Shifting regulations, TPRM, and continuous monitoring – How one can help FIs navigate the others

When third-party risks become a first concern for regulators and FIs alike, you know you’ve had a rough couple of years. Three back-to-back bank failures, increasing geopolitical unrest, fiscal instability, and growing concerns over sustainability and emerging tech were just some of the major headlines from the recent past. Caught in the crosshairs of all this tumult are commercial lenders trying to walk the fine line between enhancing their services and enhancing their TPRM (Third-Party Risk Management) oversight. Recent regulatory moves have underscored the importance of getting this balance just right. This blog explores the ever-evolving landscape of third-party regulations and how continuous monitoring can help FIs navigate these changes more efficiently.


Figure: Continuous monitoring enables banks to remediate third-party risks in real-time or near-real-time.

TPRM and regulations – Increased scrutiny, shifting frameworks, rising expectations


According to a recent Gartner report, nearly 60% of lenders have increased their dependence on third parties – an uptick of 15% from previous years. What’s more, over 40% of them believe such connections are more important than ever before in enhancing their organization’s profitability. Suffice it to say that FIs and third-party connections are here to stay. Not only that, they will likely continue to expand and become more complicated as the need to digitize and stay competitive grows.


These developments haven’t gone unnoticed by regulatory bodies, which have also stepped up their vigilance. In 2022, Reuters monitored over 61,000 regulation-related events. That’s over 230 findings every day. This number is only set to rise, with 78% of CROs expecting to see an uptick in supervisory findings on third-party risks in the coming days. Recent joint guidance updates and actions taken by governing agencies such as the U.S. Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (Federal Reserve) reflect this. These issuances also showcase the progression in regulatory thinking about how firms should manage their third-party risks.


For starters, a joint guidance update by these agencies is an indication that third-party protocols are now being standardized across the industry. Secondly, there is now a clear expectation that banks should take a more tailored, organized approach to TPRM rather than follow an ad-hoc, one-size-fits-all methodology. In addition, this tailored approach should extend to all stages of the third-party life cycle, not just due diligence. Thirdly, banks must now also stay mindful of fourth- and fifth-party subcontractor risks. On the documentation side, FIs must also be able to produce transparent linkages (inclusive of relevant data) between the use of third parties and the actual decisions made. Not only do regulators expect this, but Boards of Directors are also demanding it now.


And while these are just guidelines, follow-up actions taken by these agencies have clearly shown that they mean business. In the months following the issuance of these guidelines, both the OCC and the FDIC have cracked down on banks with lax third-party oversight, sending a clear message that FIs are answerable for their third parties’ actions. The guidance and recent crackdowns indicate that supervisory focus in this area is growing and that FIs must be prepared to strengthen their TPRM processes.


Continuous monitoring – A proactive strategy that kills two birds with one stone


FIs have traditionally approached third-party risk management defensively – dealing with risks as they arise. Typically, the process is a siloed one that relies on historical sample data, intake questionnaires, and spreadsheets. Such static frameworks are ill-equipped to keep pace with today’s dynamic risk and regulatory landscape, as the 2023 banking crisis proved. The recent crisis was a moment of reckoning for a lot of compliance and risk professionals, most of whom (over 60%) said that their current monitoring systems would not have detected such third-party red flags in time. So, it’s clear that banks need to assume a more attacking posture concerning third-party risks. After all, attack can sometimes be the best form of defense.


Here’s where continuous monitoring steps in. As the name implies, it involves banks systematically collecting, analyzing, and evaluating risk-related data daily. It is a proactive approach that enables banks to detect, assess, and remediate third-party risks in real-time or near-real-time. This data-driven approach allows organizations to stay agile and responsive even when the business environment turns volatile – helping them keep risks managed and regulators satisfied.


Compliance benefits of continuous monitoring for financial institutions


Reduce blind spots


Like a toxic relationship, traditional point-in-time third-party risk assessments can blow hot and cold. Typically, an exhaustive pre-screening analysis is followed by casual indifference for a prolonged period. Thereafter, the investigative furor only picks up when it’s time for a reassessment or a renewal of the contract. In today’s fast-paced business environment, this creates dangerous blind spots where third-party risks develop unnoticed and lead to operational or reputational harm.


Continuous, transparent, and documented monitoring allows banks to detect issues as they arise, rather than waiting for periodic audits or examinations. This enables proactive intervention and remediation, reducing the likelihood of regulatory breaches and associated fines. In addition, because continuous monitoring systems work from current data, they help FIs evaluate third parties based on real-time risk. This in turn enhances decision-making in every aspect of the TPRM process, from pre-screening due diligence to contract termination.


Improved coverage and tailored assessments


The reason cyclical third-party risk assessments are the norm is that a majority of institutions lack the ability to continuously monitor their partners. To be sure, continuous third-party monitoring can be a herculean manual task, and one that may seem superfluous amid the primary focus of assessing credit, market, and other financial risks. But thanks to advanced technologies such as artificial intelligence (AI), machine learning (ML), and data analytics, FIs no longer need to choose which risks to focus on.


An added advantage of using tech-backed systems is that they provide FIs with scalability at a very low cost. So, instead of only focusing on the connections that seem riskiest, banks can now monitor thousands of third parties daily without investing additional time or resources in the task. This way, banks can assess all potential risks regardless of the size, location, or service provided by the third party. In addition, advanced systems also produce more objective and customizable assessments. For example, the TRaiCE risk indices can be tailored to address different focus areas for each third party, making the assessments more targeted and consequently more reliable.


Demonstrate compliance culture


Regulators and stakeholders now expect FIs to provide evidence of the decision-making process. Continuous monitoring provides banks with a comprehensive audit trail of monitoring activities, enabling them to demonstrate to regulators, auditors, and stakeholders that they have effective controls in place to manage risks. This makes it a crucial and powerful tool for responding to governing bodies. Moreover, equipped with Early Warning Systems and real-time alert mechanisms, banks can showcase their proactive stance by considering future risk scenarios and implementing supplementary safeguards.


Not only that, continuous monitoring systems also allow FIs to create a streamlined and transparent risk management process that fosters accountability within the organization. In the end, regulatory compliance is not just about ticking boxes. Rather, it is a mindset that demonstrates a culture of compliance and trust to people both within and outside your organization, and continuous monitoring goes a long way in helping organizations cultivate that.


Conclusion


Continuous monitoring may not be a panacea that will do away with all TPRM and regulatory challenges that FIs face today. Nevertheless, when combined with traditional financial stability assessments, it can aid banks in identifying risks before they show up in financial statements or, equally crucially, before they catch the attention of regulators.


Need help with monitoring your third-party relationships? Check out how TRaiCE helped a West Coast chartered commercial bank create a TPRM process that is both less resource-intensive and more secure.