Protecting FSIs as risk management stakes grow
Senior FSI risk professionals respond to the Expanded Interagency Guidance for Third-Party Relationships
Global CeFPro® Research Whitepaper | Protecting FSIs as risk management stakes grow | April, 2024 1
April, 2024 Global CeFPro® Whitepaper
Supported by:
Contents
About CeFPro 3
About Interos 3
Executive Summary 3
New guidelines raise the profile of FSI governance teams 4
Risk professionals respond to a heightened risk landscape 5
Emergence of fintech third-party relationships 7
Protecting FSI business objectives in the new risk era 10
Conclusion 10
Table of Figures
Figure A. Reported asset value of respondents’ institutions 4
Figure B. Range of respondents tasked with implementing/following interagency guidelines 4
Figure C. Perceived consequences of non-compliance with the 2023 guidelines 5
Figure D. Estimated additional investment costs for regulatory compliance 5
Figure E. Parties/tiers included in TPRM programs and monitored for risk across the third party lifecycle 6
Figure F. Expected impact of the interagency guidelines 6
Figure G. Reported number of fintech relationships per respondent surveyed 7
Figure H. Frequency for monitoring of ‘fintech’ third parties/suppliers 8
Figure I. Level of due diligence required when working with fintech partners/third/fourth parties 8
Figure J. Risk intelligence-gathering tools 9
About CeFPro:
The Center for Financial Professionals (CeFPro) is an international research, events, and media company. CeFPro is the focal point for all risk, technology, and regulatory professionals, and is advancing the profession through renowned thought leadership, knowledge sharing, unparalleled networking opportunities, industry solutions and lead generation. CeFPro is driven by, and dedicated to, high-quality and reliable primary market research. This market research allows us to provide a range of services, from our excellent portfolio of peer-to-peer conferences, live interactive webinars, and international surveys, to a host of industry-led content, iNFRont magazine, and a membership area for industry figures to connect.
About Interos:
Interos is the AI-first supply chain resilience company – creating the most trusted and transparent supply chains in the world. Our pioneering scoring and relationship discovery technologies enable customers to automate risk assessment, detection, and response. As the world’s only fully automated supply chain resilience platform, we protect organizations from regulatory violations, unethical labor, cyber-attacks, bankruptcy, catastrophe, and other supplier vulnerabilities. Interos serves a variety of commercial, government, and public sector customers around the world.
Executive Summary
• The final interagency guidelines increase regulatory oversight of an expanded set of third-parties, including ventures, fintech relationships, and business partnerships. This will significantly impact the financial services industry, which is facing increased digital supply chain attacks.
• Impacts may be most significant for institutions with less mature TPRM programs. These impacts stem from the need to scale their TPRM programs quickly to monitor and report on this extended definition of third-parties. More mature institutions will also need to bring these parties under formal TPRM management to ensure compliance with evolving regulatory expectations for third-party monitoring.
• While most survey respondents express confidence their existing TPRM programs will satisfy new guidelines, they also acknowledge regulators’ heightened sense of seriousness in holding institutions accountable for third-party risk across the FSI value chain. Eighty-six percent of institutions expect to face significant consequences for non-compliance, and 54% also cite brand and reputational damage as a likely consequence.
• The surveyed respondents demonstrate a well-defined onboarding due diligence process. However, there are clear gaps in ongoing monitoring, with more than 50% of respondents reporting annual or ad hoc assessment cadence of their fintech relationships.
• Despite increased regulatory demands, TPRM teams report limited budgets available for establishing processes to comply with these guidelines. They need to do more with less.
• In summary, institutions must prepare for a more consistent and rigorous supervisory engagement concerning TPRM. They must drive the necessary enterprise change to improve the efficiency and effectiveness of their TPRM operating models to pre-empt third-party risk and disruption that cost the global economy $2 trillion annually.
New guidelines raise the profile of FSI governance teams
In June 2023, the three main regulatory bodies responsible for U.S. Financial Service Industry (FSI) risk and compliance—the FDIC, FRB, and OCC—came together to publish the final standardized Interagency Guidance for Third Party Relationships. This guidance replaces previous rules around managing third-party risk and provides a supporting third-party risk management program (TPRM) framework.
