With regulators in the US focusing heavily on Vendor Risk or Third Party Risk (the terminology differs between financial institutions), one can be forgiven for forgetting about Europe. However, it has become a far more prominent area in the UK and Europe over the past few years, and its stature is steadily growing. This is best illustrated by regulators' rising interest in clamping down on weak monitoring and management of third party risk, with escalating fines for firms that fall short. The reputational damage that institutions suffer when third parties do not fulfil their contractual obligations appropriately, for example through data breaches or misconduct, can have dire consequences for the financial institution concerned. It is therefore paramount that organisations govern, monitor and manage their third parties effectively to mitigate the risks that vendors and third parties pose.
Given the growing recent focus on vendor and third party risk in Europe, the Center for Financial Professionals conducted extensive research to assess the main challenges that financial institutions face with regard to vendor and third party outsourcing. Three of the most prominent areas that came up during the research were the ability to ensure regulatory compliance, understanding vendor subcontracting for a more informed review of the supply chain, and the immaturity of third party risk management and its processes in Europe. This piece focuses predominantly on these three challenges.
As ever, one of the key challenges for third party risk professionals that came out of the research was regulatory: how to ensure regulatory compliance, coupled with reconciling the differences across global regulators and jurisdictions. The FCA's SYSC 8 outsourcing rules in the UK set out much of the criteria financial institutions need to meet to manage and monitor their third parties effectively. However, part of the feedback received was that much of the language within the rules is open to interpretation. Phrases such as 'appropriate oversight' and 'good governance' are extremely hard to quantify and can mean different things to different institutions. Requests to clarify the regulator's position and the definitions within the rules came up regularly during the research. In other words, what are the regulators really looking for? A more consistent approach across firms and the industry as a whole would surely lead to more effective monitoring and management of third parties, and a better understanding of the risks they pose. Likewise, a more consistent approach globally would aid the mitigation of third party risk. With different regulators in the UK and Europe compared with the US and Asia, this is by no means an easy task.
Another area of increased focus and interest is vendor subcontracting, and specifically understanding vendor subcontracting for a more informed review of the supply chain. One of the challenges that constantly appeared was understanding what the subcontractor is actually doing for the financial institution; for example, are the subcontractors in turn outsourcing their services? If so, institutions would have to mitigate the risks posed by fourth, fifth and sixth parties. It becomes a question of how far down the supply chain financial institutions should look. Is it a case of managing only their third parties, or managing their third parties' vendors as well? Visibility and control become increasingly diluted as you move down the supply chain, so monitoring becomes even harder than it was for the direct third party. Furthermore, financial institutions have to ensure they use the right subcontracting language within their contracts, which is difficult to do when the rules themselves contain so many ambiguous terms. Does 'good governance' of third parties mean organisations have to oversee fourth, fifth and sixth parties, and where do you stop?
Finally, one of the main concerns that research participants raised was the relative immaturity of third party risk management, and in particular of its processes. Although third party risk has recently become a focus in the UK and Europe, it appears to be nowhere near as developed as across the Atlantic in the US, or even in Asia. Because it is such a comparatively new area, the question of what third party risk management actually represents came up quite regularly. The FCA's SYSC 8 rules ask firms to provide 'good governance' and 'reasonable oversight' of third parties, and some research participants raised concerns over what these terms actually mean. How reasonable is 'reasonable oversight'? What does 'good' governance actually mean? Along similar lines, third party risk professionals reported that, as the discipline is so new, the supporting systems and data are not fully developed. This of course makes it a lot harder to navigate third party risks, and in particular to monitor and manage them effectively.
Overall, the increased regulatory scrutiny in the UK and Europe in recent times has made third party risk a more prominent area of focus within the financial industry. The research certainly highlighted some ambiguity of language within the SYSC 8 outsourcing rules, but this perhaps reflects the fact that institutions in the UK and Europe are only just starting to get to grips with the challenges that third parties pose, and with how best to mitigate and govern those risks effectively.
The challenges above, and many more, will be addressed at the Center for Financial Professionals' Vendor and Third Party Risk Europe Summit, where senior vendor and third party risk professionals will come together, with a keynote address from the FCA, to review vendor and third party outsourcing for better management, understanding and regulatory compliance.