Identifying Third Party Subcontractors for Financial Institutions

Jim Freis, co-founder of CRINData, explains the relationships financial institutions have with service providers and their subcontractors. He provides examples of these relationships, and he talks about how CRINData protects financial institutions from the risks inherent in these relationships.

Transcript

John Maher: Hi, I’m John Maher, and I’m here today with Jim Freis, co-founder of CRINDATA, a FinTech startup supporting financial institutions and their service providers. Today, our topic is identifying third party subcontractors for financial institutions. Welcome, Jim.

Jim Freis: Thanks for having me.

Fourth-Party Service Providers: The Subcontractors of the Service Providers of Financial Institutions

John: So Jim, today we’re focusing on how CRINDATA helps financial institutions and their service providers monitor possible further subcontractors supporting them. So can you explain to me first what you mean by subcontractors in this case?

Jim: We’re looking at financial institutions’ reliance on third party service providers, which itself is growing. Service providers themselves may in many circumstances also rely on other parties to deliver those services. So you actually need to think about it as not just a bilateral relationship between the bank and someone who’s delivering services, but a potential chain of parties involved to make that service happen. So some people refer to this even as fourth party service providers, but the problem is that you only have this direct insight and direct relationship with the party that you’re dealing with, your direct contractual partner.

Maybe one of the best ways to illustrate this is in the IT area, although it’s important to understand that this is not limited to IT services in the classic context. So banks are relying on IT and telecommunications and have been transformed over the generations like no other industry, but we went from a situation where banks would locally install software to now increasingly, like all other industries, cloud-based platforms, software as a service, platform as a service, hosting as a service.

And there’s a fundamental difference when you think of the software provider, whether they’ve given you a license for local installation versus hosting an aspect of the installation in the cloud. And that is usually that there’s other parties involved in that hosting, including some of the biggest providers of hosting services. So again, this tells you that not only could there be a problem with your software… Let’s use a situation in which there is an upgrade where, frankly, it doesn’t work as planned, which is a common occurrence in the industry. But you could also have a situation where the software is working exactly as planned, but there’s a disruption in the hosting service or the access to that hosting service. So that way, another link in the chain has been broken.

A further example I’ll give you is that many financial institutions, particularly smaller ones, rely on wholesale banks for delivery of their services. It could be a situation where they rely on another bank for international wire transfer, because they’re not directly involved in that activity on a day-to-day basis. That wholesale bank may itself rely on a range of service providers for carrying out those services. So again, you have, from the retail banks’ focus, a range of multiple parties, your direct service provider is the wholesale bank, as well as that wholesale bank’s service providers, which are subcontractors in this context, and you need all of them to work together to carry out a function that you’ve defined as critical to your financial institution business.

Risks of the Subcontractors of Service Providers

John: Right. I’m thinking of some recent cyber attacks that have disrupted what’s called the DNS servers that handle sort of the addressing of addresses on the web. And you know, those attacks bring down multiple sites all around the country, various different websites that companies rely on. And so what you’re saying is that you might be working with a third party tool that their software is running fine, but then their website goes down because of maybe a cyber attack like this, and you want to make sure that they have things in place so that they can get back up and running as fast as possible, so that then you can continue to use your tool as a financial institution, that sort of thing.

Jim: And this is exactly what we’re talking about when we say risk management, including the risks of subcontractors involving service providers. Because if you know that there’s reliance on these external parties, you can take that into consideration in your planning, and that’s why you’re asked to know. 

You can’t just not worry about that because then you’re essentially not understanding the risks. If you don’t understand the risk, how could you be in a position to accept them within your contractual risk-bearing framework? How can you bring this to the board of directors of your institution, keeping in mind that it’s a regulatory requirement that the board of directors needs to sign off on outsourcing of critical business activities and critical relationships?

Again, maybe think of a situation that many of us have been involved with in home renovations. You have a general contractor and that’s a good thing. They help bring together all of the different components, and they may subcontract for someone who is involved with the electrical work and someone who’s involved in the roofing work and someone who is involved in the plumbing work, all specialists in their area, but you’re dealing with the general contractor. Inevitably you don’t know who’s going to be involved, but there’s going to be some delay on one of those parties, and everyone seems to have their story of some type of delay. Then you wait for a matter of weeks and someone will say, “Well, I can’t install the wallboards because the person who’s supposed to do the behind the scenes utilities work has not finished their work.”

That works for us in building a house, but it’s not a good situation to find out when your customer service portal goes down and you have no access to the financial institutions for your customers, and then to find out that we were relying on some subcontractors that were not known to us. This is why it’s relevant and why you should proactively identify, understand, accept the risk, and try to monitor for these types of risks.

The Complexities of Dealing With Subcontractors

John: But doesn’t it make it really complicated to have to address the subcontractor issue and sort of understand who all the subcontractors of my contractors are, et cetera?

Jim: That’s exactly the point, that this is a known pain point for financial institutions. It’s enough work to keep on track of all of your direct service providers, but you rely on them to provide you information with respect to their subcontractor relationship, usually in a paragraph in the contract that no one goes back to after it’s signed, that they have to give you notification requirements. 

But this is exactly why CRINDATA offers a service to help the financial institutions in that regard, because we collect that information about subcontractor risk, put it as a priority. Especially for relationships that you’ve identified, it is critical. We’re constantly monitoring with respect to all of the identified subcontractors as well as the service providers, and that information, when it’s relevant, is something that we make available to the financial institution on a real-time basis.

How CRINData Helps Reduce Risks Related to Subcontractors

John: So tell me a little bit more about how the CRINDATA offering applies to subcontractors.

Jim: So first we start with the due diligence platform, and we collect the information that financial institutions have identified their service providers, including aspects of those where there’s a known subcontractor. And that’s something that we go back to the service provider and we seek affirmation of that information. While the financial institution or the service provider themselves who can rely on a range of subcontractors will naturally focus on their direct bilateral relationship with their contractual partner, we monitor all of the identified subcontractors across the universe of entities. 

So we’re doing the same level of ongoing monitoring with respect to all parties across the chain. This is particularly important when an incident occurs, because it’s too late to find out through the newspaper that there may or may not have been a subcontractor behind one of your service providers. It should be the type of thing that immediately flows through your alerting system as it does on our platform.

And one of the other aspects that’s critically important for financial institutions that is very difficult for them to see and identify today is whether you can have multiple dependencies, not necessarily directly on the service provider, that come back to you because of the risks of underlying subcontractors.

To put it a very specific way, let’s say that, as part of your services, you rely on a primary deliverer of one of your functions, such as payments, and as part of your business continuity plan, you have a secondary payment provider for the same services, a backup. But each of those two parties, your primary and your backup, rely on the same underlying subcontractor. If that subcontractor goes down, both your primary and your secondary are out of business. And that’s why it’s important to understand this holistically and as part of the overall risk management, and to see these dependencies across the industry. That’s one of the advantages of the industry-wide approach rather than a bilateral approach that we’re promoting, to give you this real sense of true risk management.

And again, the aspect of doing this in a proactive way is that you’re prepared for that unforeseeable event, and then you focus on addressing the issue, getting back to business, not on running down details that have been difficult for you to keep active. We keep that information ready for you in real time, so that you can focus on your risks.

Contact CRINData to Help Monitor Your Subcontractors

John: All right. Well, that’s really great information. Jim, thanks again for speaking with me today.

Jim: My pleasure.

John: And for more information, you can visit the website at crindata.com. That’s C-R-I-N data.com.