Third Party Risk Management Interview with Regtech Industry Leader

As part of Venminder’s Thought Leadership series, I recently had the pleasure of speaking with Jo Ann Barefoot, CEO at Barefoot Innovation Group and co-founder of Hummingbird Regtech. In this series we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends and more.

Jo Ann is a noted advocate of regulation innovation and brings many qualifications to the table. She has an impressive background, so I think it’s important to share more about it with you. She's former Deputy Comptroller of the Currency, partner at KPMG, co-chairman of Treliant Risk Advisors and staff member at the US Senate Banking Committee. Jo Ann serves on the FinTech Advisory Committee, for FINRA, is an executive board member of the International RegTech Association, is a member of the Milken Institute US fintech Advisory Committee, serves on the board of Oportun, has served on the CFPB’s Consumer Advisory Board, is Senior Adviser to the Omidyar Network and host of the podcast show Barefoot Innovation.

Jo Ann Barefoot Interview Highlights

During our time, we covered:

• Ways regtechs enhance third party risk
• Vetting regtechs
• Best practices for managing a regtech company’s cybersecurity
• Managing/regulating regtech companies
  
  

The Heart of the Regtech Dilemma

Right out of the gate, I asked Jo Ann how regtech firms are enhancing the way in which organizations are performing third party risk. And, interestingly, she took a different approach to the question and shared some unique perspective that I found to be very valuable. First, it’s true that regtechs are enhancing the ways in which organizations do third party risk because they’re able to digitize information and do so “easily, instantly, cheaply, and so on” which improves everything from an efficiency and tracking standpoint.  

However, fully embracing the new technologies is the true dilemma for risk managers right now, says Jo Ann. Risk professionals are trying to get a good grasp on how to embrace the emerging technologies that are being created by very young firms, but also deal with the fact that they’re not always comfortable with most of the regtech firms being so new to the space. Basically, these firms have not established enough rapport yet as they do not have a history of regulatory approval, client approvals, etc. Therefore, highly regulated organizations and industries are struggling with this.

Vetting a Regtech Vendor

I think it’s important to properly vet your regtech vendors, so I asked Jo Ann for her insight and tips on how to best accomplish this. Here are 3 tips she shared with me:

1. Ensure your team understands the technology they’re vetting. While this may seem obvious, she shares that it’s a real challenge for many organizations to acquire the skillsets needed to adequately evaluate the newer technology.
2. Perform due diligence on the company’s track record. And, if the regtech has already been vetted by an organization who sets the bar high, or has high expectations, that’s going to help you out.
3. Decide if you’re willing to view regtech partnerships as experimental. Meaning, since decisions can take so long in highly regulated industries, such as banking, the possibility of running test pilots with the regtech companies to show proof to senior management, the board and regulators early on can be helpful to show that the vendor is a good fit.
   
   

Managing Cybersecurity

Jo Ann feels that organizations need to begin migrating to the cloud as this will help with managing cybersecurity. You may think the cloud seems unsecure; however, it’s actually more secure. Why? First, if properly designed, it’s more secure than an on-premises environment. Second, it’s less vulnerable to attack. And, a third point she added, is that the cloud is the answer to innovation.

Personally, I agree with Jo Ann. I’ve often said that the days of traditional in-house data centers are numbered. It’s costly to maintain your own in-house data center, so many are moving to the cloud.

A Look to the Future

There’s been a lot of discussion around the best way for the governing regulatory agencies to manage and regulate regtech companies. Given Jo Ann’s regtech expertise and regulatory background, I was eager to hear her perspective on the best approach to this. Here’s what she shared.

1. Regulators must transform how they look at risk and begin to move towards a digitized approach
2. Regulators must speed up to keep up with the rapid technology changes

How will regulators accomplish these two things? Jo Ann says they need to make changes to the group of individuals who are in the room. Mix it up slightly. Included in the group needs to be people who have strong technology skills. Finally, they need to run experiments and test regulations.

Wrap Up

Jo Ann recently formed a nonprofit called the Alliance for Innovative Regulation (AIR). According to Jo Ann, “We are working on trying to pull together the players from across the ecosystem, and to figure out these kinds of problems. How can the regulators and the industry risk management professionals collaborate more closely and accelerate how we're going to get things done while still making sure that we're doing everything safely and carefully?”

As a former banker myself, I know that many will welcome this wonderful initiative. Many feel anchored to regulation that seems outdated in many ways, so this should really help with clarification.

To wrap things up, Jo Ann shared some final thoughts on the importance of technology.

“Technology is the most important thing happening in both finance and financial regulation. Maybe that seems obvious, but we don't act that way most of the time. The technology trends that are driving this, we tend to frame them as if there are innovations in financial products or regtech solutions. But, it's really the transformative tech trends that are reshaping every sector of our lives.”

She feels technology is going to transform how finance and financial regulation are done, which will funnel down to how third party risk management is done, and it’s a real opportunity to do it all much better.

On behalf of Venminder, I’d like to thank Jo Ann for her participation in this series. Be sure to listen to our discussion here to catch even more helpful information.

Are you handling vendor management like the best vendor managers? Find out with this infographic.