Regulatory scrutiny has increased immensely since the 2008 financial crisis, not only for banks but also for the many companies that supply them. Since then, the Consumer Financial Protection Bureau and other regulators have held financial institutions responsible not only for their own actions but also for those of their vendors and suppliers. In the last year, Capital One, Discover Card, and American Express have paid $525m in total fines to settle complaints of deceptive selling by their third-party suppliers.

The due diligence that firms are required to perform has increased significantly over the last decade, as regulators have become more sensitive to strategic and reputational risks. These new regulatory sanctions impose a heavy burden on financial institutions, which have over 20,000 suppliers worldwide and a limited understanding of how those suppliers interact with customers. Effective management of third-party suppliers creates operational health and positive cost management, all while deepening the relationship with the supplier.

McKinsey breaks the current state down into six elements that firms need to develop or improve:

  • A comprehensive inventory of all third parties with whom the firm has a relationship.
  • A comprehensive catalog of specific customer risks to which third parties can expose the firm.
  • A risk-based segmentation of the supplier base.
  • Rules-based due diligence testing.
  • A disciplined governance and escalation framework.
  • Integrated technology and MIS workflow process and tools.

Firms that have successfully implemented these six elements have seen the expected benefit of lower risk costs, and are also able to explain their approach in detail to key stakeholders.

Heightened Emphasis on Consumer Protection

On top of holding firms responsible for their third parties, regulators have also taken a deeper interest in protecting the financial consumer from the risk of predatory behavior by banks' suppliers and other financial institutions. The Dodd-Frank Wall Street Reform Act created the Consumer Financial Protection Bureau, an agency whose work to date has focused on holding banks responsible for actions taken against consumers by third parties. For example, in 2012, the National Mortgage Settlement issued $25 billion in fines against five leading mortgage servicers for wrongdoings by their suppliers. Since its formation, the CFPB has logged more than 79,200 consumer complaints, with mortgage and credit card companies generating 45% and 29% of total complaints, respectively. In its first public case, the CFPB fined Capital One $210 million to settle claims of deceptive marketing practices by its outsourced supplier.

Regulatory Changes Find Firms Off-guard

It is clear that many financial institutions are under-prepared for the organizational and tactical implications of this regulatory change. In the past, vendor management focused on risks such as business continuity, financial strength, and credit risk. Regulatory oversight has now expanded to cover not only risks to the bank and the financial system, but also risks to consumers.

While many risks are easily identified, supply chain risks are more hidden because of the sheer size of banks' supplier networks. Lists of third parties can range from 20,000 suppliers to upwards of 50,000. Because of the complexity of the chain, firms have dedicated teams to manage these relationships, but not all relationships can be covered. The suppliers that are not covered are the ones that carry a higher risk to firms, because of the unknown factors involved.

Another problem with relationships between third-party vendors and banks is that most agreements between the two do not specify risk-sharing, which can leave risks unaddressed. In the wake of regulatory change, the old approaches used to manage third parties are insufficient, since they tend to focus only on supplier performance. Now, firms must embrace new practices that encompass all six elements in order to develop an efficient third-party relationship.

A Comprehensive Inventory of Third Parties

As noted above, most institutions have tens of thousands of supplier relationships, and it can be extremely burdensome to try to identify all the risks associated with their suppliers. Regulators now expect firms to understand who their third parties are and how they interact with customers.

This will be a big step for firms that do not have the information needed to complete this assessment. Many supplier databases are incomplete, and some of the most important risks are not recorded in those databases at all. There are few reliable sources of information on fraud allegations among small businesses, and different business units track their suppliers in a variety of ways. Most relationships are managed with an emphasis on commercial goals and not enough focus on risk. Experience suggests that the best third-party databases cover every third party with which the financial institution has a business relationship. An enterprise-wide survey can be a good starting point, along with an effective algorithm to reconcile the various data models, which can reduce the time needed from 9 months to 6.

A Comprehensive Catalog of Third-Party Risks

Third parties expose financial institutions, and their customers, to a wide range of risks. Given the number of suppliers institutions can choose from in today's economy, it is essential to develop a list of the risks vendors introduce, so that the firm can build effective audit routines and monitor risk continually. For example, an auditor might request call-quality reports from a third-party call center that serves the firm's customer base, to ensure agents are not misrepresenting the product to consumers. The degree and nature of the risks will vary across categories of suppliers, with high-risk categories considered to have 20-30 potential risks, or "breakpoints".

