The coronavirus boosts the need for third-party payment risk
If there’s a silver lining from this crisis, it may be stronger partnerships between financial institutions and their regulators.
Regulators know that effectively managing financial and payments crime during this disruptive period is difficult. Some are even ceasing regular inspections or extending the time period for remediating supervisory findings. No regulator, however, will allow institutions to shirk their compliance duties.
One step financial institutions can take to strengthen relationships with regulators at this time is to map out all regulatory commitments and reporting requirements, then determine and communicate to regulators which they can complete in a timely manner. Another is to proactively and continuously communicate and document financial crime risk strategies and plans as part of their ongoing response to the crisis.
Banking is a relationship business. And this is a relationship-defining moment. Financial institutions should use this time to strengthen their partnerships with regulators.
In recent years, banks have increasingly joined forces with payment technology companies, fintechs and other third parties around the world to deliver new products and solutions to customers. There are many benefits: access to state-of-the-art technology, better operational management, and economies of scale.
But these relationships also reduce management’s direct control and can introduce new (or elevate existing) operational, reputational, compliance, and strategic risk.
More risk calls for more supervisory focus. Regulators have made it clear that outsourcing an activity or function does not relieve banks of their compliance responsibilities with all applicable securities laws and regulations. And they expect financial institutions to maintain comprehensive and rigorous oversight of these relationships, particularly ones that involve critical activities.
Today, bank dependencies on third-party providers and technologies have further increased, as they are needed to allow staff to work from home, gather, analyze, and secure data, and connect with customers remotely.
As such, being able to demonstrate an appropriate governance framework is even more critical. No matter how well prepared your own organization is, you’re reliant on your third parties that perform key functions to be just as resilient.
Therefore, banks should be increasingly vigilant about third-party risk management. This means strengthening your governance framework by making sure it addresses key questions about planning, selection, contracting, ongoing monitoring, accountability, and termination of third parties. Banks need to be confident that their suppliers and partners employ practices just as strong as their own.
With their privileged access to systems and data, insiders have the potential ability do more accidental or malicious damage than third parties or outside attackers. That threat increases at times of economic uncertainty, when some employees become disgruntled in the face of budget cuts and layoffs and others consider insider crime as a way to mitigate losses. It is important that institutions strengthen internal controls to surveil employee behavior, data access, and transactions and cultivate a culture of compliance.
Also, if your bank relies on a supplier for a product or service and that supplier is affected by the pandemic, then your bank may have a gap. Having a plan to locate, evaluate, and quickly onboard an alternative third-party provider will be key.
Unfortunately, financial criminals don’t rest during times of crisis. Instead, they take advantage of the fear, uncertainty, and distraction that surrounds it to ramp up their frauds and schemes. If banks do not change how they assess and manage risk and compliance, they will see a spike in financial crime affecting them and their customers.
And when a hurricane hits, the shoreline never looks the same. So, it is also imperative that FCRM management functions re-evaluate their overall strategy, operating model, policies, procedures, controls, and operations to create the foundation for greater resilience in the future.