From small boutiques to global giants, all financial management firms utilize third-party services to perform vital functions. Be it data providers like Bloomberg or risk control modules from lone independents, these outside vendors have become a seamless part of daily asset management. A risk exposure, of course, can occur if that third-party service becomes compromised. Despite all the strong governance policies or technological security measures a firm can have in place, it can still remain vulnerable to business disruption or malicious hacking through no fault of its own. A firm’s security and compliance are only as strong as its weakest link, and a third-party vendor is that link.
Treat third-party services as the critical performance issue they are
The rationale for third-party services makes sense from a cost perspective. Building out proprietary systems for every aspect of a firm’s functioning does not make economic sense, particularly for smaller firms. Third-party services can reduce staff overhead and infrastructure costs. The downside to third-party services, of course, is the lack of control over key aspects of compliance and security. Every third-party service decision, therefore, must weigh not just short-term costs but also long-term risk and its potential costs. Obviously, crucial data like stock pricing and indices can only come from outside the firm. Firms depend on the integrity of these types of services—as do regulators—to such an extent that these sources inherently must have rigorous and transparent security practices. Firms should not simply rely on this truism—they must confirm it as part of their governance policy. Any introduction of outside data and systems is a risk that must be examined.
Prioritize due diligence obligations and requirements
Due diligence when hiring a third party is a necessity in today’s regulatory environment. More and more laws and regulations are being put in place across the globe, and increasingly, firms are being held as responsible for third-party service compliance as for their own internal policies and processes. As part of the decision-making process on whether to acquire outside services, firms need to know their legal obligations for control and oversight in the jurisdictions in which they operate. Furthermore, firms must also understand the global and local requirements that apply to the third-party service in question before proceeding. Once these services are acquired, ongoing review and audits should be part of continuing due diligence, as rules and regulations do change over time. The top priority for third-party service review is business continuity and disaster recovery plans.
Financial management is now a 24/7 industry and even a short business disruption can have severe ramifications. Large third-party entities that provide global services have more business continuity reassurances than smaller firms. In a disruption event, a large firm can, or at least should, be able to shift operations to another location with ease. Smaller vendors that produce crucial data management tools can be constrained by geography and their own internal systems. For these vendors, a comprehensive business continuity process must be in place, as secure as the initial operations, and transparent to the firms using them. Asset management firms need to know these plans and whether they rise to or even exceed their internal standards.
Acquiring and reviewing outside service providers
Hiring outside service providers should follow a stringent methodology that keeps pace with regulation changes and internal governance and risk control policies. System updates, transparency, and auditing of services should be prominent in developing and maintaining a relationship. Virtually every aspect of firm management has the opportunity for the use of third-party services, and all should be subject to the same review process. To develop a solid understanding of the use of these services, all of them should be known and grouped into a comprehensive single source of information. Since these services are invoiced for payment on a regular basis, a good place to delegate the maintenance of this record is the accounting department.
A best practice approach could resemble the following:
- Develop a complete list of all third-party vendors;
- Categorize by business unit and the level of risk for each service;
- Assign a regular due diligence review process appropriate to the service;
- Keep in mind firm growth and scalability of the process;
- Be cognizant of business continuity and disaster recovery in each instance;
- Implement policies for information technology security and regulatory compliance for every service;
- Review costs and flexibility for the service on a regular basis.
Third-party service analysis should include as many touch points as possible. Consider any introduction of an outside service as a third-party vendor, including custodians and central control points (CCPs), even the SWIFT network. Always seek out verification sources independent of the third-party vendor for its reputation and its adherence to current industry standards.
The firm and its vendors are one and the same
At the end of the day, a firm should hold third-party vendor services to the same governance policies that the firm would use if it were executing the service itself. From a regulatory point of view, review boards and governments are demanding this of firms anyway by holding firms equally responsible for failures. By developing a wide-ranging due diligence and compliance regime for third-party services, asset management firms can raise their reputational credit and build higher trust with their clients and regulators.
How OpsCheck can help
OpsCheck is an Operations/Compliance Control and Oversight application that mitigates operational risk, enhances communication, offers full transparency, and makes everyone accountable. OpsCheck brings proven advances in task, project and workflow management software to you in a single tool. Spreadsheets, emails and Outlook are no longer needed for managing business operations. It’s easy to get started, easy to operate and is cost effective. Many reputable firms have already subscribed. Internal and external stakeholders will appreciate its value. OpsCheck promotes a culture of