By James McPherson, Director, Credit Agricole CIB
Technology Service Providers and the Road to the Vendor Management Dashboard
Just ten years ago, it was not uncommon for some variation of the following scenario to play out when a software provider handed a financial services firm, such as an investment bank, a software license agreement for review. The contract would first be reviewed by the business or procurement teams, which would engage in some haggling over price and the scope of services. The contract would then be passed over to the bank’s legal department, where an attorney would attempt to revise certain sections, just before the revised version was returned to the software company for further review and a response. A few days later, or in some cases, even a few hours later, the agreement was returned to the bank in what appeared to be substantially the same format as originally proffered by the software company, although the price may have been adjusted slightly downwards in an effort to appease the client bank.
For various reasons, particularly in regards to what was customarily considered a standard form of license agreement and related services, there was generally a relatively low expectation that any terms outside of pricing and scope of services could be or would be highly negotiable. Times have changed.
Indirect Regulation of Third Party Service Providers
March 1, 2019 was the final effective date for compliance with Part 500.11 of the new cybersecurity regulation promulgated by the New York Department of Financial Services (“DFS”), the major parts of which regulation were first effective March 1, 2017 (23 NYCRR 500, referred to herein as “Part 500”). Part 500 is applicable to any financial institution authorized by the DFS to engage in the business of banking or insurance within the State of New York.
In order to allow financial institutions adequate time to prepare for compliance, the DFS staggered effective dates for certain sections of Part 500. The DFS provided regulated entities a two-year period to establish policies and procedures adequate to ensure the security of nonpublic information and information systems that may be held or accessed by any third party service providers. As of today, Part 500 is now in full force and effect and financial entities licensed by the DFS are expected to be in full compliance with all sections of Part 500.
Unlike much of the other guidance on third party service providers that has been issued by various U.S. regulators over the past two decades, Part 500 is a regulation, and as such, carries the full force and effect of law, in the same way as any other regulation promulgated by a government authority. While most service providers are not directly under the jurisdiction of the DFS, by doing business with a DFS regulated entity, such service providers will be affected in a manner comparable to their client, which is a regulated entity.
Service Providers Come Under Increasing Scrutiny
The risks inherent in engaging any third party service providers in support of critical or non-critical systems, particularly in cases of outsourcing, have been recognized and discussed through various guidance published by U.S. regulators, in large and material part over the past two decades. Until more recently, regulators were generally comfortable with the existence of third party service providers, and even with outsourcing, provided the regulated entity maintained a documented system of processes and controls to ensure that any engagements with such service providers did not result in the regulated entity becoming non-compliant with any applicable regulations.[1] For various reasons, that comfort level seemingly disappeared shortly after 2008.
Technology service providers started to come under more scrutiny in the aftermath of the financial crisis that started in 2008. During regulator focus on resolvability of systemically important financial institutions, third party service providers garnered attention during discussions around a bank’s critical operations, in respect to which technology service providers had been performing increasingly critical and material functions. In the course of analyzing the structure of critical operations at the major banks in order to gauge a firm’s resiliency in times of extreme financial distress, regulators started to gain a greater appreciation for the role technology service providers played in the bank’s back office and IT systems and infrastructure. In some cases, not an insignificant portion of a bank’s back office or critical IT infrastructure, necessary for the bank’s normal day-to-day operation, was provided in significant or material part by third party service providers, some of which provided such services from completely outside the U.S. Where service providers were acting in a critical function or otherwise providing key services for a systemically important financial institution, concerns began to arise in respect to what could happen in the event such service providers refused to continue providing key services to the financial institution during insolvency or receivership proceedings. This presented an unacceptable risk in the eyes of the regulators.[2] As such, failure to adequately map critical operational dependencies, coupled with an overreliance on one or two key service providers without adequate contractual protections, could further hamper the ability of any receiver or court-appointed trustee attempting to resolve the failing institution, making an orderly resolution even more difficult.
In this context, financial institutions were required to review their relationships with their vendors, with a focus on any critical service providers, in order to assess any critical dependencies and identify contractual deficiencies, addressing such contractual deficiencies where possible.
As regulators were finalizing their resolution planning rules as well as issuing additional guidance on the engagement of service providers more generally, third party service providers abruptly ceased their supporting actor roles and took center stage as the culprit and weakest link, after several widely publicized cybersecurity breach incidents that were found to have originated at or through the IT infrastructure or systems of a third party service provider.[3] Shortly after, a plethora of congressional threats and regulator guidance ensued. Over the past five years, financial firms have been compelled by various forces to review their approach to engaging service providers of all types, whenever such vendors hold or access the private, non-public, or otherwise sensitive or confidential information of the financial institution or any of the financial institution’s customers. Certain States (New York) decided to take the lead and promulgated regulations (as opposed to mere guidance) on the subject of cybersecurity.
