As part of our Venminder Thought Leadership series where we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends, and more, I had the opportunity to speak with Glen Trudel of Ballard Spahr LLP.
Glen is a consumer financial services, banking and business attorney at Ballard Spahr. He counsels financial institutions, marketplace lenders, fintech entities and other companies on both regulatory and transactional matters. He also advises state and federal financial institutions on regulatory, operational and vendor outsourcing matters, debt, sales and collection agreements, and other transactions. You can listen to the full interview here.
Glen Trudel Interview Highlights
During our time, we covered:
- Third-party risk struggles financial institutions are facing
- Ongoing vendor risk management
- Cybersecurity and industry expectations
- Senior management and board level involvement
When asked how financial institutions are doing with regard to third-party risk management, Glen shared that while it’s difficult to make meaningful pronouncements about the industry as a whole, he does think everyone is dealing with similar issues and that it’s a job that never ends.
He said it’s a continuing process in which you are trying to establish a workable and compliant process and a structure that allows you to consistently do what your procedures say you’re doing. With the release of OCC Bulletin 2013-29, it’s safe to say that expectations have been raised and that financial institutions need to be doing this continuously.
3 Common Third-Party Risk Management Struggles
A few areas came to Glen’s mind when thinking about the struggles in the industry:
- Cooperation from third-party service vendors. This seems to be the biggest issue. In particular, it’s difficult to get third-party vendors who provide critical functions to help meet regulator expectations and requests, such as the level of access, information or auditing to be provided. This is something most institutions understand all too well at this point.
Solution: Glen thinks there is a potential solution to this issue. Take into consideration regulatory guidance OCC Bulletin 2017-21, which discusses collaboration among institutions using the same service provider. This can lead to additional benefits, such as gaining access to other institutions’ reporting that you may not be receiving from the provider, and more negotiating opportunities overall.
- Ongoing monitoring and maintenance of vendors. It’s easy to lose sight of the ongoing monitoring requirements. After all, it’s said to be the most forgotten pillar of vendor management. This can be a huge issue when regulators are on-site requesting documentation showing XYZ and that documentation is lost in the shuffle, or worse, not available because the due diligence wasn’t done.
- Not having a robust enough system in place. Without a robust vendor management system, regulators may pick up on a vendor’s regulatory or service deficiencies before your own system does, which can be a serious issue.
Cybersecurity – How Hot Is the Topic Really?
Glen thinks cybersecurity is a very hot topic and will only continue to be. So why exactly is this? The industry is always evolving, and new systems are constantly being introduced into the marketplace, which means additional regulations and requirements become necessary and new industry best practices keep emerging.
“Institutions really need to have their fingers on the pulse of this,” Glen said.
At Ballard Spahr, they are constantly getting requests from clients for pre-incident counseling, post-incident counseling, tabletop exercise procedures and all kinds of related cybersecurity material. Cybersecurity is going to take additional resources to manage properly at institutions of all sizes.
As a quick tip, Glen offered some expert insight regarding cybersecurity provisions within agreements: it’s important to avoid unrealistic incident reporting obligations. When an agreement says, for example, that an incident’s root cause, along with an additional list of requirements, must be reported within a short timeframe, such as 24 hours of the breach, it’s simply unrealistic and probably not going to happen. The standard is unsustainable because it can often take months to know all the systems that have been affected.
Senior Management and the Board – Demonstrating Their Level of Involvement in Risk Management
There are some ways that senior management and the board can best demonstrate their level of involvement. These include:
- Having retrievable documentation of all the efforts being made by senior management and the board.
- Taking regulatory feedback into consideration. If the regulator gives feedback, whether positive or negative, regarding senior management’s or the board’s level of involvement in the program, document it so that it’s available for all to reference.
To show senior management’s and the board’s level of involvement effectively, it all comes back to documentation that outlines that involvement. People leave companies, are promoted or change departments, which means you may no longer be able to go directly to the source with questions, so it’s important that everything senior management and the board are doing is documented well.
In Summary
Glen touched on a lot of great areas in third-party risk management during our short time together. I look forward to seeing how each of these evolves and would like to extend a thank you to Glen and Ballard Spahr for their time. Be sure to subscribe to our Thought Leadership interview series to be notified as more informative interviews are released.
As Glen said, it's important to communicate to your board and senior management their involvement in third-party risk management - download our infographic now to help guide you through this task.