Figure A. Reported asset value of respondents’ institutions
The new guidance establishes several key principles, including:
• Standardized guidance and elevated oversight with important implications for institutions lower on the TPRM maturity scale.
• Maintaining a comprehensive third-party inventory underpinned by a sound TPRM framework.
• Increased oversight of risks from relationships with new digital-first players and innovative services provided by Fintechs or Banking-as-a-Service organizations.
• An expectation that institutions will work with third-parties to manage critical fourth-party/sub-contractor relationships and minimize risk.
• Importance of taking a risk-based approach that modulates due diligence intensity and monitoring based on the risk and criticality of the relationship.
The increased oversight set out in these guidelines significantly raises the profile of TPRM teams. To better understand the response of FSI TPRM risk practitioners to this additional scope and pressure, Interos asked the Center for Financial Professionals (CeFPro) to conduct a research study. Data was collected from senior risk management professionals at key banking organizations ranging in size from those with less than $1bn to those with over $100bn of assets under management. Nearly half of respondents worked at organizations with over $100bn. Moreover, 76% of respondents were directly responsible for, or tasked with implementing, the interagency guidelines as part of their remit.
Figure B. Range of respondents tasked with implementing/following interagency guidelines
Figure A (data): Less than $1B: 20.41%; $1B – $49B: 28.57%; $50B – $100B: 8.16%; More than $100B: 42.86%
Figure B (data): Yes: 75.51%; No: 24.49%
Risk professionals respond to a heightened risk landscape
For the time being, regulators are focused on FSIs’ commitment to enhancing third-party risk management processes. The industry acknowledges regulators’ increased urgency in holding institutions accountable; the industry is expecting enforcement actions and fines to be the top two consequences of failing to meet the guidelines. Other issues explored in the survey are the likely additional costs of increased compliance activity and the types of third parties to feature in current TPRM programs.
Consequences of non-compliance
The consequences of non-compliance are a key issue for banks as they align their processes to the new recommendations.
Sixty-eight percent of survey respondents see increased enforcement action as a likely outcome of non-compliance, with just over 61% expecting regulatory fines to increase as a result. Elsewhere, 54% of respondents rated brand and reputational damage as a likely outcome of non-compliance. Third-party breaches and data leaks have significantly impacted the reputation of banks in the past, firmly establishing compliance and security protocols as key aspects of brand identity.
Approximately 40% of respondents named operational disruption as a consequence of non-compliance, although industry leaders appeared reasonably confident in their programs’ abilities to mitigate risks. Only 14% of respondents did not expect to face any significant consequences from non-compliance, possibly because the guidelines are currently non-binding and lack enforcement protocols or penalties.
Estimated additional compliance costs
Larger organizations (approximately 43% of those surveyed) have more mature programs, more capacity to implement change, and are therefore better able to absorb the additional costs of compliance. By contrast, those indicating higher investments (amounting to the 10% of organizations who anticipated a spend of $5–10mn, or over $50mn) could indicate smaller firms with less mature programs who need to expand into new capabilities, rather than build on current processes.
Seventy-five percent of respondents are either investing $100–500k, or not anticipating any additional investments. This could indicate budgetary challenges securing resources for more stringent supplier monitoring, with any budget being allocated to ‘extra resource’ rather than towards the implementation of new processes or tools.
Broadly speaking, the industry is expected to either do more with less or, at best, more with the same.
Figure C. Perceived consequences of non-compliance with the 2023 guidelines
Enforcement actions: 67.86%; Fines: 60.71%; Brand/Reputational damage: 53.57%; Operational disruption: 39.29%; Lost revenue: 17.86%; I do not expect to face any significant consequence from non-compliance: 14.29%; Other: 7.14%
Figure D. Estimated additional investment costs for regulatory compliance
We do not anticipate making additional investments: 28.57%; $1 – $500k: 46.43%; $501k – $1 million: 3.57%; $1 million – $5 million: 10.71%; $5 million – $10 million: 7.41%; More than $50 million: 3.57%; $10 million – $20 million and $20 million – $50 million: no value shown in the source figure
Parties that make up an FSI TPRM program
In the survey, 96% of respondents stated that they actively monitor third-parties for risk across their lifecycle. Monitoring of third-party service providers, fourth-parties, and third-party affiliates/subsidiaries are included within the third-party lifecycle for 68%, 64%, and 61% of respondents, respectively.
