Exactly what is the role vendor and third-party risk management plays in operational risk management for Fintech companies?
This has become an ever-more important question in recent years as corporate internal practices have come under greater scrutiny, as scenarios within conduct and reputation risk have left some companies exposed to regulatory judgment. Managing this is not only important from an overall risk management perspective, but it’s also necessary in order to satisfy the expectations of stakeholders and consumers.
The need for increased monitoring and controls over third parties and vendors is part of the pursuit of greater operational resiliency. Failures within its supply chain can have adverse impacts on a company. Each enterprise has its own appetite for risk, and therefore may have its own thresholds as to what is acceptable from a supplier, but there is still an overall increase in the level of prevailing risk which all companies must acknowledge and address.
Read More: Today’s Most Innovative Fintech Solution: A Refresh of an Industry Mainstay
Based on our conversations of late with multiple risk management experts and professionals, we can identify some of the factors contributing to that increase that are specific to the area of financial services technology, or fintech.
- The changing technological environment within firms, particularly those in financial services, has created a shifting landscape. How does this impact risk management? It’s apparent there is a broad new battleground between risk and security professionals and the array of cybercriminals who are targeting these organizations and institutions.
- These firms cannot afford to ignore technological advances, for both competitive and regulatory reasons, but with each advance comes a new vulnerability, and that’s certainly the case if they are working with fintech providers to enhance the tech tools they are able to offer to their clients and customers.
- The supply chain, especially when it comes to the multiple providers who may be supporting a financial firm’s fintech stack, goes beyond third-party vendors, of course, and as it extends to the fourth and fifth parties – and beyond – who are supporting the primary provider’s technology platform. As that chain lengthens, the opportunities increase for fraudsters, black hat hackers, and others to find chinks in your company’s armor.
- Why? Because as financial services companies become more proficient at preventing vulnerabilities they can directly identify and mitigate, these malefactors seek out security gaps or other opportunities among its fintech vendors, or those vendors’ vendors, they can attack.
Read More: The Future of Emerging Payments: Connecting Cash with Digital
How to manage third parties?
There are various steps a company can take to defend itself against risks created by third-party vendors, and these begin with assessing the very need for outsourcing.
- Outsourcing risk assessment: First, a risk assessment should be conducted to inform management and the company board of the risk/benefit tradeoff of outsourcing to a third-party provider, versus simply keeping a project in house. This involves exploring the credentials and track record of the vendors available in the market, and whether or not there will be sufficient oversight established between company and provider.
- Due diligence: The process of evaluating and choosing a vendor must be excruciatingly thorough, from drafting a proper RFP through making final appraisals of competing providers. References and financial information should be freely provided by competent vendors, and their bona fides when it comes to risk mitigation and security should be extensive.
- Contracting: One way of mitigating risk is, of course, by stipulating responsibilities and accountability in the contract a company draws up with its vendor. Everything from scope of work to compensation, KPIs, and contingency actions in the event of any issues must be included.
- Monitoring: The fintech vendor should have no objection to providing the level of transparency and governance its customer, the financial institution, seeks, because it’s not the vendor’s bottom line and reputation that will suffer the most in event of a problem. Oversight should be on a sliding scale; if KPIs and compliance thresholds are not being met, the client firm should be able to ratchet up its oversight.
- Governance tools: There are also solutions available expressly designed to help enterprises monitor various aspects of their digital operations which are touched by third parties. One example? Tag auditors, which track how third parties and their vendors who are involved with your website might be accessing and sharing the data – which can include consumers’ personal data – it collects.
- Business continuity and contingency plans: In case of the worst, it’s essential to have contingency plans in place in the event a vendor error or failure impacts services. These should be drawn up between the client company and vendors, but other measures that can be put in place should also include identifying backup providers.
By following these steps, a company will be able to identify and manage its risk from third parties.
Read More: Top 5 Digital Banking Trends For 2020