Major Risks by Third Party Vendors in the Financial Industry

December 14, 2021 by Smarsh

Financial institutions have come a long way since the days when a simple bank vault was enough to protect your most valuable assets. These days, banks face risks ranging from the climate crisis to COVID-19 to financial crime to cybercrime. Worse, many of these challenges are heightened by the fact that banks need third-party partners to operate successfully.

And that means the relationship between risk management and financial institutions has evolved with the times.

Here’s a look at a few major challenges in risk management for banks today and what you can do to mitigate them.

Why Banks Rely on Outside Vendors

In a perfect world, you could rely solely on your own teams to deliver the solutions you need. That way, you could manage every last detail in-house and not have external variables introducing new risks.

Unfortunately, that’s not the world we live in.

Today’s financial industry relies on third-party vendors to fulfill a variety of needs. Vendors allow banks to provide services that would otherwise be out of reach and to deliver a better customer experience. For many banks, it comes down to one of four reasons:

  1. Saving money

  2. Increasing efficiency

  3. Scaling internal teams

  4. Introducing new innovations

Third-party vendors can offer just about any service, from marketing to loan servicing. But one way or another, third-party providers allow banks to focus on their core mission and deliver a stronger experience to customers.

Even so, many banks remain wary of third-party vendors. They know that such vendors can provide key services, but they remain leery of bringing in outside contractors. This is for one reason: outside vendors introduce new challenges into the equation that must be accounted for.

Risk Management and Financial Institutions: Common Challenges

Think of your bank like a fence, protecting valuable information. As legend has it, the Mongols finally succeeded in breaching the Great Wall of China after a century of effort not because they smashed through it or climbed over it, but because they bribed the gatekeeper.

Similarly, every entrance to your bank provides a potential weak point unless it’s properly secured. Here’s the catch: the more access points there are, the more weak points there are, and the more people accessing them, the greater the risk that one of them will compromise the whole system.

On average, 89 vendors access a company’s network every single week, touching an average of 4.6 devices. That’s a lot of potential access points and a lot of people who can leave them vulnerable.

Here’s a look at a few of the biggest challenges that third-party vendors pose to your bank.

Cybersecurity

Once upon a time, bank robberies were the name of the financial crime game. These days, it’s cybercrime.

Cyberattacks have been on bank boards’ radar for a while. But with recent attacks like the SUNBURST attack, the need for improved cybersecurity has become more pressing than ever before. Unfortunately, this is also an area where banks need the most improvement.

To go back to our wall metaphor, every entrance point presents a potential security challenge. The problem is that even if your own cybersecurity practices are quite strong, a vendor with weak cybersecurity practices can flush all your efforts down the toilet. It’s no longer enough to have strong in-house cybersecurity practices–you need to ensure your vendors’ practices are equally strong.

The good news? Financial regulators have released guidance to help you get there, like the OCC’s Advance Notice of Proposed Rulemaking in 2016. You can also use several established frameworks provided by regulators, like the NIST Cybersecurity Framework.

Compliance

Another key area of concern is regulatory compliance. Regulators have made their stance on the matter quite clear: a bank can outsource services, but it never outsources responsibility. Any noncompliance by a third-party vendor will be treated as noncompliance by the financial institution relying on the vendor’s services.

In other words? You’re not just on the hook for your own behavior. You’re also on the hook for your vendors’ behavior.

The best way to handle this is by treating it as a responsibility from the very beginning. That means a rigorous due diligence process and thorough vetting of all potential new vendors to ensure their compliance practices are aligned with yours. Your vendor contracts should also explicitly spell out expectations and compliance responsibilities.

Of course, your work does not end when you bring a new vendor on. Once a vendor becomes a regular partner, you need to perform continuous monitoring to ensure that they remain compliant over time.

Reputation

What’s in a name? For a bank, your reputation is contained within your name. And while your reputation doesn’t come with a dollar value, it does affect who’s willing to do business with you.

Reputation is an area that’s difficult to measure numerically but nonetheless has an outsized impact on your business. After all, it’s not enough just to run a great bank. People have to trust that a bank will deliver on its promises. And every time a bank falls short–for example, when a vendor’s bad practices result in a breach–your reputation takes a hit.

When you’re conducting due diligence, it’s easy to focus solely on the operational aspects, like a vendor’s cybersecurity protocols and their response to a crisis. However, you also need to examine the vendor’s reputation. For example, a vendor involved in litigation may bring sloppy practices to the table, which in turn impact your reputation once you work with them.

Similarly, pay careful attention to how the vendor responds to crises. Embarrassments can still happen despite your best efforts, and when they do, you want a vendor who can handle it gracefully.

Your Partner in Risk Management in Financial Institutions

We know that risk management for banks is no small task. After all, you have an institution to run. But you can’t afford to neglect risk management either–not if you hope to stay in business for years to come.

We take the headache out of risk management by providing financial sector risk management solutions that make it easy to ask the right vendor the right question at the right moment. So if you’re ready for risk management without the hassle, get in touch today to learn more about how our solutions can help.