Notwithstanding relatively high percentages across the board, the survey does reveal gaps in the approaches taken. The interagency guidelines go beyond the above parties to include third-party partners and third-party joint ventures and broader business arrangements within the scope of a TPRM program. Yet significantly fewer respondents (46% and 43% respectively) indicated they were monitoring these.
In addition to third-parties, 64% of respondents state their TPRM programs extend oversight to fourth-parties within their lifecycle. Industry experts expect this trend to intensify, as regulators enhance scrutiny of fourth-parties, aligning them to current standards applied to third-party risk.
Approximately 18% of respondents report that fifth-parties are incorporated as part of a third-party lifecycle, and 11% of respondents state that they also include sixth-parties (and beyond). This is surprising given that regulators do not currently look deeply beyond fourth-parties. However, both instances are expected to rise in the future as regulators broaden the definition of multi-party involvement. To get ahead of this dynamic, FSI organizations should ask themselves where the regulators will stop, and at what point monitoring across the extended supply chain lifecycle becomes unachievable.
Overall Impact
Overall, the industry demonstrates a level of confidence in the durability of TPRM frameworks, with almost 54% of respondents stating that they expected the interagency guidelines to have a low impact on their organizations.
Many organizations already have defined programs to manage third-party risk and believe the guidance will not change their trajectory. Approximately 35% of respondents expect the guidelines to have a moderate impact. Given many organizations already have mature, or relatively mature, TPRM programs, the question of how to include third-party arrangements such as joint ventures, affiliates, and business partners is more likely to affect smaller organizations with less mature strategies.
Significant impact:
Our current TPRM framework enables basic information gathering and screening processes, with limited monitoring and periodic reassessment – we will have to make major/wholesale changes to our TPRM program.
Moderate:
Our current TPRM framework enables moderate information gathering which includes financial stability information and regulatory compliance checks, with some ongoing monitoring and regular assessments - we will have to make moderate changes to our TPRM program.
Low:
Our current TPRM framework enables continuous monitoring, regular reassessment, and detailed reporting – we will only have to make minimal changes to our TPRM program.
Figure E. Parties/tiers included in TPRM programs and monitored for risk across the third party lifecycle
Third parties: 96.43%; Third party service providers: 67.86%; Fourth parties: 64.29%; Third party affiliates/subsidiaries: 60.71%; Third party partners: 46.43%; Third party joint ventures: 42.86%; Fifth parties: 17.86%; Sixth parties (and beyond): 10.71%
Figure F. Expected impact of the interagency guidelines
Significant impact: 11.54%; Moderate: 34.62%; Low: 53.85%
Emergence of fintech third-party relationships
As part of a significant global policy shift, guidance is starting to hold fintechs accountable for compliance. The inclusion of Business Arrangements and broader third-party entity scope—such as joint ventures, affiliates, and so on—along with ramped-up fintech oversight, has contributed to a heightened awareness that regulatory action is a very real risk.
Despite these pressures, many financial organizations continue to operate with limited visibility into multi-tier relationships that increasingly support distributed financial services. These are potential weak links in their digital supply chains that bad actors exploit to gain access to parent company systems. Regulators in the U.S., Europe, Canada and elsewhere are not waiting for enterprises to catch up. Already they are mandating visibility into hidden third-party risks that can compromise sensitive customer data and continued service delivery.
Focus on fintech
Many organizations have been including fintech relationships in their TPRM programs for some time. Now, however, regulators are subjecting fintechs to increased scrutiny. Approximately 44% of respondents in the survey state their organizations have relationships with 1–10 fintech firms, with an additional 22% of respondents reporting theirs to have 11–30.
