BID Daily Newsletter
June 14, 2017

Risk Tolerance/Capacity of Third Party Providers

We found an interesting survey from financial technology and investment analytics firm FinMason. It looked at the risk tolerance of investor equity portfolios. What is particularly interesting here is that a whopping 43% of investors said they did not understand the term risk tolerance. Even worse perhaps, 68% of millennials did not know their risk tolerance. This means many of your customers probably do not understand the impact of a market crash on them either. To help, we point out that risk tolerance is all about understanding someone's psychological threshold, while risk capacity is all about how much the person or entity can mathematically handle (savings, cashflows, etc.). These can be wildly different depending on age and stage. It is important for community bankers to model this sort of risk, manage it, and help raise customer awareness in order to protect your bank.
Another area of risk management in banking comes from an increasing reliance on third-party technology service providers (and other outside providers too). Here, a recent report from the FDIC's Office of Inspector General finds that the majority of financial institutions (banks) do not always adequately assess the risks or impact such companies could have on their own business. In particular, many banks fail to get sufficient details about the incident response or business continuity capabilities of the third-party technology service providers they use. As a result, banks do not know how a provider outage or breach would ripple into their own business continuity plans.
Though the FDIC's guidance for managing third-party technology risk suggests an annual review for all aspects of these relationships, it appears that many fall short. While the FDIC found that most banks do review third-party providers' access to their customers' personal information, nearly 50% (particularly smaller banks) fail to perform adequate due diligence in this area before entering into contracts with such providers. Further, when it comes to these contracts, roughly 50% of banks don't require providers to create continuity plans or to outline their responsibility for maintaining ongoing support and risk management processes in the event of a disaster.
Failing to spell out clear expectations within third-party contracts leaves the responsibilities of these providers open to interpretation, and that increases the risk to the bank. In fact, the FDIC found that many banks still seem to think they can push these responsibilities onto service providers (a definite no-no, since a bank can outsource an activity but not its responsibility for managing the risk of that activity). Whether because of insufficient knowledge of technology, a lack of experience drafting contracts, or a lack of expertise to adequately assess third-party provider risk, the FDIC found many banks give the advantage to their outside providers by allowing them to draft the contracts. Even when banks do accept responsibility for outside providers' activities, the FDIC found many failed to follow or fully implement their own risk management procedures.
Some key takeaways from these findings are apparent. The first is to take the time to perform a thorough due diligence on any risks related to all third party vendors. These include technology and other providers so don't forget to broaden your view. The key is to look at the potential impact on your own risk controls and business continuity plans that outside providers may bring.
After you identify the risks, clearly communicate your concerns and expectations to your service providers. Be sure to address the biggest concerns within your contracts as well, along with expectations in the event of a disaster or security breach. Contracts should also clearly outline the responsibilities of service providers if any type of disruption occurs.
Additionally, remember to have your board review and weigh in on agreements with outside providers. Both board members and management are responsible to ensure sufficient protections to the bank are addressed.
It is important to understand both your risk tolerance and the risk capacity of any vendor you choose, so doing the work up front will save regulatory pain later.