Today’s global banks and asset managers seek out technology rationalization and cost reduction wherever possible, and increasingly, this includes farming out back-office processes to external providers, which should lead to a slimmer and more manageable
stack, with more internal attention paid to value-added activities, better data management, and potential millions in annual savings if conducted effectively. For many firms, however, crucial processes around vendor due diligence, onboarding, reassessment,
and offboarding frequently fall short.
Financial institutions continue their post-crisis drive toward enterprise risk management, and nowhere is that more obvious than the relatively recent addition of risks associated with third-party technology vendors.
It’s no secret: Today’s global banks and asset managers seek out technology rationalization and cost reduction wherever possible, and increasingly, these moves include farming out back-office processes to external providers. In theory, this should lead to a slimmer and more manageable stack, with more internal attention paid to value-added activities, better data management, and potential millions in annual savings if conducted effectively. As a result, major IT transformation and digitalization projects today frequently feature some aspect of this tech redistribution. Fix the front by first reengineering the back.
Vendors in Flux
And yet, that same flux introduces significant challenges of its own—specifically, more relationships to oversee. While diverse areas of bank operations have pushed technology provision or even wholesale functions outside, the crafting and control of the
bank’s overall vendor estate has often developed more slowly—or been overlooked entirely. For many firms, crucial processes around vendor due diligence, onboarding, reassessment, and offboarding frequently lack enterprise-level standardization and a formalized
platform for monitoring these activities.
In one sense, this is understandable. Ops functions naturally interface with their vendors in different ways and at different speeds, depending on the particular need; its scope and urgency; and of course, the history and strength of the relationship coming
before. A global tier-one institution may be managing hundreds or even thousands of these decisions at a given time, often in local offices and jurisdictions that have unique idiosyncrasies around engagement. And it’s fair to say that vendor risk was far from
top of mind for the CRO’s office, post-2008. Third-party risk management remains a young and growing discipline.
Still, a larger set of vendors combined with inadequate vendor risk management quickly adds up. A recent study by Celent found that financial institutions are spending almost $750 million per year struggling through vendor risk and due diligence, including nearly $4 million in average annual spend among the top 50 alone. As a result, the mindset is shifting. Banks are moving third-party risk management away from its traditional corner in the procurement office and under the enterprise risk umbrella, with operational oversight, stronger audit capabilities, and centralized vendor due diligence data to work from.
One simple reason why is clear: the focus on costs. Some firms find they have eroded the financial benefits of outsourcing by paying for duplicate (if typically ancillary) services delivered in two different areas of the firm. Essentially, they discover that one hand isn’t talking to the other even as they aim to improve operations organically.
But the punitive consequences for an institutional laissez faire approach have become the bigger worry. For one thing, Office of the Comptroller of the Currency (OCC) regulation has been in place since 2012 requiring banks in the US to audit their providers,
certify their suitability and document this due diligence. This has become all the more important in recent years as many of the largest cyber-attacks and data theft incidents have exposed vulnerabilities to major corporations caused by third-party technology,
and greatly expanded the universe of due-diligence questions to ask.
For another thing, newly introduced requirements from Europe’s GDPR privacy directive have made the work of offboarding external data management platforms far more complicated, as banks with a footprint in Europe now must demonstrate an ability to protect
and indeed “forget” clients’ personally identifying information (PII) when required, or face penalties.
As a result, contracts no longer simply “run out” as they would in the past. Instead, unwinding these vendor relationships means extensive time and care—telegraphed well ahead and under well-codified terms.
The objective is clear: faster on, cleaner off. Getting there, while managing all these new wrinkles and effectively risk-rating a far greater vendor ecosystem—encompassing agent banks, clearinghouses and custodians, and consultants, among others—demands a more holistic perspective from institutions.
And for the new third-party risk manager, it demands an end-to-end approach to vendor data to match.