Technology Service Providers as Providers of Critical Services
Over the past decade, technology itself and the utilization of technology in a much broader range of areas has evolved and expanded at an exponential pace. The causes are mixed; in the financial services industry, however, such rapid change appears to have evolved from a combination of advances in technology itself, the need to cut costs, and various regulatory actions.
In many areas, technology has evolved to critical mass. For example, software company challenges associated with installing software instances in the client’s environment have been significantly reduced due to the increased use of the Software-as-a-Service (“SaaS”) delivery model and other similar cloud-based solutions. While the SaaS model has been around for many years, its attraction has increased with the growth of the internet and ever-increasing data transmission speeds. Under today’s SaaS model, instead of purchasing a software license for implementation and rollout on the client’s local systems, the client “rents” the solution, which is often housed off-site, and pays the service provider to maintain the solution, and in certain cases, the server on which the solution is hosted, as well as provide other related ongoing support and services. Many SaaS solutions are also offered as an “off-the-shelf” product or service, meaning the client could be up and running in only a matter of days. SaaS solutions are often run in conjunction with or as part of a cloud-based solution. The utilization of cloud-based solutions may still be relatively low; however, industry experts expect that utilization and market penetration of such service providers in the financial services area (including Fintech) will rise significantly over the next five to ten years.[4]
The financial crisis that started in 2008 and the regulatory actions that followed, forced banks to reduce fat. Dieting was not limited to the front office – operational areas and non-IT support functions were also at risk. Part of the slim-fast regime included exploring ways to ramp up outsourcing and expand utilization of SaaS or SaaS-like solutions.
Significant cost savings may be realized by outsourcing. However, the initial move to an outsourced model, whether it be managed capacity or managed services, can incur significant upfront costs in terms of time and resources spent in planning and implementation. Furthermore, the actual hard dollar costs, in addition to the time and resources associated with any reversibility or transfer of services to a new provider, under any circumstances, can be comparably significant. As such, absent significant or material recurring breaches or major defaults not capable of being cured, a client firm, more often than not, may be more inclined to attempt to work out any issues with the service provider, as opposed to immediately declaring a default or exercising any rights that would ultimately lead to reversibility. Similarly, any significant change in the client firm’s business that results in a corresponding material change to the original business case for outsourcing would also warrant careful consideration for the same reasons.
Ironically, in hindsight, many of the regulatory reform laws that came out of the financial crisis, particularly those aimed at Wall Street, actually set the stage for risk to be even more concentrated than it was before 2008. In perceiving clearing, electronic platform execution, and trade repository reporting as the panacea for many of the ills that led up to the financial crisis that started in 2008, the U.S. Congress and the U.S. regulators seemingly neglected to consider the significant amounts of capital expenditure that would be required in order to build out the necessary infrastructure for market participants to comply with their new rules, which came in the form of the Dodd-Frank Act of 2010 (“DFA”).
Because the big banks and brokers were viewed as the most culpable parties, they ended up shouldering a significant part of the new obligations under the DFA. Many of these obligations translated into increased capital expenditures to build the infrastructure that swaps are traded on today. The increased costs associated with regulatory compliance caused a number of market participants to struggle as they attempted to reorganize themselves and their business models. Where those efforts failed, such firms ceased operations or were absorbed by other market participants. On the other hand, larger institutions capable of funding the requisite infrastructure and systems build-outs were able to substantially increase their market share of the trade flow, while also snatching up various gems along the way from among what was left of the fallen. Certain firms, particularly in the U.S., are larger today than they were prior to 2008. While risk may have been reallocated, in certain important areas it has also become more concentrated among a smaller number of major global players.
The areas of the IT industry that serve the financial markets have concurrently benefited. The relatively rapid growth and evolution of supercomputers, machine learning, automation, and artificial intelligence during such period has allowed technology service providers to increase operational efficiencies, with continued cost reduction, not only for their clients, but also for themselves. Similar to the financial services industry, the technology market has also experienced market consolidation. While this consolidation has increased concentration risk, it has also allowed technology firms to acquire critical mass and take advantage of economies of scale. It is predicted that consolidation within segments of the industry will likely continue in the near future as firms attempt to reach critical mass, build economies of scale, and pick up expertise that they have not been able to develop organically.
Vendor Management
There is much literature out there on what a vendor management program should include, what issues commonly arise during due diligence, and what mitigating actions may be taken or factors considered in getting from RFP (request for proposal) through final contract execution, in particular in respect to outsourced critical services, all of which is beyond the scope of this discussion. The following thoughts are more basic.
