What Does Chain Risk Mean to You, and Why is It Important?

Jim Freis talks about chain risk and the subcontractor, sub-outsourcing relationship, and how understanding this chain is essential to proper regulatory due diligence.

It’s understandable for a financial institution, when it’s contracting with a specific service provider, that it should be asked to understand the risks and the nature of that service provider. But increasingly, service providers themselves will have some type of a subcontractor, sub-outsourcing relationship. This is particularly the case when we look at software providers moving from on-premise installations to a SaaS solution or a cloud-based solution, whereby you are not only relying upon the programmer who is then licensing you the software, but you have network connections, you have hosting environments, you have where the data is actually stored in a cloud environment.

These are multiple parties that effectively can be looked at as a type of sub-outsourcing chain in order to deliver the service, and for which multiple of those subcontractors could themselves be deemed a critical party in that delivery. Meaning that a failure of that subcontractor could detrimentally affect you, the financial institution, or your customers.

It’s a challenge, a known challenge, for the financial institutions and their regulators to do a type of due diligence, including ongoing monitoring, with parties with which, by definition, you have no direct relationship because they are a subcontractor. It’s also something that, outside of the regulated services industry, is a pain point for some of the service providers: to ensure these banking, regulatory-driven requirements are met by subcontractors that might not be specialized in the banking industry, or might provide a similar type of, for instance, hosting service for any parties, regulated for financial services or not.

So it’s a mindset and understanding shift. One of the aspects that CRINDATA helps service providers do is move this understanding in a structured way down the chain, help the service provider understand the requirements that its financial institution customers are meeting. And that’s a relief in many ways for the service provider whose core interest is providing the unique aspects of its services, not broad or regulatory due diligence services.