JWG Q421 research reveals major regulatory battles for information on third parties in 2022, which has massive implications for FS suppliers. Combined with Cloud, AI and other new controls, knowing your supply chain just became a lot more critical and complicated.
Without standard supply chain messages, regulators, regulated firms and their suppliers run the risk of stifling innovation, creating an enormous administrative burden and dealing with large fines. We continue to create the safe space for innovative solutions in this arena – let us know if you’d like to get involved in the research or just learn about it at our November conference.
Why Third Party Risk?
Technology, data and infrastructure provision to banks now puts 3rd parties on the critical path for systemic oversight.
The pandemic has refocused attention on FS supply chains and regulators across the globe are revisiting the level of detail required to run a bank today. Through initiatives like operational resilience in the UK and DORA in the EU, banks have been introduced to a more detailed set of questions from regulators about ‘BAU’. Failures to comply, of course, will come at a much greater cost.
While the UK and EU have outlined clear guidance for firms looking to outsource, the US are still in consultation stages.
However, this has not stopped the US from issuing a large number of fines. The largest fine to date, $60 million, was imposed upon Morgan Stanley, which failed to adequately assess the risk of subcontracting and failed to perform adequate due diligence in selecting and monitoring a service provider. In total the US has issued fines totalling $87 million for poor third-party risk management, in comparison to the UK’s significantly lower sum of £7 million; a 757% delta.
A heterogeneous approach to TPRM controls
With each regulator devising their own rules and guidance, the industry faces a complicated web of obligations to manage the relationships with their suppliers and to communicate them to their regulators. In the case of the UK and EU, consultation is in progress on the requirements of sharing information via portals.
Over the course of the last 2 months, we have collated guidance from the ESAs, the FCA, the PRA and the US agencies and compared it against a well-developed set of public requirements from Singapore’s OSPAR, which is maintained by the ABS.
To do this we took 21 of OSPAR’s separate controls, compared them against regulator guidelines from the EU, UK and US, and scored each control using OSPAR as the baseline. Out of the 21 audit requirements in Singapore, only 5 exceeded the baseline for regulators.
What we have found is that third party risk management frameworks are being extended to detailed entity and service controls, and that the US is taking a leading position which aligns well with the existing framework in Singapore. However, we also found a heterogeneous approach to the detailed controls.
Looking at information security in detail, each regulator set its own requirements. For example, the PRA provided only 4 considerations for this control, whereas EIOPA provided 11. With OSPAR’s baseline of only 3 considerations, it is clear to see where firms and suppliers will struggle to define what good looks like.
Exhibit 1: JWG TPRM cross-jurisdictional gap analysis (EU/US/UK vs. Singapore’s OSPAR)
Global TPRM baseline
In our latest trade surveillance special interest group workshop we reviewed our TPRM benchmark findings in three broad control buckets:
- Entity-level. Regulators are asking firms to control a lot more information about the providers of products and services. Firms are expected to perform the relevant due diligence on their providers and to ensure that all roles and responsibilities are clearly defined. Risk assessments, communication, monitoring, information security and an open line of communication are all seen as critical to a functioning relationship, not only between firm and service provider but also between firm and regulator. Those lines will soon be adjusted, however, with the implementation of DORA, which will see regulators talking directly to the critical, systemically important service providers.
- Services. As regulators look to ensure that firms are analysing the connections between service providers and their businesses, they have focused on controls surrounding the maintenance of records, which include but are not limited to access and audit rights, business continuity and exit plans, and the retention and destruction of data. The biggest concerns with record keeping by an outsourcer are compliance with GDPR, and accessibility and availability should a regulator come looking for documents.
- General IT. Regulators have been slow off the mark in addressing general IT controls in their outsourcing guidance, but it could be argued that this is because these controls are often already present in other existing frameworks and policies. The PRA is currently above the baseline in two areas: logical security, and back-up and disaster recovery. It has noted the need for self-classification of data by a firm but openly admits to having no taxonomy to aid with this. With little in the way of guidance, this leaves room for error, with the possibility of ill-equipped staff handling sensitive data. For example, whilst OSPAR provides 21 different controls for service provider audits, the PRA goes above and beyond even those controls when dealing with back-up and disaster recovery, covering circumstances such as stressed and non-stressed exits, guidance that is missing across the other regulators.
This is a massive amount of information for any supply chain to collect.
Conclusion
In isolation these findings could appear low impact. However, Cloud, AI, Cyber and Quantum each bring detailed controls and information requirements which will need to be taken into account across the supply chain.
In a nutshell, knowing your supply chain just became a lot more critical and complicated. Regulators, regulated firms and their suppliers now run the risk of stifling innovation, creating an enormous administrative burden and dealing with large fines.
Large banks have thousands of technology suppliers, and many of those suppliers are dependent upon each other. The wealth management, investment banking and retail arms are often buying from these suppliers with little co-ordination. This makes group-level conversations with the regulator about the systemic risk of a supplier challenging.
Procurement is one part of the industry without a commonly understood set of codes for the supply chain. We don’t even have messages or the appropriate identifiers to scale this globally. We need to act soon to put in place the infrastructure to support FS procurement.
The sector has a huge opportunity to come up with a more joined-up approach to TPRM, but this will require senior engagement, trust and a ‘safe space’.
JWG will continue to help bring the right stakeholders together to find the right solution, one which makes TPRM better, faster, cheaper and safer at lower risk. Let us know if you’d like to get involved.
Additional resources:
- To join the JWG Trade Surveillance special interest group, email Corrina
- Access the JWG Surveillance LinkedIn here or Trading here
- To create your own JWG RegTech Intelligence Hub, sign up here
- To register for JWG’s 16/17 November 2021 conference, see here