The risks posed by fintech companies, and fintech partnerships have increased in focus recently due to continued volatility across the sector. 2023 saw multiple bank closures and the issuing of consent orders and fines, leading to uncertainty across the industry on the future of fintech collaboration and partnerships.
As a result, regulators are ramping up restrictions to enhance the resilience of banks and reduce third-party-related risks. Banks such as Blue Ridge and Cross River, for example, have been ordered to offboard fintech relationships. Some organizations are restricting themselves to a small number of high-quality fintech partnerships to offset the risk while keeping some of the benefits of working with fintech companies. Other organizations are focusing on strengthening vetting and approval processes for fintech relationships, intending to form sustained and high-quality partnerships.
Figure G. Reported number of fintech relationships per respondent surveyed
1 – 10: 44.44%; 11 – 30: 22.22%; 31 – 50: 3.70%; More than 50: 18.52%; Don’t know: 11.11%
Monitoring fintechs
The survey also explores the frequency of monitoring fintech third-parties. Forty-one percent of respondents claim to monitor annually, compared with 37% who report it is a ‘continuous’ process. Most of the risk professionals surveyed expect the number of organizations reporting ‘continuously’ to rise in the coming year, in line with increased monitoring of all third-party relationships. Others in the survey opt for a third option that merges the first two approaches. This option is a mix of complex annual reviews ‘topped up’ by additional quarterly, monthly, or weekly oversight.
Periodic monitoring of this type falls short of what’s needed in today’s dynamic risk landscape and could spark yet more rigorous due diligence processes. Organizations may, for example, be asked to conduct multiple reassessments to ensure standards are maintained, before evolving to advanced capabilities such as continuous monitoring.
Fintech business models typically advance at a faster rate than more traditional organizations. Their associated risk landscapes change rapidly and require consistent oversight. It’s likely that the 37% of respondents who say they operate a continuous monitoring program are working with a smaller number of suppliers compared with those with larger-scale programs. Disruption can come at any time, in many guises, meaning organizations must consistently evaluate their inherent risk exposure to their full supply base, tailoring ongoing risk mitigation activities in line with proactive sub-tier risk assessments.
Fintech due diligence
The survey also analyzes the level of due diligence organizations believe is required for fintech third- or fourth-parties. Regular assessments are crucial due diligence practices involving on-site visits, audits, and detailed reporting. Almost 63% of respondents state that fintech third/fourth-parties require ‘high-risk’ and ‘comprehensive’ due diligence.
Low-risk due diligence: Applicable to relationships with low inherent risk. Requires basic information gathering and screening processes. Limited ongoing monitoring and periodic reassessment.
Moderate-risk due diligence: Applied to relationships with a moderate level of inherent risk. Involves more in-depth due diligence, including financial stability assessments, regulatory compliance checks, and possibly site visits. Ongoing monitoring is more frequent and may include regular assessments of the third party’s performance and risk profile.
High-risk due diligence: Comprehensive due diligence involving thorough assessments of financial health, cybersecurity practices, regulatory compliance, business continuity plans, and more. Continuous monitoring and regular reassessment are crucial, often involving on-site visits, audits, and detailed reporting.
Among the risk professionals surveyed, fintech relationships are generally considered to be higher risk, yet most companies do not continuously monitor them but instead rely on periodic monitoring. This raises questions about whether such methods are effective enough for such fast-evolving organizations that are responsible for millions of digital transactions daily. ‘Monitoring’ also applies to global events and geographies and their impact on third-parties and supply chains. The events of 2023, which included the collapse of multiple banks, resulted in enforcement action to offboard several risky relationships.
Figure H. Frequency for monitoring of ‘fintech’ third parties/suppliers
At contract start: 7.41%; Annually: 40.74%; Biannually (twice a year): 3.70%; Quarterly: 3.70%; Weekly: 3.70%; Continuously: 37.04%; Ad-hoc/As-needed: 3.70%
Figure I. Level of due diligence required when working with fintech partners/third/fourth parties
High-risk/comprehensive due diligence: 62.96%; the remaining two values shown in the source figure are 29.63% and 7.41% (their category labels are not recoverable from the extracted page)
Many organizations appear to be well-equipped to manage fintechs’ inclusion in their third-party risk management programs. Others, however, may lack the resources to reach the required levels of continuous monitoring. Fintechs typically pose a higher risk than other vendors as their technology is not always fully understood or mature. That said, if their infrastructure has limited (or no) access to data, then they may be less of a risk. Therefore, treating all fintechs as ‘high-risk’ and requiring the same level of monitoring and due diligence may not be a practical or workable approach.
