Third-party risk management remains a top priority for US federal and state regulators, who have recently imposed enforcement actions against financial institutions. This resulted in millions in civil money penalties for violations of the Bank Secrecy Act (BSA) and for weak third-party risk management controls.

Recent actions illustrate that regulators are increasingly holding financial institutions accountable for their third-party relationships, including fintech entities. Regulatory agencies expect that institutions are establishing risk-based practices to conduct adequate due diligence on these third parties and continually monitor, assess and control the risks of these relationships.

Financial institutions must meet higher risk management standards

Throughout the last 18 months, regulators have stepped up their focus, issuing detailed guidance and several consent orders and on third-party risk management.

In June 2023, The Office of the Comptroller of the Currency (OCC), Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC) released interagency guidance on third-party risk management for financial institutions. This guidance is to be used as a roadmap that lays the foundation of regulatory expectations. It aims to effectively manage risks associated with their third-party relationships and best practices.

Less than a year later, the OCC issued a consent order against a south Atlantic regional bank after identifying weaknesses in its third-party risk management program.

The FDIC determined a northeast fintech engaged in unsafe and unsound banking practices. It issued a consent order relating to, among other things, the bank’s failure to have internal controls and information systems appropriate for its size. The order also addressed the nature, scope, complexity and risk of its third-party relationships.

The FDIC also issued a consent order instructing a midwestern regional bank to develop appropriate policies and procedures for third-party risk management. It also called for the improvement of due diligence and monitoring of third parties who complete anti-money laundering (AML) and countering the financing of terrorism (CFT) responsibilities.

Third-party risk management is critical to financial crimes compliance (FCC)

Institutions often rely on third-party service providers to run their FCC controls. Historically, third-party services were limited to identifying negative news, sanctions screening and transaction monitoring. Recently, these services have expanded to include processes such as customer identity verification, electronic data proofing, generative artificial intelligence in enhanced due diligence case management, alert investigations and risk assessments.

Institutions might have stringent ongoing internal process monitoring. However, without extending those standards and practices to third parties, firms risk onboarding the wrong customer, closing the wrong alert, or failing to file a suspicious activity alert. Institutions that conduct adequate due diligence or periodic vendor risk assessments can avoid compliance risks introduced by third parties.

Despite the benefits gained from using third parties, it is essential that financial institutions recognize retain and manage FCC risks imposed by third parties. To do this, they must implement a third-party risk management program that facilitates managing risks and monitoring third parties’ activities to help ensure compliance with their regulatory obligations.

Third-party risk management program best practices

The lifecycle for helping ensure adequate oversight and management over third-parties incorporates three key risk management components: due diligence review, ongoing monitoring and risk assessments.

Due diligence review (prior to third-party onboarding):

Many financial institution scan enhance their standard compliance review as part of due diligence during the contract phase with a new third-party relationship. As described in recent interagency guidance, this includes evaluating the effectiveness of a third party’s overall risk management, including policies, processes and internal controls. It also involves checking their alignment with the policies and expectations surrounding the activity.

Due diligence should also include a review of the technologies they employ to verify whether the party is potentially introducing new or other risks. The financial institution’s compliance unit can conduct initial testing to check the quality of the services provided. This is also done to help ensure that the third party is set up to operate within the risk tolerance threshold of the institution.

Ongoing monitoring:

The interagency guidelines establish standards for information security, safety and soundness for ongoing monitoring of best practices. Regulators expect financial institutions to monitor third parties’ performance throughout the relationship. This is done to help ensure they perform to expectations, identify any necessary changes in the relationship, and enable resulting changes to risks and their controls. Key risk management activities in the ongoing monitoring phase include:

• Monitoring key risk indicators (KRIs) and key performance indicators (KPIs) to confirm the quality of continuing third-party services.
• Reporting metrics to the appropriate governance committee or BSA officer regularly.
• Conducting appropriate testing.
• Investigating and determining the root cause, as well as monitoring remediation if KRIs or KPIs are breached.
• Monitoring risks, issues and concerns from the third party, as well as adherence to service level agreements.

Risk assessments:

A financial institution can better determine its risk profile to more accurately identify financial crime compliance risks by enhancing existing annual AML and BSA risk assessments.  They can identify risks imposed by third parties and introduce controls to mitigate the risks. They can also map relationships to regulatory requirements and document key third-party data points.

Not all third parties can warrant as much due diligence and monitoring, but an assessment of overall third-party risks can help an institution determine the appropriate risk-based approach.

Improve third-party risk management with IBM® Promontory

Our team of subject matter experts improves and enhances third-party risk management programs. Our advisory services can help your organization assess third-party risk management policies and procedures. We can also assess your AML program’s coverage of third-party risk management to help ensure they are commensurate with your organization’s risk tolerance.

IBM Promontory can help you develop an AML due diligence and ongoing monitoring program to maintain compliance with AML laws by third parties acting on behalf of your organization. IBM Promontory can assess your contract templates used with third parties to help ensure they address AML controls. Also, IBM Promontory can develop governance, reporting and risk mitigation procedures for third parties that have a role in running AML controls.

In collaboration with IBM, IBM Promontory is uniquely positioned to provide automated data analysis, AI-generated summaries and clustering, and AI-powered reporting. IBM watsonX™ Discovery can analyze large amounts of data related to a third party, including due diligence information, transaction records and organizational documents. The tool can identify patterns, anomalies and relationships that might not be apparent to human analysts. It can also provide visualizations and summaries. This function enables the discovery of key factors involved in due diligence and risk rating.

IBM Cloud Pak for Data® can assist in summarizing and clustering third parties based on their data, risk ratings and other relevant factors. The tool can also provide recommendations for addressing the underlying issues, such as enhanced monitoring or offboarding. IBM Cognos® Analytics can generate detailed reports on third-party trends and patterns, which can inform senior management, regulators and other stakeholders.

Regulators have made it clear that they are focusing on how institutions manage third-party, financial-crime risks. Financial institutions need efficient and effective programs in place to conduct due diligence on third parties and continually monitor, assess and control the risks that stem from these relationships.