
Q&A: A view of bank risk from the battlefield

Joe Mont | January 24, 2019

Perhaps more so than any other industry, the financial services sector faces ever-escalating risk from all corners of its customer base and vendors. To get a frontline view, we recently chatted with Stuart Brock, director of Seal Software.

Based in San Francisco, Seal Software is a provider of contract discovery, data extraction, and analytics solutions. Late last year, the company launched a new extraction and analytics platform for contractual data held by banks and financial services firms. It uses artificial intelligence to provide the most advanced toolset for gaining insight from unstructured contractual data so that commercial, investment, and global banks and financial institutions can make proactive, faster business decisions. Among Seal’s specializations are third-party vendor due diligence and ongoing monitoring.

Q. What does an institution need to know about its third parties? How do you collect responses and feedback most effectively, and can you trust the information these parties report? Once you gather all that data, how do you go about understanding any red flags or problems that may be lurking below the surface?

A. Banks need to be able to manage not only their own folks internally but also, externally, their third parties. Financial services firms spend upwards of $270 billion a year on compliance—10 percent or more of their overall operating costs are devoted to compliance. There’s a real need for them to be able to report to various regulators on what it is they’re doing and how they’re doing it. The bank remains liable for the third-party actions as if they were their own by regulation. It’s not just contractual—it’s actually by regulation—so banks have to really police their third parties in the same way they police their own business.

The first thing that banks need to ask themselves: “Is my internal risk process fully aligned to my own risk framework?” Then, if it is, “How do I apply those processes to my third parties?”

Are you doing an end-to-end assessment of those third parties? That translates into not only monitoring them on an ongoing basis throughout the life of the relationship but putting some rigor around it. It should be more than just looking at the documents or data that they send. It entails going onsite with a vendor, looking at their systems, and looking at their processes, even something as simple as whether they have built-in access controls. What are their networks? How are they maintaining their systems? What are their password authentication processes? What are their business processes?

I had been involved in a number of regulatory exams throughout my career in financial services, and I can tell you that they are very rigorous. They look at all of the Is and the Ts to make sure they are [dotted and] crossed. They get into the minutiae of details about a firm’s relationships. The deficiencies they find almost always occur with ongoing monitoring. The problems are not in the due diligence setting up the relationship. They are not in the contract or papering of that relationship. It’s all about the ongoing monitoring. What examiners generally find is that the level of monitoring does not align to the risk or the type of relationship.

Q. That sounds like a warning to not fall into the compliance trap of “set it and forget it,” where almost all due diligence is front-loaded.

A. Absolutely. It is about realizing not only what your internal risk framework is for alignment, but what are your external factors as well. What are your regulatory requirements and monitoring plans aligned to that? A lot of times, you get line of sight into issues when something breaks or when a regulator steps in. Obviously, that’s not the desired way to go about things.

Q. It’s interesting that these lapses still exist amid so many warnings.

A. I think what happens is that, like most companies, banks are budget-driven. Most of their compliance and risk functions are not revenue generators. They’re working with high regulatory demand, lean staff, and limited budgets. Without automation there is no way they can meet all of their regulatory requirements. It just cannot happen using the traditional Excel spreadsheet and manual labor.

I was once involved with a very large enterprise-wide audit effort, and we ran the entire effort with an Access database and an Excel spreadsheet. That is not the way that you need to manage that kind of data across all of the operational centers—and there were hundreds of them. Having some level of automation that can come in, collect data as painlessly as possible, and then be able to analyze it and get you to the data points that you need to fill regulatory requirements is going to be key in stepping into the next few years. Especially with the tremendous costs of compliance that cannot continue to rise, there are going to be further reductions in budgets.

Even though we have a current bit of reprieve in the current administration in terms of new regulations, I don’t know if that will be longstanding. Also, that’s only in the U.S. The EU is full speed ahead with their supervision. Banks are going to get really creative on how they can manage all of the data and all the reporting.

Q. You touched on something that makes me shake my head in disbelief. With all the technology that’s available, established and emerging, why are so many folks still relying on manual systems and glorified Post-It notes?