Financial firms face two main challenges in developing the risk catalog: identifying the relevant breakpoints for each category of supplier, and determining the relative weight and importance of each breakpoint. Creating a master list of breakpoints and their risk weights benefits all firms and can be built within three months. This step is essential to understanding the true drivers of third-party risk and guiding the steps taken to mitigate it.

A Risk-Based Segmentation

After compiling the full list of third-party risks, the firm can categorize suppliers based on the level of risk they pose to its customers. High, medium, and low risk categories suffice to describe the threat that each supplier poses to the outsourcing firm. Most top institutions have 200 to 300 high-risk third-party relationships at any one time. Segmenting suppliers helps firms allocate resources efficiently, doing more due diligence on high-risk relationships and less on those with minimal risk.

Firms generally use two approaches to assign third parties to risk tiers. The first is the score-based approach, in which firms conduct due diligence across all dimensions of the business and develop a risk score for each supplier. While very detailed and informative, this can be time consuming and resource-intensive. The second is the rules-based approach, which defines rules tied to breakpoints to streamline the assignment of suppliers to risk categories. This approach is half as time consuming, since it involves only the risk assessment and due diligence activities that are actually needed. Designing the approach should take 2 to 3 months, and it is worth investing heavily in getting the design right for your firm.

Rules-Based Due Diligence Testing

The nature of due diligence has become more detailed during the shift toward increased regulation of financial institutions. Traditional approaches link diligence activities to the level of risk identified by the risk-based segmentation. Suppliers in the high-risk categories receive extremely detailed due diligence, which sometimes leads to over-analysis and a waste of resources. Rules-based approaches can be more efficient because they trigger specific diligence activities for the specific risks identified. In the third-party industry, a supplier's risk can be deemed high even when it has no access to personal customer information. A rules-based approach helps firms focus on the risks that are most prominent.

Disciplined Governance and Escalation Process

Organizational governance is more important now than ever, as firms outsource activities to third parties and spread decisions across multiple segments and business functions such as procurement, compliance, and operational risk management. Upfront structures for escalating misalignments lead to more timely resolution of problems when they arise. Building an efficient governance and escalation framework can take up to six months, and a further six months for it to produce positive effects for the firm.

Governance can be successful in either a centralized or a decentralized form, and a combination of the two can also create a good dynamic for the firm. In the centralized model, key decisions are made by a single team, which holds risk owners accountable for their segment. The drawback of this approach is that it can create tension between the units that "own" the third-party relationship and the centralized body accountable for risk assessment. Decentralized models let business units not only own the risks associated with their segment but also manage them. This can have negative effects, duplicating the resources devoted to the same third party, and can also lead to inconsistency with the firm's risk standards.

Escalation frameworks are key to resolving problems and challenges that the governance structure does not capture. Many organizations have operational risk management groups, but their governance model might not capture all risks related to third parties. In past experience, leading financial institutions have focused on assigning new responsibilities to standing committees rather than creating new ones to support supplier escalations. Firms must choose the approach appropriate to their risk appetite and culture.

Integrated Management Reporting and Workflow

Efficient management reporting and well-designed workflow processes are essential for accountability across all lines of defense. These tools must track all relevant data related to the organization's risks, aid the flow of information across all units, and give managers accurate information so they can respond to each risk in an informed way. Many firms have applications that address one or two of these fundamental needs, but are not aware of a tool that performs all three functions. Building new applications from the ground up can be capital intensive and time consuming, so firms should prepare a strong, dedicated team and budget 3 to 6 months.


As the six elements described above show, managing third-party risk has emerged as a discipline in the last decade as the CFPB has increased regulation of financial institutions' outsourcing. Firms are now held responsible for third-party services and will pay the price if those third parties act outside the rules. Institutions must perform the correct diligence when choosing suppliers, identify the main risks associated with each, and respond in an informed way to the resulting risk assessment.

Link: McKinsey & Company "Managing Third-party Risk in a Changing Regulatory Environment" Fall 2018

ERM Enterprise Risk Management Initiative 2019-01-29