One thing that was apparent during the COVID pandemic was that banks are very creative by nature and able to step up to meet the needs of their customers and the communities that they serve. This has led to the rapid ascension and adoption of digital products and services that consumers can access 24/7.
With this comes a great responsibility for understanding the risks that are associated with those complex technological advancements while safeguarding against those bad actors trying to sabotage the system. Rest assured that there are keys for that, and it all starts with a trusted partner.
As banks leverage the expertise of third-party partners, it’s important to have in place a Third-Party Vendor Risk Management Program designed to fit within the bank’s overall strategic plan, short- and long-term goals, and business objectives.
Based on the bank’s directional compass, it’s common to weigh the risk versus reward scenario for the opportunity to pursue these digital advancements. As this starts the risk management process, be sure to take into consideration the relevant risks associated with any relationship, including the generally accepted banking risk categories (such as Credit, Interest Rate, Liquidity, Transaction, Compliance, Strategic, and Reputation).
The due diligence process will further examine those risks determined to be key from the above considerations, as the bank will want to tailor this based on the complexity of the third-party relationship (such as a core system provider versus a one-time digital marketing campaign). At a minimum, consider the following:
- The third-party’s experience in performing the proposed product or service. It’s important that the bank can verify the expertise with other sources while also completing its own research into available resources (such as the Better Business Bureau, Google, etc.).
- Determine whether the third-party’s business model appears to support longevity and can withstand changes in the market (such as those due to an unexpected pandemic…who saw that coming?)
- Thoroughly review the financial picture of the third-party and any closely related affiliates as credit risk is an important factor for long-term sustainability.
- Much like the compliance risk faced by banks, ensure privacy and security measures are functioning as designed, especially when dealing with “non-public personal information”, including through analysis of audit reports commonly referred to as “SOC” (service organization controls) reports.
- The last thing standing in the way (assuming all the boxes are checked) is a safe and sound contract that spells out the responsibilities for both parties and is positioned to protect the bank, related parties, and its customers. Remember, it’s important to have an exit strategy in case the bank’s strategic direction changes and the bank needs to pivot.
By implementing and following a consistent and repeatable third-party risk management process, the bank will put itself in the best position to meet its strategic goals and objectives while positively impacting its customers and the community it serves. Now, that’s nothing but net, when partners work together…Swish!