Third Party Risk Reflections on 2018

2018 has been a quiet year from an enforcement perspective, particularly as it relates to third party risk management. However, there has been changes in leadership at all of the major national regulators, up to and including the confirmation of Kathy Kraninger to lead the Consumer Financial Protection Bureau  (CFPB) in early December. With the Democratic Party set to take over control of the House of Representatives, the House Financial Services Committee will be poised to exert control over the CFPB once again.

In addition to the shift in leadership, there are three areas in third party risk that I feel are important to reflect on this year. Let’s discuss.

3 Third Party Risk Areas of Reflection

The three areas are:

1. The CFPB - Departing Acting Director Mick Mulvaney did not dismantle the CFPB as he had once threatened; in fact, he opened the bureau to a new level of input and transparency. In addition, he renamed the bureau, as the Bureau of Consumer Financial Protection, and pledged to finally codify the Abusive standard in UDAAP (Unfair or Deceptive Abusive Acts or Practices).
   
   
2. Regulatory Reform - Much anticipated regulatory reform was passed but not in a manner meaningful to the average compliance officer. Other than the extension of the examination cycle from 12 to 18 months for financial institutions that are both well-managed and under $3 billion, there was nothing that gives a breath of relief to the compliance and third party risk management officials.
   
   
3. Cybersecurity - Absent enforcement actions, there have been many cybersecurity breaches  and significant saber rattling as various regulators warn of heightened scrutiny on data protection.

Two significant data protection regulations were passed:

• The European Union’s General Data Protection Regulation (GDPR), which any financial institution doing business or storing data with an EU entity must be prepared to comply with.
• The California Privacy Act, a similar data protection regulation to GDPR, with many details left for future development. There is also a call at a national level for similar standards.
  
  

Where Does This Leave Us Going into 2019?

We can expect:

• There will be major challenges with the House and Senate controlled by opposing parties and the atmosphere for further regulatory reform is tepid, at best.
• Day to day, the role of third party risk management is still on high alert for cybersecurity and exam scrutiny.
• Boards and senior management will be well served to stay fully vigilant for issues related to third party risk management.

We’ll see what interesting developments happen in 2019!

Finish off the year with a review on vendor risk management best practices. Watch the webinar now.