A. What’s really frightening about that is there are tools available, but the adoption rate is very, very low. There are a number of reasons for that. The due diligence burden to bring any vendor or platform into a bank is tremendous. There’s a lot of investigation that needs to go on before they can actually begin to look at those vendors, and even more before they can bring them in-house. There needs to be competitive bidding and all of that. By the time you get to all of that, you’re a year and a half into it, but you still don’t have your tool up and running. I can see why folks turn to the tools they have, versus trying to bring in a new tool. That’s changing, however, because of the need to control costs. Doing more with fewer resources is the big pressure right now.

Q. Do you ever feel like there’s like a “Catch-22” here? If I’m a financial institution and I want to have better oversight and monitoring of my third parties, I may do that by bringing in a third party to help with that process. Do some firms just think it’s easier to stick with legacy systems and not court more risk by expanding their vendors?

A. What we’re seeing is increasing interest in how they can use existing tools and supplement them with new technology. How can they then use that hybrid system to get these things done?

Some of the largest financial institutions were founders of TruSight, an alliance to centralize diligence efforts for large- and medium-sized banks. What they found was that each bank was asking the same vendors the same questions. Vendors were filling out five or six or more different workbooks with only slightly different questions. The goal is centralizing the process so that a vendor can answer a single set of questions, and multiple banks subscribing to the alliance can then rely on that information. It’s literally one-stop shopping. It’s taking away a lot of duplicative efforts. That is just one example of how the financial services industry is looking at how it can make things cheaper, faster, and less complicated.

[ED. Note: TruSight was founded as an industry initiative by a consortium of leading financial services companies, including American Express, Bank of America, Bank of New York Mellon, JPMorgan Chase, and Wells Fargo. It promotes best practices for third-party assessment. It is a service “created by leading industry participants for the collective benefit of all financial institutions, their suppliers, partners, and other third parties.” As innovators of the “Assessments-as-a-Service model, TruSight streamlines and simplifies third-party assessments by executing best practice assessments once and delivering to many over a secure, shared-services platform,” it says.]

Q. What are some of the newest, evolving risks financial services firms need to be on the lookout for?

A. I probably would say, in order of priority, that LIBOR [the London Interbank Offered Rate, the rate at which banks can borrow unsecured funds from one another. Plagued by a rate-fixing scandal, international regulators are developing an alternative] is the largest issue during the next couple of years, followed by Brexit [the planned split of the United Kingdom from the European Union].

Brexit is behind LIBOR, because they are still working out the details of what happens next. We still don’t have a permanent vote on it, and we really don’t know where it’s going to land. The LIBOR issue is the more pressing one. As we know, the financial crisis that we all lived through in 2007-2008 had a lot to do with the derivatives market. LIBOR has the ability, and these are my words, to kill the market. If we don’t get it negotiated and stabilized as the rate is terminated, it could have a huge impact.

Q. Are sub-contractors particularly problematic? We always hear “know your customer” regarding due diligence, but that’s evolved into “know your customer’s customer’s customer’s customers” over time. Is it hard to screen a third party when they’ve got a whole universe of third parties themselves? As a primary institution keeps digging, how do you know when you’re done?

A. Banks try to drive into sub-contractor relationships with the same kind of requirements that they have for their own contractors. They try to do things contractually and, in those documents, stress that contractors remain liable for their sub-contractors as if they were their own. They are contractually bound by the same terms and agreements that the contractors have to enter into. Sub-contractors have to meet the same obligations for background checks and ongoing monitoring.

What you find in reality, however, is that it’s very difficult to get to the sub-contractors, except for the riskiest of the services being provided. The folks who are cleaning or lawn maintenance for that particular institution are very different than a sub-contractor who’s coming into a data center with access to the mirror servers and that type of thing.

This view of risk gives you the license to either go into a sub-contractor or not.

There’s almost always push back on any of the kinds of obligations you want to put on the sub-contractor. It’s very difficult to get there in the lower-risk relationships and easier, maybe, to get there in the higher-risk relationships.

I will say, however, that some banks have very aggressive sub-contractor monitoring teams. There’s more toward the Tier 1 relationships, but they do have them up and running and try to apply the same requirements to those sub-contractors.