Do you know your third parties?


When the FCA published CP 19-32, "Building operational resilience: impact tolerances for important business services and feedback to DP18/04", somewhere on page 31 there was a bullet that said "...half of firms said that they do not maintain a comprehensive list of all third-parties with who they do business and who have access to their systems and data..."

Let that settle in. The potential implications of that statement are much wider than what we are going to discuss in this article.

It is March 2020 and the economy is about to be sent reeling following a 1 in 100 year plague-like series of events. That same series of events caused a 1 in 300 year shock to markets in the first two quarters of 2020. The last time there was a quarter on quarter move so dramatic was 1720 when the South Sea bubble burst.

Is history repeating itself? We think so.

Earlier this year firms were put under enormous operational and financial pressure and the system started to buckle. There were some early warning signs and a Regulator reacted. On May 22nd, the FCA published a short consultation on safeguarding customers’ funds.

On safeguarding, the FCA said, “we have found evidence that some firms have not implemented the Electronic Money Regulations 2011 or Payment Services Regulations 2017 as we expect”.

At Risk Shapes we were a little surprised that the FCA had to explain what reconciling customers’ funds “as often as necessary” meant. We were also surprised when one of our employees told us that their debit card stopped working. On June 26th Wirecard Solutions Limited ("WCS") was told to halt all regulated activity in the UK. The restrictions were lifted a few days later on June 30th, 2020. The ripple was quite dramatic.

Our employee was not a Wirecard customer; their debit card provider had, however, outsourced something that was critical to the business service being provided. The outsourcing provider was WCS.

Our employee's account along with around 1.3 million other accounts at that provider were inoperable for a little while.

It was also reported at the time that the Department for Work and Pensions in the UK created a dedicated team to support some of the most vulnerable in our society when they were unable to access their benefits.

Regulators have consistently told firms to manage their third party risks. There are reams of discussions, consultations, policy statements and additional guidance on the subject. There are even requirements to seek permission from the Regulator before a third party is engaged to provide certain services.

Brexit has also brought third party risk management into sharp focus. Regulators in the EU want to ensure that UK firms setting up their “Brexit contingency office” resource their EU subsidiaries appropriately. Risk management activities taking place in the UK (the outsourced activity) must be fit-for-purpose for the EU subsidiary and well understood by those who are accountable in the EU subsidiaries.

Smaller firms are more likely to have higher third (and higher order) “n-party” risk exposures. This might be the case as a result of having to deal with resellers, and maybe because they have had to focus on other priorities such as safeguarding customers' funds, and/or anti-financial crime and anti-fraud measures.

Firms like these are also more likely to be disproportionately affected by short (notice) consultations on third party risk management, because they are caught by surprise.

Do not wait for a Regulator to find evidence that a firm has not been managing their third party and outsourcing risks. Manage these risks for your business, not for the Regulator.

In 1720 South Sea was found to be a hoax and at the same time The Great Plague of Marseille started, which is reported to have ended the lives of over a million people. Third party risk management was probably not being discussed.

300 years later smaller financial services firms, and even large ones in the Fintech sector, can be built almost entirely on third party solutions.

At Risk Shapes we have seen that history tends to repeat itself, and most of the time we do not have to wait 300 years.

Sometimes events that we call “unprecedented” and “impossible to predict” have in fact happened before, and there were those among us who took decisive action. Deaths from Covid-19 have now passed the one million mark, and as for Wirecard, there will be more to the story than is currently in the public domain.

Understand and manage your third party risks. Manage risk for your business not for the Regulator.

We would like to discuss how we can help you take some proportionate steps that make sense for your business. Get in touch.
