Potential risks from external vendors, service providers, and partners—collectively known as third-party risks—are becoming a growing concern for banks, according to Alex deLaricheliere, strategy and execution leader and banking subvertical leader at WTW.
As banks continue to outsource more functions and services, third-party risk management is taking on a more critical role in their overall risk strategies. While managing vendor risk is not new, it has become essential as banks look to balance operational efficiency with heightened risk exposure.
Third-party risks for banks include a variety of threats, such as operational, cybersecurity, compliance, and legal risks.
DeLaricheliere said that when banks rely on external providers for key services, they expose themselves to these risks indirectly, making it essential that their risk management frameworks extend to include third-party oversight. Banks must carefully monitor their partnerships to mitigate these risks effectively.
Increased regulatory scrutiny has also driven the importance of third-party risk management. DeLaricheliere said that regulators such as the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Consumer Financial Protection Bureau (CFPB) now emphasise the need for banks to implement robust vendor management programmes.
These agencies require banks to have clear policies for evaluating, monitoring, and managing third-party relationships.
Key strategies for managing these risks include conducting comprehensive due diligence before onboarding third parties, establishing clear contractual agreements that detail liability allocations, and continuously monitoring high-risk vendors.
DeLaricheliere highlighted the importance of business continuity plans that address potential failures by third parties, ensuring that banks can respond promptly to disruptions.
A significant component of due diligence, according to deLaricheliere, is assessing the cybersecurity practices of vendors. Banks must ensure that third parties have adequate data protection measures, such as encryption, access controls, and secure data storage. Conducting regular assessments of a vendor’s ability to prevent and respond to cyber threats is also a key part of the onboarding process.
Many banks have adopted risk management software to help streamline the process of overseeing third-party risks, deLaricheliere said. These tools can reduce the operational, financial, and administrative burden of monitoring vendors.
By using software to track performance metrics, compliance status, and risk indicators, banks can better manage their third-party relationships and reduce potential exposure.
Managing third-party risks has become more complex as outsourcing trends accelerate within the banking sector. Banks are increasingly outsourcing key functions, including technology, compliance, and customer services, to reduce costs and improve operational efficiency. However, the complexity and importance of these outsourced functions introduce new risks that must be managed carefully.
DeLaricheliere said that as regulatory oversight continues to evolve, banks face new expectations and compliance obligations related to third-party management. These requirements necessitate a flexible and adaptable approach to risk management.
Globalisation adds another layer of complexity, introducing cross-border risks, new regulatory challenges, and cultural differences. DeLaricheliere said that banks must adopt "living" risk management strategies that can adapt to evolving threats and changing regulatory mandates.
Enhanced due diligence is particularly important when dealing with international third parties, as these partnerships often involve additional risks.
To address these challenges, deLaricheliere highlighted several best practices observed in the industry. A clear governance structure is critical, with defined roles and responsibilities for managing third-party risks. Many banks have implemented vendor management offices or vendor risk management practices staffed by employees responsible for overseeing these relationships.
Ongoing training and awareness for employees, particularly those directly involved in third-party management, is also crucial. DeLaricheliere emphasised that employees need to understand the importance of mitigating these risks and be equipped with the necessary skills and knowledge to manage third-party relationships effectively.
Finally, integrating third-party risk management into the bank’s broader enterprise risk framework is essential for a comprehensive approach. DeLaricheliere said that by embedding third-party risk management into the overall risk strategy, banks can more effectively identify, assess, and mitigate potential risks across the entire organisation.
“Managing third-party risk effectively requires a proactive and systematic approach. By implementing robust due diligence, monitoring and risk management practices, banks can mitigate the potential impacts of third-party failures and ensure the resilience of their operations,” deLaricheliere said.