Third-Party Payment Processors Risk Management: Best Practices
New CFPB regulations have brought consumer protection to the forefront, as well as greater scrutiny to financial institutions. Working from the premise that institutions can’t outsource responsibility for consumer protection, CFPB holds financial institutions responsible for the actions of their suppliers and vendors.
To comply with the changes, financial institutions have to expand the scope of their third-party risk management plans to include the risk the third party holds for consumers, as well as the institution and the financial system. This is not a small challenge and time is of the essence, since regulators have acted quickly to enforce the new laws. Substantial penalties have already been imposed on industries in the financial sector, partly because of the non-compliant activities of suppliers.
Suppliers and vendors will also need to respond to the new regime as financial industries incorporate the required management plans into their operations. It should be noted that many non-financial companies are also adopting third-party management strategies to ensure compliance with other regulators, such as Anti-Bribery and Corruption (ABAC). Third parties will feel the effects of the new regulations early in the relationship with their clients, as the financial institutions follow best practice models for due diligence and risk management in third-party selection, contract negotiation and monitoring.
Enhanced Assessment Process
Suppliers and vendors should also be prepared for an enhanced assessment process on the part of the client in the procurement stage. The emphasis on consumer protection brings more attention to smaller companies than before the new regulations took effect, though not all third parties will receive due diligence to the same degree. Those companies that interact with consumers can expect scrutiny of their human resource management, training, staffing levels, work quality and workload, and the company’s own performance monitoring strategy. Data collection and sharing also presents a risk to the third party’s client, and those practices will be part of a comprehensive review.
Provisions for the financial institution to audit, monitor performance, and require remediation as issues arise will be incorporated into the contract. Audits conducted by the supplier or vendor’s external or internal auditors may be accepted, but regulators expect the client to reserve the right to conduct its own audit. Once the financial institution and the third party have entered into a contract, monitoring activities will be stepped up to comply with the regulations. Both the client and the third party need to establish processes for reporting to management and complying with the law.
Third-Party Risk Management Plan
Financial experts suggest financial institutions can prepare a third-party risk management plan in a matter of months, which means suppliers and vendors need to be ready to align with the client’s plan. Compliance with the new regulations adds costs and responsibilities to the operation of a supplier or vendor. Those that deal with consumers need to pay particular attention, but data collection is another point of vulnerability. It’s essential to understand the regulatory risks that may be inherent in the product or service that’s provided, and identify steps that can mitigate that risk.
Preparing for increased scrutiny for compliance may mean hiring more staff, investing in technology, and ensuring that departments are acting in concert with compliance measures and new processes. While reviewing the state of the operation in relation to compliance issues, look for opportunities to incorporate changes and avoid a piecemeal approach.