How to score risk and assess third-party vendors

Outsourcing certain services to third-party entities may provide financial institutions with convenience, efficiency and cost-savings, yet increasing regulatory reform demands stricter controls for the management of external KYC risks. As such, legislation enacted by the Office of the Comptroller of the Currency, the Office of Foreign Assets Control and the Federal Financial Institutions Examination Council is holding financial firms more accountable for the compliance failures of their vendors. Third-party vendors, partners and contractors in areas ranging from private banking, correspondent banking, money transmittal services, stock brokerage, and offshoring are just a small sample of the risk categories financial firms must address with renewed diligence.

Enhanced terrorism financing and money laundering threats require financial firms to be unwavering in their diligence inspections of prospective third parties. This notion is especially relevant to foreign vendors, whom inherently subject financial firms to escalated Office of Foreign Assets Control scrutiny, particularly for those entities located in high-risk jurisdictions. But, before risk assessment can begin, banks need accurate and unbiased data about vendor and subcontractor entities. This data can only be culled through an independent inquiry that assesses the experience, reputation, operating history, stated goals, risk management practices, insurance coverage, regulatory interactions and other factors that impact an entity’s risk score.

Banks must also ensure that their partners have the capability to score risk with the same rigor that the Bank Secrecy Act demands of their internal risk monitoring systems. BSA-compliant risk scoring is a key indicator that third-party partners are upholding the same KYC and AML standards that the financial institution demands of their customers. But, since ancillary financial service entities have traditionally cruised by with less intensive regulatory oversight, institutions will often encounter a gap in risk management technology and understanding. To mitigate the KYC and AML risks associated with third-party relationships, financial institutions must train external personnel on internal best practices and the use of preferred risk-scoring technology.

Quality risk assessments factor and cross-reference a wide range of data points, including:

  • Customer segment risks
  • Product and transactional risks
  • Geographic risk – location, citizenship & projected transactional jurisdictions
  • Business entity risks

Before a suitable risk assessment scoring system can be deployed, however, organizations must determine their unique risk thresholds. This process demands a holistic self-audit that identifies each business-unit risk category and the diverse regulatory agencies and laws with which they must comply. In 2016, banks must manage third-party relationships by conducting stronger diligence, strategically coordinating risk between internal KYC objectives and vendor categories and prioritizing the education and training of risk management personnel.

When onboarding third-party vendors or contractors, banks need to ensure their prospective partners are being transparent. Financial institutions must conduct their own independent investigations to ensure the legitimacy of potential correspondent banking, brokerage, insurance, indirect lenders and other partnerships. Banks may even want to consider on-site visits to their vendors’ places of business to verify and confirm the authenticity of their operations. And while recent regulations are vague about the precise types of diligence provisions that must be applied, here are some best practices to keep in mind:

  • Perform an independent and rigorous analysis of the provider’s ability to conduct its line of business in a compliant manner
  • Review each vendor’s policies, procedures, internal controls, and training materials and compare them with internal guidelines
  • Create internal controls, including procedures for continuing monitoring and reporting
  • Enforce contracts that define clear compliance expectations and consequences for non-compliance
  • Identify third-party services outsourced by the vendor
  • Immediately address any compliance problem or issue
  • Document all policies, procedures, and interactions with third-party vendors

Perhaps the most provocative issue raised by these guidelines is item 5. Although current regulatory attitudes insulate banks from fourth-party business operations, or contractors used by prospective third parties, financial institutions would be wise to evaluate their partner’s outside partnerships. A robust investigative technology solution can uncover weak links in a vendor’s business history in the form of politically exposed persons, criminals, bankruptcy, high-risk business officials and other dubious entities.

KYC is not a one-size-fits-all protocol. Different business units, product types, customer segments and geographic considerations present varying degrees of KYC risks and regulatory demands. As such, KYC considerations must be aligned with the specific business unit within a financial institution.

In order to properly align KYC and AML risks to appropriate vendors firms must have an adequate, detailed and transparent inventory of all third party relationships. According to a 2013 McKinsey & Company paper, titled “Managing Third-Party Risk in a Changing Regulatory Environment,” this cataloguing can be a challenge because the average financial institution has tens of thousands of supplier, vendor, joint venture, sponsorship and subcontractor relationships to review. Secondly, third-party databases are often incomplete and there are few reliable sources of information on fraud allegations and convictions among small businesses, according to the McKinsey paper.

A modern, digital risk management solution can help banks create data-driven third-party vulnerability models that qualify and quantify risk exposures, helping institutions allocate internal resources more efficiently. In other words, compliance managers can leverage technology to discover specific KYC risks and the level of risk associated with each vendor. The McKinsey paper says that algorithmic third-party risk management software can reconcile businesses databases and reduce the time needed to create an organized vendor risk inventory from nine to six months.

Assuming the bank has a compliant risk-scoring system in place, the institution must ensure that its vendor relationships are using analogous methodologies to qualify their core markets. If external risk scoring systems are deficient, the bank must allocate resources to deploy a system that meets their internal standards and then educate vendor personnel on how to use the technology.

Typically, risk categories are broken down into four segments: prohibited, high-risk, medium-risk and low or standard risk. Prohibited risks include sanctioned countries like, Russia and Sudan, while high risks involve politically exposed persons, gambling or precious metals businesses or clients hailing from high-intensity drug trafficking jurisdictions. Medium and low risks apply to individuals with possible low-level criminal backgrounds and typical retail customers, respectively.

The optimal risk-scoring model applies a numerical approach to quantify risk profiles, which are assembled from a vast universe of data points. Scored information should compute data from categories including, geography, customer type, products & services, regulatory actions, customer histories and other categories. The system should score each of these factors individually and then, cross-reference the ratings to produce composite score. The complexity of the score is ultimately a product of the bank’s discretion, but institutions should strive to make this process as intuitive and transparent as possible.

After all, the greater the navigability that the risk-scoring system offers, the less time and money the bank will have to exhaust educating vendors on how to operate the tool.

To achieve compliant third party risk management (TPRM) in 2016, banks must decide between a centralized, decentralized or hybrid oversight solution. A centralized solution is a good idea for onshore financial institutions, where there is regulatory consistency. But, a decentralized tool might make more sense for a multinational bank that conducts business across varying geographies and regulatory jurisdictions. Still, a hybrid solution, might present the most attractive value proposition with its ability to centralize all reporting and tracking issues across diverse and global units.

The increasing scale and cost advantages of third-party vendors is a trend that is locked in the crosshairs of an expansive regulatory scope. With the billions in fines that have hit multinational banks as punishment for their weak supervision of correspondent and private banking units, smaller institutions cannot afford the costs of failed vendor oversight. Banks need a trusted third party risk management solution to identify undesirable vendor data points before they transform into a financial and reputational crisis.


Thomson Reuters CLEAR

CLEAR online investigation software makes it easier to locate people, businesses, assets and affiliations, and other critical information. With its vast collection of public and proprietary records, investigators can dive deep into their research and uncover hard-to-find data.

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.