Pub. 11 2022 Issue 3

Managing Institutional Third-Party Risks
Evolving Guidance Charts a Path Forward for Risk Management Professionals in the Financial Services Industry
By Ben Streckert, Husch Blackwell, LLP

Digital products and online platforms have reconfigured commercial banking in the 21st century. Market penetration for these services and products continues to rise, and it is expected that the users of digital banking will eclipse 80% of the population in the U.S. by 2025. These changes represent a massive, irreversible disruption in the way commercial banking is done, opening up new business models and placing pressure on industry incumbents.

As digital banking has proliferated, however, there has been an associated rise in the risks posed by the enabling technology. Cybercrime has supplanted — or in some cases, amplified — more traditional kinds of risk to banking operations. According to a recent survey by the Conference of State Bank Supervisors, over 70% of survey participants ranked cybersecurity as their top concern.

Both of these trends — the ramp-up in digital offerings and the security measures necessitated by it — present difficult challenges for smaller banking operations that lack the economies of scale brought to bear by larger institutions, and over the past decade, many of these smaller banks have turned to third-party vendors to help even the playing field.

By outsourcing non-core operations, smaller and community bankers can focus on value creation, innovation, or any area where there is a perceived benefit. This trend toward outsourcing has covered a wide range of functions, involving information technology, human resources, product development, and even loan servicing; however, while outsourcing might reduce capital expenditures and provide access to better technology, the risks associated with outsourced functions remain with the bank, and this circumstance has gotten the attention of bank regulators.
As early as 2008, the Federal Deposit Insurance Corporation (FDIC) issued guidance for managing third-party risk, and follow-on guidance was later provided by both the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC). All three sets of guidance had the same goal and covered similar concepts but approached the issue in slightly different manners. The OCC’s 2013 guidance was much more robust and detailed and, therefore, more prescriptive than that from the FDIC and FRB. It also applied to all third-party relationships, meaning “any business arrangement between a bank and another entity, by contract or otherwise.” The FRB guidance contained less specificity and only applied to “service providers.” The result was to create a different set of standards for different banks, depending on their primary federal regulator.

Agency scrutiny of the third-party risks to banking institutions has only increased over time, as has the federal government’s vigilance regarding cybersecurity, which has been elevated to the level of a national security concern. Banking is at the heart of the matter. The industry is roughly 300 times more likely to be targeted by cybercriminals, according to information from Boston Consulting Group, and as the use of third-party vendors has increased greatly over time, the vulnerabilities are now spread out across a vast supply chain, with each link presenting its own unique risk profile.

With the goal of creating one uniform framework for managing risks associated with third-party relationships, the FRB, FDIC, and OCC released a joint “Proposed Interagency Guidance on Third Party Relationships: Risk Management” in July 2021. The
