Mark Stetler and Jim Freis of CRINDATA talk about third-party risk management, business continuity management, and incident management. What should financial institutions be thinking about with respect to these issues from both a business and a regulatory standpoint?
Video transcript
Mark Stetler: Hello, everyone, back with Mark Stetler and Jim Freis, CRINDATA. Jim, we talked about third-party risk management, and business continuity management, and incident management. We’re trying to cover a lot of ground here. What should financial institutions be thinking about with respect to these issues from both a business and a regulatory standpoint?
Jim Freis: There’s an aspect that’s been in place, and an expectation, now for close to two decades, that a bank, meaning its senior-most management, the C-suite, needs to understand its exposure in outsourcing, or relying on third-party service providers. A disruption among them would lead to material failure within the bank.
What’s changing is the increased dependency is a matter of fact, on external service providers, particularly, IT data, cloud service providers, etc., that means factually, there’s greater exposure combined with the more real-time world in which we live. When you were talking about a check is in the mail, and it may clear within a period of time, that’s very different from an expectation today that I’m sending money in real-time, and I want to see that it hit the other person’s account a nanosecond later.
That means that disruption of your services could be related to payments, it could be related to the account reconciliation, it could even be the user application that allows the interface for me to check my account balances that relies on an external service provider is down. That means I’ve had a disruption of the customer experience or my services to my customer. There’s de facto more exposure and more potential impact even from a shorter-term disruption of a service provider.
Mark: Having identified those, what next? What should they be thinking about? What should they be doing? How should they be reacting to the regulatory requirements?
Jim: Once you’ve understood that, the biggest difference from the past is related to the life cycle of ongoing oversight. It’s not enough to just once a year review critical outsourcing list, part of an underlying process, who the business lines to check the contracts, do due diligence, or update the due diligence file on the contractor. You need to have ongoing monitoring to see that there are not disruptions as part of your overall operational resilience function.
A big part of that is we can only initiate a business continuity plan, or address a potential incident when we know that there’s a problem. Sometimes that problem doesn’t manifest itself directly in the bank’s IT systems. If you, the customer can’t log into your account because of the reliance on the external service providers, the bank might not know that. Or if there’s an exposure of that customer data because the data was relying on a third-party service provider, or a subcontractor, the bank might have no reason to know that in its daily operations.
The focus has to be binding those service providers, and in turn, making sure the service providers to the extent that they rely on further subcontractors, what we might call fourth parties, that they have bound those parties, that in the event of an operational incident, there is prompt notification that goes up the chain to the bank that allows the bank in turn to evaluate the incident and meets the bank’s direct regulatory incident reporting requirements to its supervisor.
Mark: That sounds complicated. If you’re a reasonably large-size bank, when you’re relying on, let’s just say, a few dozen critical service providers, what is a bank– does it require contract amendments? Does it require outreach by the bank to their service providers? Every process is different, but in general, that’s going to require a bottom-up analysis, right?
Jim: It’s clear that banks have to rethink the exposure and their ability to react to an incident. The problem that we have is it’s a probability issue. We don’t expect with any service provider that there’s going to be material disruptions that have negative impacts on the banker, its customers, otherwise, we probably would not have chosen that service provider.
That being said, the more service providers that we have, combined with, as I explained before, this real-time expectation of service, it’s only a matter of time before one or more of those service providers, including through their dependency on subcontractor change, have a material outage. Put it another way, we’d like to quantify things, if you sign a statement of work with an expectation that you have even a 99.99% uptime, that is a tolerance that you could have a 0.01% downtime there.
You push that across 100 different vendors, or dependencies, that’s a 0.1% downtime, and we can move that on. The point is that it’s just a matter of time when you will have an operational incident. What that means is that it’s difficult to plan, and it’s difficult to predict both the entity and the timing, but frankly, it’s too late if you wait until the incident occurs to focus on the remediation. That’s inconsistent with the whole notion of business continuity, planning, operational resilience preparation. That’s basically, what we’re talking about here, that you should approach the question of incident management as part of your business continuity planning.
Mark: Let’s shift focus for a second. We’ve talked about the institutional view of the issues, but in our last session we spoke about how the regulators have, at least, in the banking sector, not necessarily in the corporate sector, where they’re moving on this third-party risk management as well, but in the banking sector, if you are serving an OCC or an FDIC bank, the regulators can come right to the service provider’s door under the Bank Service Company Act. What should the service providers be thinking about given the fact that they may not know it yet, but they have expanded regulatory risk in respect to incident management handling?
Jim: The service providers are hearing it already today, mostly from their banks. The banks conduct due diligence on the service providers and because the banks are more aware than the service provider community generally, of not just the new regulations, but the regulator focus, the regulators are now examining for the first ever time, starting now, may take you a year or two to get through the examination cycle when they come in with their new questionnaire and they’re deep diving on this subject.
In turn, that causes the banks to go back to the service providers, and say, “Hey, I like your service. It’s important to me, but now, I’m more focused than I probably was ever before on this aspect, when and if there’s a material outage, are you able to provide me with the information that I need in a reasonable amount of time so that I can turn around and meet my regulatory obligations?” Spending more time focused on the challenge that existed.
