From TPRM to SCRM: Exiger on the Evolution in Supplier Compliance in COVID – Spotlight on Financial Institutions w/ Tara Loftus & Samar Pratt
Welcome to a special five-part podcast series, sponsored by Exiger, on the topic From Third Party Risk Management to Supply Chain Risk Management: Exiger on the Evolution in Supplier Compliance in COVID. Exiger was founded to fight financial crime, fraud and terrorist financing by introducing technology-enabled solutions to the market’s biggest supply chain, risk, investigation, litigation, and compliance challenges. A global authority on risk and compliance, Exiger serves the world’s largest banks, Fortune 1000 companies and government agencies and regulators. Over the next five episodes, we will put a spotlight on financial institutions with Tara Loftus and Samar Pratt; focus on corporations with Aaron Narva and George ‘Ren’ McEachern; consider the federal government and supply chains with Carrie Wibben and Vishnu Anantatmula; review the pillars of good compliance with Brandon Daniels and Carrie Wibben; and end with a review of third-party risk management solutions with Erika Peters and Skyler Chi.
In Part 1, we put a spotlight on financial institutions. In this exploration I am joined by Tara Loftus, a Managing Director based in Exiger’s New York office, where she is part of the Financial Crime Compliance Advisory practice focusing on anti-money laundering (AML) and anti-bribery and corruption (ABC). She has over two decades of financial services industry experience managing compliance and regulatory risks for global banks and securities firms. I am also joined by Samar Pratt, a Managing Director based in Exiger’s London office, where she is a leader in the firm’s financial crime compliance advisory practice, specializing in audit and assurance. Since joining Exiger, Samar has served as Deputy Monitor on behalf of the US Department of Justice, led independent examinations for the Financial Conduct Authority and the Federal Reserve Bank of New York, and helped clients strengthen their financial crime compliance controls across the three lines of defense.
We began with a discussion of some of the top regulatory regimes in the US and internationally that focus on third parties and supply chains. According to Loftus, in addition to enforcement by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), there has been both enforcement and guidance from the Office of the Comptroller of the Currency (OCC) and the Federal Reserve (Fed). In October 2013, the OCC issued guidance on managing third-party and outsourcing risk, and the Fed followed two months later with its own guidance on the same topic.
Rather than talking only about technology, the OCC and Fed addressed compliance risk, concentration risk, reputational risk, country risk, and operational and legal risk. Their guidance also laid out a third-party risk management life cycle: planning, due diligence and selection, contracting, ongoing monitoring, and termination. By the time the New York Department of Financial Services (DFS) issued its cybersecurity regulation, known as Part 500, in 2017, the title of Chief Information Security Officer (CISO) was in use throughout the industry, and financial institutions were already very focused on the cybersecurity programs that the regulation targets, including the third-party service provider requirements it contains.
On the UK/EU side, Pratt noted, regulators in the UK have been pushing firms to improve their supplier risk management programs for decades, and they are still pushing, “particularly given the severe operational disruption that some firms faced due to supplier failures during the start of the COVID-19 lockdown.” The key regulatory regime in the UK is the Financial Conduct Authority (FCA) Handbook, whose various sections contain general requirements for third-party risk management as well as outsourcing requirements that firms must adhere to. The FCA has also issued guidance for firms outsourcing to the cloud and other third-party IT services. Other key regulatory instruments include the Payment Services Regulations 2017, which set out requirements for authorised payment institutions, with Regulation 25 covering outsourcing. One thing the FCA has made clear is that although firms can outsource processes to third parties, they absolutely cannot outsource the risk or the responsibility. Finally, in Europe, the European Banking Authority (EBA, the successor to the Committee of European Banking Supervisors) revised its Guidelines on outsourcing arrangements, which apply from 30 September 2019 and contain key requirements that all institutions across the EU must comply with by 31 December 2021. So there is a lot of activity in this space.
I then asked Loftus what she sees as the three top challenges for financial institutions dealing with third parties and supply chains. The first is the merging of the third-party risk management process with the general procurement or sourcing process. While Loftus believes bringing these two areas together is a good thing, it is a very large remit, and the people in these areas have different skill sets. Second, she identified the challenge of breaking down silos. “When you are trying to mitigate so many risks, there are often many groups or people involved and there can be silos that do not communicate and each have a piece of the puzzle.” The third challenge is risk assessment. Because of the many risks covered and the number of third parties that financial institutions deal with, the risk assessment and risk rating process is very complex.
We concluded with Pratt addressing how financial institutions might meet these three challenges. She believes it is “essentially about getting all the right people around the table and then allocating ownership and accountability to the right teams for the various aspects of the end-to-end supply risk management process.” She then gave an example of a situation in which “pricing, contracts, supply and performance are being managed by the sourcing and procurement teams, risk assessments are being designed, and then oversighted by relevant risk teams to make sure that they don't lose that focus.”
In terms of breaking down silos, Pratt believes it is critical for the sourcing and procurement teams to work hand in glove with the various parts of the business and the risk functions: looking at the supplier data underpinning key products and services, then segmenting and risk rating suppliers in a coordinated fashion to pinpoint the high-risk and critical suppliers that really need attention. In terms of risk assessments, she noted that the role of the compliance team is critical. These risk experts should provide input to group-wide third-party risk management policies and procedures and to business initiatives so that they reflect regulatory requirements, and should also provide ongoing compliance monitoring of third parties.