The survey also reviews how organizations gather risk intelligence on critical fintech fourth-parties or subcontractors. A large majority (81%) picked vendor management, where organizations continue to maintain relationships to retain their access to data and information.
Contractual obligations with third-parties or partners and oversight of fourth-parties—even if not directly contracted— are also rated highly for gathering risk intelligence. Updating contractual specifications to include fourth-parties, and by extension fintechs, can enhance oversight and aid in risk intelligence gathering.
Organizations are increasingly conducting due diligence on fourth-parties to better identify and manage risk across the third- and fourth-party ecosystem. Many technologies, tools, and solutions are used to complement information not available through the vendor management process or direct contractual obligations. Nevertheless, there is greater scope for FSIs to leverage more threat assessment, cybersecurity, data analytics and GRC tools—used by less than half (44%) of organizations surveyed—for greater resiliency.
Figure J. Risk intelligence-gathering tools
Vendor management: 81.48%; Contractual obligations with partners: 66.67%; Questionnaires/Surveys: 66.67%; Due diligence tools: 62.96%; Technology solutions: 44.44%; Contract management systems: 44.44%; Cybersecurity/Threat assessment tools: 44.44%; Data analytics/AI platforms: 37.04%; GRC software: 29.63%; External consultants: 14.81%
Protecting FSI business objectives in the new risk era
Regulations are expanding beyond the oversight of direct third-parties, placing a greater focus on fourth- and fifth-parties, including fintechs. This requires FSIs of all sizes to develop proactive and comprehensive third-party risk management approaches that minimize risk and protect business objectives. Yet less than half the respondents in our survey incorporate next-generation threat assessments, data analytics, AI platforms or GRC technologies for this purpose. Organizations can uplift their use of advanced risk technology to strengthen resilience, protect profitability, and safeguard their reputation.
Interos enables a dynamic, data-driven, risk-based approach to third-party risk management anchored in trusted, transparent, and continuous risk intelligence for FSIs. Our award-winning platform establishes Visibility of your multi-tier ecosystem with actionable insights, offering unparalleled data mapping, monitoring, and standardization of risk domains. By emphasizing Materiality, Interos enables risk teams to configure bespoke risk models aligned to your unique and critical supplier business objectives. Interos also integrates with existing workflows and operations to ensure the Actionability of multi-factor risk intelligence at speed and scale. Next-generation resilience demands this level of materiality and actionability delivered through dynamic and tailored risk modeling.
Conclusion
As regulators continue ramping up scrutiny of risk in FSIs and third-party gaps, oversight of outsourcing activity across the digital supply chain is an urgent business imperative. It is essential for organizations to cure gaps in their risk management strategy. With the right solution, it is possible to empower governance teams with the security intelligence and technology necessary to monitor and self-administer risk, eliminating bottlenecks in decision-making. By providing broad, reliable insight from enriched overlaid data, TPRM teams are empowered to manage risk spanning ESG, core processing, payments, and reputational concerns across all layers of the supply chain—from outsourced vendors and solution providers to legal—with all the relationship insight and clarity necessary to take control of risk for competitive advantage.
Join our global online community at www.cefpro.com © 2024 Center for Financial Professionals®, All rights reserved
No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Center for Financial Professionals (CeFPro®).
The facts of this report are believed to be correct at the time of publication but cannot be guaranteed.
Please note that the findings, conclusions and recommendations that CeFPro delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. CeFPro accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis.
CeFPro® is a Trade Mark of Center for Financial Professionals. Unauthorized use of Center for Financial Professionals’ (CeFPro®) name and trademarks is strictly prohibited and subject to legal penalties.
CeFPro® is a registered trademark of Centre for Financial Professionals, registered in the UK.