From small boutiques to global giants, all financial management firms utilize third-party services to perform vital functions. Be it data providers like Bloomberg or risk control modules from lone independents, outside vendors have become a seamless part of daily asset management.
The reality is exposure to risk exposure should that third-party service become compromised. A firm may have strong governance policies or technological security measures in place. Still, it can remain vulnerable to business disruption or malicious hacking through no fault of its own. An organization’s security and compliance are only as strong as its weakest link, and a third-party vendor is that link.
Treat Third-Party Services as a Critical Performance Issue
The rationale for third-party services is logical from a cost perspective. Building out proprietary systems for every aspect of a firm’s functioning does not make economic sense, particularly for smaller organizations.
Third-party services can reduce staff overhead and infrastructure costs. Where the downside comes in is a lack of control over key aspects of compliance and security. This is why every third-party service decision must include not just short-term costs, but the potential costs of long-term risk.
Obviously, crucial data like stock pricing and indices can only come from outside the firm. Organizations depend on the integrity of these types of services – as do regulators – to such an extent that these sources inherently must have rigorous and transparent security practices.
Companies should not simply assume this to be true. Every third-party service must be vetted as part of the firm’s governance policy. Any introduction of outside data and systems is a risk that has to be examined.
Prioritize due diligence obligations and requirements
In today’s regulatory environment, due diligence is a necessity when hiring a third-party. As more and more laws and regulations are being put in place across the globe, firms are being held responsible for third-party service compliance.
When deciding on whether to acquire outside services, companies need to know their legal obligations for control and oversight requirements in the jurisdictions in which they operate. Also, firms must also understand the global and local requirements for the third-party service in question before proceeding.
Once these services are acquired, continual reviews and audits should be an obligation for ongoing due diligence as rules and regulations do change over time. Business continuity and disaster recovery plans are a top priority for third-party service reviews.
The Cost of Business Disruption
Financial management is now a 24/7 industry and even a short business disruption can have severe ramifications. Large third-party entities that provide global services have more business continuity assurances than smaller firms. In the event of disruption, a large firm could – or should – be able to shift operations to another location with ease.
Smaller vendors that produce crucial data management tools can be constrained by geography and their own internal systems. For these vendors, a comprehensive business continuity process must be in place, as secure as the initial operations, and transparent to the firms using them. Asset management firms need to know these plans and whether they rise to their internal standards.
Acquiring and Reviewing Outside Service Providers
Hiring outside service providers should have a stringent methodology to comply with regulation changes, internal governance and risk control polices. System updates, transparency, and auditing of services should be prominent in developing and maintaining a relationship.
Virtually every aspect of an organization’s management has the opportunity for the use of third-party services and all should be subject to the same review process. To develop a solid understanding of the use of these services, all services should be known and grouped into a comprehensive single source of information.
Since these services are invoiced for payment on a regular basis, a good place to delegate the maintenance of this responsibility is the accounting department. A best practice approach could resemble the following:
- Develop a complete list of all third-party vendors
- Categorize by business unit and the level of risk for each service
- Assign a regular due diligence review process appropriate to the service
- Keep in mind company growth and scalability of the process
- Be cognizant of business continuity and disaster recovery in each case
- Apply policies for information technology security and regulatory compliance to vendors
- Review costs and flexibility for the service on a regular basis.
Third-party service analysis should include as many touch points as possible. Consider any introduction of an outside service as a third-party vendor such as custodians and central control points (CCPs), even the SWIFT network. Always seek out verification sources independent of the third-party vendor for reputational and current status of industry standards.
The Firm and Its Vendors are One and the Same
At the end of the day, a firm should hold third-party vendor services to the same policies that it would use if executing the service itself. From a regulatory point of view, review boards and governments are demanding this of firms anyway, holding companies jointly responsible for failures.
By developing a wide-ranged due diligence and compliance system for third-party services, asset management firms can raise their reputational credit and build higher trust with clients and regulators alike.