With digital technology evolving by the day, more and more financial institutions are turning to third parties to handle an array of business functions. However, this can open up regulatory vulnerabilities which can be easy to miss – as Raphaels Bank discovered to their cost last year.
Third party risk
The FCA issued the bank with separate fines totalling £1,887,252 for failing to manage their outsourcing correctly. In 2015, one of Raphael’s card processor providers suffered a technical incident which caused the complete failure of the authorisation and processing services it provides to Raphael. This meant 5,356 transactions were not authorised at sales terminals.
The FCA investigation found that Raphaels failed to implement adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its provider. In particular, they had not assessed how that provider would support the continued operation of its programmes during a disruptive event.
Back in March, the FCA published new research on cyber resilience in the financial sector which included statements on third parties. Their research stressed the need for businesses to consider the risks and weaknesses of third party systems and resources when assessing their cyber resilience measures.
In January, they also released a paper explaining the implications of operational resilience for firms using third party service providers. We have more details of the FCA’s stance on the Global Regulatory Platform, but the essential message from the FCA is that every firm has the responsibility for managing its third parties. While you might be surrendering control of operations and data, the responsibility rests with you.
That means that if your third party experiences a problem which results in harm to your customers, you may be held accountable for the damage which results.
This has major implications for any company working with third parties, particularly in relation to their exposure to cybercrime. Data obtained last year by accountancy firm RSM under the Freedom of Information Act found that a fifth of all cyber breaches occurred due to third parties.
Lessons to be learned
The lessons are clear. As a firm, you should monitor all third parties you’re working with. Each one potentially represents a vulnerability if its processes and systems are not up to scratch.
Extensive due diligence should be conducted before entering into an agreement. You should have a full understanding of what redundancy measures are in place in the event of any disruption or system failure. You should establish how resilient the company is to cyber attacks and what measures are in place if it suffers a breach.
Failure to take these precautions will leave you vulnerable to fines from the regulators, and in the age of GDPR these fines can be considerable.