Review and due diligence on service providers, and any of their respective service providers, the so-called Nth provider,[5] is comparable in many ways to the review and ongoing assessment financial institutions have been required for years to do in respect to their own customers in order to comply with anti-money laundering (“AML”) and sanctions laws. Similar to AML and KYC (know-your-customer) rules, the U.S. regulators have generally allowed financial firms to take a “risk-based” approach in establishing policies and procedures for vendor management and developing their “know-your-vendor” programs, which programs should take into account both the financial institution’s own risk profile, based on its own menu of products and services and client base, and the risk profile associated with the particular service provider or category of service providers under review. Artificial intelligence (A.I.) and its rise in significance as a potential weapon within the AML space promises new precision and efficiencies, which functionalities, if successful, could most likely also be applied to vendor due diligence as a function of the procurement and contracting process.
AML concerns aside, understanding the business of the bank’s own customer allows the bank to provide better services tailored specifically for its customer’s needs, and potentially increases the bank’s ability to spot early warning signs that may be indicators of more serious risks. Likewise, more precise knowledge of a service provider’s delivery models and the individual services themselves may help a bank identify risks that can be mitigated upfront by the bank acting on its own, or in collaboration with other parties, including the service provider itself, thus allowing the bank to meet regulatory expectations as well as potentially negotiate more precisely focused contractual protections, appropriate in scope and application for the particular services being provided.
The rules, policies, procedures, and information systems and tools associated with the AML business are presently more developed than those in the vendor management space. Furthermore, the significance of the liability in terms of penalties and remediation expenses associated with violating AML and sanctions laws, and the certainty that such sanctions will be imposed if liability is found, cannot be overstated. Nevertheless, despite having different purposes, the underlying goal of both programs is fundamentally the same: know the person you are dealing with – and in many cases, know who they are dealing with.[6]
Closing
The so-called Fourth Industrial Revolution, an insurgency being catapulted forward by all things digital, promises to be disruptive, disconcerting, exhilarating, and intoxicating. As with any revolution, new challenges will arise, and when it comes to third party risk management, being able to adequately identify and address such risks, and monitor them as appropriate on an ongoing basis, starts (and sometimes ends) with knowing your vendor, and your vendor’s vendors.
Times have changed. Contracts today are expected to be reviewed and scrutinized closely. Multiple internal stakeholders and subject matter experts aligned with the interests of the financial institution client may be involved in the contract review process. There is the expectation (and regulatory requirement in some cases) that contracts will be more strenuously vetted and negotiated, and that appropriate contractual protections will be included to address any remarkable risks that are identified. The better financial institutions know their service providers, the easier and more efficient negotiations will hopefully be, from the first request-for-proposal all the way through to the execution of the last service level agreement.
Author:
James McPherson is a Director and Counsel at Credit Agricole Corporate and Investment Bank in New York. Unless another source is indicated, the views and opinions expressed herein are those of the author only, and in no way reflect or represent the views or any positions of the author’s employer.
[1] In all cases, any part of a regulated entity’s activities that under law require a license to conduct, cannot be outsourced. Furthermore, notwithstanding the engagement of any third party service provider, the regulated entity at all times must remain primarily liable for any acts or omissions of any of its service providers.
[2] It was not uncommon then nor today, that contracts for services customarily allow either party to terminate the agreement upon the event of an insolvency of the other party. Historically, the inclusion of this type of provision, even in executory contracts, has been relatively noncontroversial. However, the exercise of such a termination right by a critical service provider in the middle of an insolvency or reorganization proceeding most likely would frustrate the orderly resolution efforts of a complex financial institution.
[3] Around the same period, the DFS took aim at a third party service provider for developing end-to-end encryption functionality for communications systems that were being marketed in a manner the DFS felt was inconsistent with DFS rules, in that such technology could be used by banks to effectively preclude the DFS from accessing communications among banks utilizing such technology platform.
[4] The Financial Stability Board (FSB) discussed cloud solutions at some length in their recent report on FinTech developments and financial stability implications, entitled “FinTech and market structure in financial services: Market developments and potential financial stability implications”, issued February 14, 2019.
[5] See eSentire’s January 2019 report entitled “Third-Party Risk to the Nth Degree” for eSentire’s survey of 600 IT and security experts on concerns relating to third party and fourth party risks. Also see “Data Risk in the Third-Party Ecosystem: Third Annual Study,” sponsored by Opus and issued in November 2018, containing the survey results of over 1,000 IT and security experts, also covering concerns relating to service provider risks.
[6] Both reports from eSentire and Opus indicated, among other things, that for various reasons, companies failed to adequately prioritize vendor risk management and that a significant number of respondents were not confident that vendors kept them adequately informed of critical issues, such as a data breach and that this number sank even lower in respect to an Nth vendor.