Close panel

Close panel

Close panel

Close panel

Cybersecurity 27 Mar 2019

Managing third party risk, together: KY3P & Regional Banks

As technological innovation continues, customer expectations evolve at a similarly rapid pace.  In navigating this dynamic landscape, financial institutions are increasingly seeking assistance from outside, third party providers, a strategy that itself poses inherent risks, like cybersecurity challenges and the potential for digital-related fraud.  Greater attention and scrutiny from regulators naturally results from this developing risk paradigm.

With increased regulatory scrutiny comes the need for banks to further develop, or in some cases, build the processes and systems needed to manage third party risk, many times at great cost to the bank. This is why today’s announcement - that 12 leading regional financial institutions have come together as shareholders in third party risk management provider KY3P - could indicate a new future for the discipline.

KY3P is a company that standardizes best practices and optimizes certain processes around third party management. When a bank wants to work with a vendor, as part of the due diligence process, the bank requires the vendor to fill out an in-depth questionnaire that allows the bank to assess the provider’s controls over various risks -- such as Information Security or Regulatory Compliance -- that the service poses to the bank. Sounds easy, right?

The problem, according to BBVA Compass Director of U.S. Non-Financial Risk Management Billy Murray, is that many banks use the same vendors, which means the vendors are filling out similar questionnaires many times over. As a result, the consistency of the questionnaires, the timeliness of the assessments and the overall quality of the final risk assessment sometimes suffer.

There is a distinct value proposition for the 12 banks.

“The idea is that KY3P will onboard a major vendor to the industry and, instead of that vendor having to deal with 12 different regional banks and their questionnaires, now they have just one questionnaire that the banks have agreed on together,” he said. “In this, there is a distinct value proposition for the 12 banks coming together from an overall quality, cost efficiency and time standpoint. In addition, nothing in the agreement precludes a bank from going into more depth with the vendor if the bank feels more due diligence is required.”

Murray also said that in this partnership, onsite reviews - or the time banks spend at a vendor’s physical location assessing risk - can be performed by PWC or Grant Thornton, the two consultants that work with KY3P, another efficiency.

He specified that, while the work KY3P does on behalf of the banks is important and should save time, money and effort, banks cannot shirk their obligation to be hands on with managing risks that might arise from KY3P’s due diligence evaluation of a particular vendor.

“All of the banks talked to our regulators about this before we decided to move forward,” he said. “The regulators were on board with what we were working toward, but made it very clear that we own the relationship with the vendor and have the responsibility to proactively monitor the services that the vendor is providing to the bank, and in some cases directly to our customers.  We have to continue to manage all risks proactively. The work with KY3P will be just one part of our overall Third Party Risk program at the bank.”

Coming together to take an equity ownership in a company may seem an unusual move for a consortium of banking competitors, but Murray points out that because the need for a service like this is relatively new, the companies offering such services tend to be in their infancy.

We have more strength together than acting separately.

“KY3P was formed in late 2015 by IHS Markit in partnership with global banks, asset managers, and big 4 consulting firms,” he said. “The equity stake in the company means that the 12 regional banks now have a seat at the table and can help influence the organization and the industry.  We have more strength together than acting separately.”

When it comes to what this announcement means for BBVA Compass, specifically, Murray said that the bank will see much the same benefits as the other 11 in the consortium, but he also sees this as being an additional factor in identifying and selecting potential third party vendors for the bank. “Many factors go into selecting the best vendor for the bank for a particular service. This partnership will provide us greater access to information. For example, if you know ten banks use a certain vendor in a satisfactory manner and controlled fashion, that is great input into the overall selection process. It’s not the only factor, but it will aid our overall due diligence efforts,” he said.

Opportunities such as this, to work together, may not be as few and far between in the future as they have been in the past. Regional banks, Murray said, tend to see more opportunities to come together to face issues that are common among all of them and not a matter of competition.

“For better or worse, the big banks have more leverage and more resources in certain areas,” he said. “By coming together, the regional bank consortium can effect the kind of change that makes sense for us, and meets our collective needs. It’s a strategy that ultimately makes each of us better while providing better service and security to our customers.”

To read more about today’s announcement with KY3P, click here for a press release.

For more on BBVA Compass, click here.