Conducting Effective Third-Party Risk Management

Tasuku Itoh


April 2, 2024

Third Party Risk Management

To meet customer demands, balance costs and stay compliant, financial institutions increasingly rely on third-party partnerships. In fact, according to a 2023 survey by EY, 98% of U.S. financial services firms have partnerships with third-party vendors, sometimes numbering in the thousands.

With so many partners, risks can become difficult to manage. As banks collaborate with third parties, they share more sensitive data outside their organization, increasing the risk of data breaches, cyberattacks, AML violations and unethical conduct. Not having sufficient visibility into a vendor’s risk profile can harm the entire organization. Recognizing this risk, the FDIC recently released updated guidance on third-party relationships in collaboration with the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC). The guidance encourages banks to build a comprehensive third-party risk management framework by identifying, mitigating and assessing their most critical relationships.

With the new guidance, financial regulators are sending a clear signal that they are increasingly scrutinizing third-party risk management (TPRM) and the controls that banks have in place. This has been further demonstrated by a number of fines and enforcement actions issued against banks over this issue. For example, in October 2020, Metropolitan Commercial Bank was assessed $30 million in penalties for a third-party oversight related to a third-party partner providing prepaid credit cards that were being used for fraud during the COVID-19 pandemic. In July 2023, American Express was fined $15 million by the OCC for a matter relating to its relationship with a third-party affiliate that did not have proper call monitoring and customer complaint controls in place. In May 2023, the FDIC also entered into a consent order with Cross River Bank, a go-to banking partner of many fintech companies, over claims that the bank engaged in unsafe lending practices and did not conduct adequate oversight of third-party lending partners. The consent order specifically detailed that the bank must engage in a highly detailed third-party risk assessment before entering into new third-party relationships.

Third-Party Risk Trends

One of the primary consequences frequently associated with third-party risk is the increased vulnerability to data breaches. Financial losses from such breaches can be significant. According to IBM's 2023 Cost of a Data Breach Report, the average cost of a data breach reached an all-time high of $4.45 million in 2023. However, data breaches are only one example of third-party risk. Banks that do not implement an effective third-party risk management strategy expose themselves to a variety of other risks, including: 

  • Strategic: If a third-party partnership, especially on a major product, goes unfavorably, it could lead to a loss of customers and competitive edge.
  • Operational: If a vendor’s capabilities fail to come through on a major operational project, especially one involving data, an organization can find itself unable to process critical transactions, and increasingly susceptible to errors and fraud.
  • Compliance: Partnering with a company that has failed to comply with relevant laws and regulations can have far-reaching effects including regulatory scrutiny and fines. 
  • IT and Cybersecurity: If a misconfiguration, faulty software update or data loss occurs, it can lead to a service outage, financial harm and reputation damage.

According to a 2022 KPMG study, nearly three-quarters of respondents experienced at least one significant disruption to business caused by a third party within the previous three years. Many TPRM departments face insufficient budgets, ineffective technology and limited personnel resources to handle what have historically been slow, manual processes. In order to better address third-party risks, organizations must proactively adapt their strategies. The following factors that will change the future of TPRM:

  • New regulatory frameworks: In addition to the FDIC’s updated guidance, financial institutions also must consider broader regulatory frameworks that also expose them to third-party risk.  For example, compliance with ESG initiatives can be complicated by suppliers that may not have as strong of an environmental commitment. Banks that do not follow the guidance to put a comprehensive TPRM program in place will expose themselves to scrutiny and fines.
  • Emerging risks: Cybersecurity, operational and compliance risks continue to grow. In Deloitte’s 2023 Global Third-Party Risk Management Survey, nearly 62% of risk leaders rank technology investments and IT security risks as a top third-party risk. If a third-party vendor fails to protect itself against cyberattacks, systems failures or does not comply with regulations, the bank partnering with it can suffer the same losses. 
  • Technology investments:  Organizations use emerging technologies like AI, machine learning and blockchain to develop sophisticated third-party risk management. AI and ML can automate due diligence, risk assessment and continuous monitoring tasks. According to Deloitte, the financial services vertical is leading other industries in investment in technology and automation for TPRM, placing it second only to improving overall risk methodology.

Developing a Third-Party Risk Management Strategy

The Deloitte survey found that companies that invest appropriately in TPRM are better equipped to navigate current and future challenges. An effective TPRM program can help financial institutions identify, assess and mitigate risks associated with third-party vendors, and allowing financial institutions to better protect customers, data and their bottom line. To implement an effective third-party risk management strategy, financial services companies should:

  • Start with data: One of the most significant security vulnerabilities in third-party relationships is data sharing and tracking. Deploying real-time data insights within and outside the organization can help monitor and flag unusual activity immediately. 
  • Get the right people involved: As third-party relationships are so far-reaching, TPRM should involve representatives from almost every part of the bank from compliance to sales to account managers who hold the relationships with the vendors. As regulators increasingly scrutinize these relationships, executive leadership should step up and take an active role in managing them.
  • Conduct thorough due diligence: Due diligence best practices and vendor risk management software can help organizations assess partners’ business, financial condition, risk profile and security. Ideally, this information should be gathered before beginning the relationship. 
  • Segment your vendor risk: Not all vendor risk profiles are created equal. Separate your vendors into tiers based on risk exposure. The riskier a relationship is, the more closely it should be monitored.
  • Assess operational resilience: Evaluate your organization’s ability to withstand cyberattacks by using cybersecurity monitoring tools to investigate the security of third-party systems and networks for signs of suspicious activity.
  • Create an incident response plan: This plan should include steps to mitigate the impact on your organization and on customers. Software can model various scenarios and help create a plan, while penetration testing can simulate real-world incidents. 
  • Commit to continuous monitoring: Regularly review each third party’s performance, risk profile and security vulnerabilities.

Tasuku Itoh is a global GRC strategist at Nomura Research Institute.