David DiCristofaro, Global Lead Partner, IT Advisory in Risk Consulting, KPMG LLP
Banks everywhere are under pressure. It is hard for them to grow organically in the post-crisis period, while increased regulation imposes costs and limits capital available for external growth. With turnover stagnant, banks have to concentrate on driving out costs and finding new ways to drive growth.
This is where service providers and other intermediaries play an important role—and where external risk factors come in. And it is why any bank relying on third parties needs to make sure that the controls and compliance bar is set as high at its service providers as it is within the bank’s own systems and procedures.
This is not an option—regulators are increasingly expecting ever more oversight of third parties. Rationalizing relationships by cutting numbers and consolidating external suppliers can help (although there is a fine balance between having a manageable number of suppliers while not being dependent on too small a number). Banks should also focus on the underlying contracts related to their supplier relationships, and on monitoring their suppliers’ organizational control reports or exercising the other kinds of validation procedures over their controls and compliance.
“The resulting exposure from lapses in data security and privacy at third-party providers poses a serious threat to individual banks”
The resulting exposure from lapses in data security and privacy at third-party providers poses a serious threat to individual banks. This risk extends down throughout the banking supply chain, where a security or privacy incident at a bank as a result of a third-party error in one of their suppliers can signal the end of the service provider. And in a worst case scenario, if a major provider whose services were to have a problem, then the domino effect would cascade throughout the world.
I believe that these risks will also impact smaller banking institutions, possibly disproportionately. These institutions may rely more on third parties for their core banking capabilities than a larger bank does, plus they might not have the resources to be as proactive over validation of third-party controls and compliance.
What will banks do in response to these risks? I believe that the industry is forward-looking enough to draw risk out of the service provider community. The major service providers are certainly motivated to step up to the challenge. As their business becomes more complicated, it will be in their best interests to be on the cutting edge of how they mitigate the risk for fear of being shut out of the market. They will find ways to innovate, such as through security analytics, to seek out and prevent risk events occurring.
I think that the right roles already exist within most large banks to mitigate this risk. The challenge will be around governance and communication between the people on the business, technology and compliance sides, and the constantly changing nature of the banking supply chain. The focus will be to own supplier relationships and risk across the supplier life-cycle and across the enterprise—quite a challenge given that often several different functions have a relationship with one supplier over each one of the many aspects of the business. Banks are looking at ways to improve this, and certainly the regulators are expecting it. Many of our clients are on this journey, and I believe that this will be an enduring trend in the management of their technology risk.