As a factual matter, as the industry, and interdependency and the subcontracting chain, gets more and more complicated, and evolves, focusing and drilling down with that subcontractor, with that third-party service provider saying, “I need to understand a little bit more the extent to which you subcontract out, where my data might be, what are some of the dependencies that you have with people that I don’t speak to ever potentially, because I don’t have a direct contact relationship with them? Nonetheless, a failure and incident among those entities could ripple up the chain and have a negative impact upon me as a bank and trigger my reporting obligations.”
Mark: We’re going to avoid nakedly marketing statements in these sessions because they’re really about information transfer from, what your brain has and what the regulators are saying. I do have to say, ask this question, which is, in a reasonably complex service provider, dozens of bank customers, or hundreds of bank customers, or a reasonably complex institution where you have dozens of critical third-party service providers, is there any real way to do this without a system? Can you do this on an ad hoc basis?
I think the obvious answer is no, it’s a little bit self-serving, given the fact of where we are in the market, but I have to ask the question because it needs to be asked, not only of us, but internally with respect to the institutions and the service providers. How do we do what we need to do without having a system in place?
Jim: This is not an issue that is a shock to any bank in a highly regulated industry with respect to virtually any aspect of your operations or meeting regulatory requirements. You should have an understanding of what the issue is and the risks that should be addressed in a policy and risk acceptance or an overall risk management framework. You should have your operational procedures, you should have the designated persons that are responsible or multiple persons that are responsible, and then the detailed processes in place.
The aspect of tracking and continually updating aspects of your critical dependencies and relationships for many people is probably done on a spreadsheet beforehand, and the biggest focus was when it went up to reporting to the C-suite or the board or upon request for an auditor or the regulator. It shouldn’t be reactive, or once a year in that regard, it should become a living type of document, and that’s the whole notion of the ongoing monitoring and oversight framework.
Then when we talk about incident reporting, the regulators continue to evolve the approach, but one of the most consistent statements that you will see is that the regulators are looking for a type of early warning, and if in doubt, they encourage you to notify. That’s about as strong as they’re going to say, other than when you are required to notify, but you should not spend a lot of time trying to parse, “Well, is this meeting a threshold?”
The whole idea is that operational disruption or potential operational disruption that you don’t know how quickly you can resolve it, or you don’t know the potential negative effects. Tell them, “Now, the after-action report is an entirely different requirement,” but the focus on prompt reporting, when the incidents occur, that’s what’s new here.
Mark: I guess the analogy of the metaphor that we’ve used in the past is without a systemic approach to incident management, with respect to your third parties. Not talking about internal incidents, but third-party and fourth-party management. Approaching that problem without a system is like waiting until the bank is on fire to try to find the fire hydrant, or the phone number for the fire department. It seems a little bit silly and simple, but then the question is, what is the best practice for preparing for incidents, which we all know are inevitable, we just don’t know where they’re going to occur in the risk chain? The answer is, have a system in place.
Jim: Again, for banks, and in particular for a chief risk officer, for people focused on operational risk management, this is something that we know from other types of risk areas in terms of business continuity management, scenario planning, testing, stress tests, that effectively do your own stress test. If we had an operational incident, a failure of one of our key service providers, can you answer the question, what would we do then? Do we expect? Do we reasonably expect that we would get prompt notice?
Well, you’re not going to get prompt notice if that’s not something that’s part of the service agreement with them. Is it in your contract? Do you know that they know whom to contact? You know who would receive that information? What would the recipient do with that information? Is it tied to an individual who might be on a holiday and cut off from the systems or someone who’s out with COVID, or is it going to get to the people that need that information?
Then what would they do in terms of escalating, addressing, referring it if necessary to the business continuity, people referring it as appropriate to those parties who are responsible for the evaluation and incident notification to the regulators? That’s all part of the processes and procedures that you would need. Banks can do that in different ways. They can have different titles and responsibilities, but they need to have processes to anticipate the ability to deliver on that and these are the questions that they should expect an auditor or regulator and examiner, to come in and be asking them the next time they knock on their door.
Mark: Okay, to summarize, I think what we take away from this is that the regulators are serious in virtual, in both depth and breadth. The FDIC, the OCC, are working on, and the Fed have published regulations, the ACC is working on regulations. In case we thought the worldwide regulators weren’t serious, the European regulators are going even in some cases a step further with respect to, and we can talk about this another time, but requiring lists of critical service providers be provided to the regulators and notice provisions.
Those regulations haven’t been developed yet, but suffice to say that we know the regulators are dead serious. We know that the institutions and service providers are going to have to stand up to the regulations, and it’s a good idea to plan for that in advance, rather than waiting until the auditor regulator finds you deficient in some respect. Fair enough?
Jim: Absolutely. The regulators are serious because this is a real risk to institutions….
Mark: Yes, justifiably so. Right. Okay. We’ll leave it there. Thank you, Jim. Thank you everybody for listening, and we’ll see you next time.