In April, I had the opportunity to moderate a panel on compliance and risk management in the evolving prepaid market at the Network Branded Prepaid Card Association’s Power of Prepaid conference in Washington, D.C. Not surprisingly, one of the key things that continues to get attention at this annual industry gathering is the importance of third party risk management and of all parties in the value chain working together in the process, including regulators.
A few weeks ago, I caught up with one of my expert panelists, Branan Cooper, Chief Risk Officer at vendor risk management firm Venminder, to dive deeper into the issue of third party risk management, how the political environment in Washington is shaping it (or not), and what those working in financial services can do to improve third party risk management, whether they work at a bank or at a third party service provider like I do.
Here are four key takeaways:
- Collaboration Is Critical: Even when you’re good at it, third party risk management is hard. And as regulation and fraud threats change, the demands for risk managers are increasing. That’s one of the reasons banks are seeking out help from companies like Venminder. Third party risk management requires a lot of all the organizations involved—the banks, third party service providers and even the regulators themselves. It may sound obvious, but collaboration across all stakeholders in third party risk management is essential. A major part of the collaborative approach is open communication in all directions, not just from the banks to the third parties or from the regulators to the banks. We can all work more effectively together when we’re talking to each other and sharing information.
- Transparency Matters: Another important factor in effective third party risk management is setting expectations up front and having clear roles and responsibilities delineated from the get-go. While this may be part and parcel of the contract process, it’s important for everyone to be very clear about expectations not only of the services being provided but also the need for ongoing monitoring to manage risks, as well as how that monitoring will be accomplished.
- Politics Don’t (Matter): Regardless of what’s happening in Washington or at the state level, third party risks and best practices don’t change. The risk of new regulations or rulemaking might be reduced under President Trump and a Republican Congress (keep your eyes on the states), but the risks related to security, fraud or regulatory compliance remain intact for banks and their third party service providers.
- What You Don’t Know Can Hurt You: In any type of risk management, what you don’t know can definitely hurt you. As a third party service provider, we take our bank relationships and the accompanying responsibilities very seriously. That’s where the collaboration and transparency mentioned above come into play, but we also go deep into the weeds to really understand the regulatory requirements for ourselves. We couldn’t do our jobs effectively if we didn’t know Reg E error resolution requirements backwards and forwards. It helps that our CEO, Cheryl Slipski, is a former lawyer. And of course, as the rules change, we’re ready. That’s one of the big reasons we are part of the NBPCA.
The OCC's Bulletin 2013-29 is the benchmark for managing third party relationships.