forwards. It helps that our CEO, Cheryl Slipski, is a former lawyer. And of course, as the rules change, we’re ready. That’s one of the big reasons we are part of the NBPCA.

For more information, listen to the 15-minute podcast here.

Loraine DeBonis is the marketing and communications director for Ubiquity Compliance Solutions, which specializes in dispute and chargeback management, fraud and identity verification services for the financial services sector. Previously, she spent 10 years writing about prepaid and emerging payments for SourceMedia and Paybefore. She can be reached at ldebonis@ubiquitycompliance.com.