
International Requirements for Third Party Risk Management

Jim Freis, co-founder of CRINData, talks with John Maher about the requirements for third-party risk management. He first describes the different types of risk carried by financial institutions, then focuses on third-party risk as a specific type of operational risk and looks at how different jurisdictions are addressing it as business practices in the industry evolve.

Transcript

John Maher: Hi. I’m John and I’m here today with Jim Freis, Co-founder of CRINDATA, a FinTech startup supporting financial institutions and their service providers. Today, our topic is international requirements for third-party risk management. Welcome, Jim.

Jim Freis: Thanks, John. Great to be here.

Global Awareness Campaigns About the Risks of Relying on Third-Party Service Providers

John: Yes. So Jim, today we’re discussing how the focus on the risks of relying on third-party service providers for supporting business operations, particularly in the financial services industry, is part of a global awareness campaign across many jurisdictions. Can you provide me an overview of this and describe if there’s an international overview or if there’s different jurisdictions literally all over the map?

Jim: It’s a good question, John, because although every jurisdiction is different and has its own legal and regulatory framework, particularly as we talk about the financial services industry, there are attempts at harmonization, at least in terms of principles, and definitely it’s something that we see in the area of third-party risk management of looking at outsourcing risks and particularly the changes that we have due to technological innovation, IT service providers and cloud services. 

Neither cloud services nor alternative financial service providers, Fintechs, have the same historical connections to physical locations that we have, for instance, in bricks-and-mortar banking, so that means that regulators have to think in a different way about cross-border services and the need to harmonize an approach to those risks. Aspects of outsourcing risks, third-party risk management, are definitely moving in a more common international global direction.

How the Conversation About Outsourcing Risk Management Has Evolved Over the Years

John: You’ve had an international career in the financial services industry. Can you tell me a little bit more about that and then tell us from your perspective how the focus on outsourcing risk management has developed over time and where you see it going in the future?

Jim: Certainly. It’s something that I have had a lot of interaction with throughout my career, as in many cases the US financial services regulators, and particularly the banking regulators, were a leading force two decades ago pushing this for some of the bigger US banks and internationally active banks with a presence in the US, but they used the international coordinating bodies to get that word out.

The Basel Committee on Banking Supervision, when I was working in Basel, had spent some time looking at the specific issue of outsourcing risk, but in the context of increased focus over the past two decades on operational risk. Why do I say that? When we talk about the core business of banking and lending activities, lending is about managing credit risk that the borrower is going to repay that loan. If we’re talking about parties that are active in the markets, we talk about market risk, the value of securities or other instruments you’re buying will go up or down.

We talk about liquidity risk, and that’s literally, when you are a bank and you have many different depositors on one side of the balance sheet, whether you have enough money available when certain borrowers, wholesale or retail, come at the same time looking to withdraw certain funds. Those are traditional financial risks.

But increasingly, again, now something looking back to two decades of experience, the focus was on operational risks. That’s even when you have your financial risks well planned and managed, you need to implement them as well. And to implement them, you can have legal contractual aspects. You can have regulatory compliance risks, but in particular you have systems risks. It doesn’t matter how well thought out your plan is if your IT system goes down or you can’t execute that and you have the personnel that runs those systems, so that’s all an aspect of operational risk.

A unique but important subcomponent of that is this third-party oversight and third-party risk management, because when you as a financial services provider are relying on a third party to carry out something that for you is a critical or essential business activity, meaning that if it doesn’t work, it has an impact on your bottom line or a direct impact on your customers, you need to manage that as a type of operational risk and plan as part of your business continuity. That’s kind of the context in which the whole outsourcing framework grew in importance.

And in recent years, especially as I was working primarily based in Europe and global operations, the European Union has taken a very focused approach on modernizing and harmonizing across the EU member states, with the focus on outsourcing risk from the EBA, the European Banking Authority, and ESMA. The EBA and ESMA have put out a series of guidance in the past few years, and the Financial Services Board, the global entity that coordinates among financial services providers with a mandate from the G20 governance, they have taken up the issue of outsourcing risk in late 2020.

One of the most interesting aspects is that even smaller jurisdictions have come back and stressed the importance of a harmonized and coordinated approach to this very important issue because of the increasing reliance and integration of the financial services industry. So again, both driven from a changing risk profile in terms of business models with more and more exposure and also an increased awareness and a risk-based focus on this exposure, there is a true international focus on raising the bar, putting out more guidance on the aspect of third-party risk management and outsourcing. We’ve also seen that reflected in some revisions ongoing to the guidance and expectations in the United States.

