Excellence in Third Party Risk Management (TPRM)


FINMA Circular 2018/3 Outsourcing banks and insurers

Key changes:
- The revised circular applies to banks and insurers
- What can be outsourced is now principle-based and under the responsibility of each company
- Additional reporting requirements, such as an inventory of outsourced services and concentration risks
- Data must be accessible in Switzerland in case of restructuring, resolution and liquidation
- Companies must perform an assessment of the opportunities and risks before outsourcing

The general trend within the financial services industry is to outsource services to third party providers in order to focus more on the core business as well as to increase efficiency and quality and lower costs. Along with these potential benefits, higher risks in different areas such as compliance, legal, reputational, operational and information security risk need to be managed. As a consequence, regulators have strengthened the respective laws and guidelines significantly. In the market, a growing need for an end-to-end TPRM framework (Fig. 1) can therefore be observed, especially focusing on regulatory compliance, operational efficiency and a digital solution.

Regulatory Compliance

TPRM is a highly regulated topic with specific requirements and guidelines across different countries (Fig. 2). Being regulatory compliant is crucial and is in general a challenge for financial institutions. In addition, it is important to identify upcoming regulations to ensure a timely implementation, e.g. in Switzerland the FINMA Circular 2018/3 Outsourcing banks and insurers and FINMA Circular 2017/1 Corporate governance. In a complex regulatory environment, operational efficiency forms the cornerstone of a holistic TPRM solution.

Fig 1: TPRM framework (elements: Excellence in TPRM; Risk Strategy; Governance / Management; Vendor Lifecycle: Onboarding & Due Diligence, Monitoring & Reporting, Termination & Offboarding; Third Party Risk Management Tool; Risk Staff)

Fig 2: Global regulation
- US / FRB: SR / CA 13-21: Guidance on Managing Outsourcing Risk (2013); OCC Bulletin: Third-Party Relationships Risk Management Guidance (2013)
- UK / PRA & FCA: SYSC 8.1 General outsourcing requirements (2018)
- EU / EBA: Guidelines on Outsourcing (2006); Draft Guidelines on Outsourcing, Consultation Paper (2018)
- Switzerland / FINMA: Circular 2018/3 Outsourcing banks and insurers (2017)
- India / RBI: Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks (2006); Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs (2015)
- Singapore / MAS: Guidelines on Outsourcing (2016)
- Australia / APRA: Prudential Standard CPS 231; Outsourcing (2017)
- JFSA: Inspection Manual and Oversight Policy on Outsourcing (2014)
- Hong Kong / HKMA: Supervisory Policy Manual SA-2; Outsourcing (2001)

Operational Efficiency

An efficient TPRM framework is required because TPRM is a complex, long and cost-intensive process. This is mainly due to:
- an increasingly complex regulatory environment resulting in additional governance, processes and controls
- a high number of involved stakeholders (e.g. business, vendors and vendor management) in different locations
- a broad variety of third parties and provided services which need a tailored risk assessment

Therefore, a TPRM framework requires clear governance and processes around the third-party life cycle. The current trends are to standardise risk assessments and centralise operational tasks in a Centre of Competence (CoC) to reduce costs and gain efficiency (Fig. 3). The gains in operational efficiency can be maximised with the help of a comprehensive and integrated digital solution.

Fig 3: Centralised operating model options. Option 1: Bank-internal centralisation (Bank; C1, C2, C3; CoC: centralised, risk-based, standardised). Option 2: Bank-external centralisation (Bank; C1, C2, C3; external CoC: centralised, outsourced). Lines of defence: 1. LoD Business / SVM; 2. LoD Legal & Compliance, IT, etc.; 3. LoD Audit.

Digital Solution

Based on PwC's latest experience, most companies in the financial services industry use simple manual office solutions, which result in highly manual and non-aligned procedures. A digital TPRM solution offers streamlined workflows and sets clear roles and responsibilities, including basic functionalities such as:
- Risk assessment of individual suppliers
- Reporting of status and risk on individual and portfolio level
- Ongoing monitoring of relationships

Therefore, an integrated end-to-end solution combines all required capabilities (Fig. 4).

Fig 4: Proposed solution capabilities (TPRM Solution)

Onboarding & Due Diligence:
- Due diligence questionnaires tailored to the needs of your organisation
- Option to extend for multiple roles, e.g. procurement, compliance, etc.
- Improved governance: roles & responsibilities embedded in the workflow
- Eliminates the need for communication

Termination & Offboarding:
- All termination scenarios covered
- Option to extend based on your organisation's processes
- Archiving functionality: all terminations archived for 10 years (default retention period)

Monitoring & Reporting:
- Standard monitoring of red flags
- Option to tailor red flags to reflect your organisation's policies and risk appetite
- Examples of reports: concentration risk, team progress etc.
- Dashboard with integrated KPIs/KRIs/SLAs
- Pipeline management, including expected workload covered

How we can support you in achieving your targets

Our Swiss and global PwC TPRM team has extensive experience from multiple projects with similar companies and in other industries and is ready and able to support your organisation. PwC always seeks to find the best solution for clients. The following exemplary services can be adjusted to your specific situation and needs.

Regulatory Compliance
- Regulatory Health Check on the current situation within TPRM and impact assessment of upcoming regulations
- Establish consistent regulatory change governance, including radaring, to ensure ongoing compliance

Operational Efficiency
- Operational Efficiency Health Check to benchmark the current level of efficiency and identify options to lower costs
- Design and implement a simplified operating model, including:
--Centralised and risk-based approach
--Standardised operation
--Consideration of shoring and sourcing options

Digital Solutions
- Identify repetitive, high-volume manual tasks to consider automation opportunities
- Evaluate the appropriate TPRM software solution (int. vs. ext.)
- Project and change management support

Contacts
- Dr. Marcel Tschanz, Partner Advisory, marcel.tschanz@ch.pwc.com
- Patrick Akiki, Partner Advisory, akiki.patrick@ch.pwc.com
- Michael Kuss, Partner Assurance, michael.kuss@ch.pwc.com
- Dr. Thomas Busch, Leader TPRM PwC Switzerland, thomas.busch@ch.pwc.com
- Dr. Manuel Plattner, Director Advisory, manuel.plattner@ch.pwc.com

2018 PwC. All rights reserved. PwC refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.