Security incidents at financial institutions attributed to partners and vendors rose to 18% in 2012. Although improvements to strengthen third-party risk management (TPRM) have been made, PwC has found that most institutions still need to apply a risk-based approach to their vendor reviews.
In today’s environment, it would be nearly impossible to find a financial institution that doesn’t contract with a third party. But the convenience and flexibility of outsourcing to third parties come with significant risks, including the potential for regulatory penalties related to third-party incidents: penalties that have soared in recent years.
Leading institutions are embracing new methodologies, including escalation and exceptions processes; due diligence assessments; a centralized TPRM office; a central issues repository; and vendor stratification. In our view, stratification, a risk-based methodology for analyzing the third-party population and identifying those services that present the greatest risk, helps financial institutions quickly prioritize their efforts to address initial and ongoing effectiveness and efficiencies.