Differences in Approaches to Outsourcing Risk Management in Different Jurisdictions

John: Okay. It really seems like the focus is growing in multiple places. How would you describe what’s similar versus what’s different across all of these different jurisdictions?

Jim: Similar is definitely the aspect of the importance of this third-party oversight as an aspect of risk management, that it’s risk-based, and that it is something that is at the very core to safe and sound practices, so no question in terms of the importance. One of the aspects that is different is how we think of data and location of data and partly this has to do with the factual aspect of the exposures. 

Europe, in particular, with a different data protection framework under the EU GDPR, the General Data Protection Regulation, has a more detailed focus as to where data is held. When we think of the cloud services and cloud storage of data, that is something that is somewhat of a difficult grasp. We’re talking about virtual servers and no longer physical locations, but because of the legal framework and the protection obligations, they have much more of a focus on where your third-party service providers are and where they’re storing data than you would have from the United States.

For smaller jurisdictions, they may realize that there’s dependency on some of the global companies that provide both technology as well as financial services, so you do have a little bit of an aspect of a difference based on the factual aspect and some of the sensitivities that impact larger versus smaller markets.

Challenges for Financial Institutions and Service Providers With Cross-Border Relationships

John: What do you think the challenges are for financial institutions and service providers that have cross-border relationships, where maybe they’re doing business in multiple countries and these different countries have different regulations and requirements and things like that?

Jim: We have to come back to the starting point that the aspect of risk and the risk that you’re supposed to manage in dealing with third-party service providers is that you don’t have the same level of control over a third-party that you do over your own operations. So when you’re outsourcing a critical activity or have a dependency on a critical service provider, that’s different from when it’s your own staff and your own team doing that directly. 

So as a practical matter, how do you exercise control? Well, it comes down to what you’ve agreed in your service contract, what the external party is providing you, what their service level agreement, SLA, says. And everything works well, or when everything is working well, you don’t have a problem, but that fine print is only there for when things don’t work well. When you’re dealing in a cross-border situation, you may have to actually enforce that contract and the dispute provisions.

And when you’re talking about a situation with an entity that is physically based elsewhere or based under a different country’s law, there can be different provisions that refer to that institution’s own risk management obligations, the access to that institution and potentially your data or information held with that institution by regulators, by government or law enforcement authorities, what the level of focus that entity has on business continuity management, what might be the implications if there were financial issues with that company, it goes bankrupt, it’s involved in uncomfortable discussions? It can happen in a different situation than what you might expect or you might be familiar with or which you might be able to enforce, if it’s around the corner, certainly again, a step down from if it’s within your own institution.

And when we’re thinking again about some of the privacy obligations or your confidential business data and understanding of your business being dependent on this entity, you’re going to have concerns or something that you need to take into consideration in your risk management. And of course, those aspects can also happen not just with your direct service provider; it can happen when there are further subcontractors or sub-outsourcers down the chain. Again, another set of legal requirements that are enforced through contracts that might be under a different framework than that which you as the originating entity are dealing with.

Recommendations for Risk Management, Especially in Cross-Border Contexts

John: What would be your recommendations in terms of risk management, particularly in this cross-border context?

Jim: The biggest thing is that you have to be proactive and you have to take into consideration these different potential implications for your risks from the very beginning. If you have extra risks or a different set of risks because of a cross-border relationship, then you need to attend to them in a different way than an entity that is under the same jurisdictional aspects, where those risks might be absent; you have different ongoing monitoring requirements.

And keep in mind that cross-border is something that is no longer so distant for us as we’re working in a digital economy. The aspects of Fintechs could be dealing with remittance payments, they could be dealing with cryptocurrencies. These are services, and for which there’s a lot of consumer demand, where the notion of traditional borders doesn’t really mean too much anymore, and both the global institutions and global service providers, in particular IT, are no longer focused on one jurisdiction.

It raises the importance of trying to come forward with a harmonized approach that makes sense for your business and the risks of your business, rather than dividing up between historical focus on different jurisdictions. Coming back to kind of the way we’d started this discussion, it really drives home the logic and the importance of a harmonized regulatory framework because if the principles and the risks are very similar, what the potential exposures are, then we shouldn’t reinvent the wheel in our risk management focus. It’s important to step back, find people who really understand some of these nuances and come forward with a strategy that makes sense for our business.

Contact CRINDATA to Learn More Today

John: All right. Well, that’s really great information, Jim. Thanks again for speaking with me today.

Jim: I really appreciate it and always looking forward to bridging this gap in the international context.

John: And for more information, you can visit the website at crindata.com. That’s a C-R-I-N-data.com.