Welcome to Episode 5 of Risky Business with PaymentWorks!
Yakut Akman has 40 years of experience in financial services, covering a wide range of functions globally, including Operations & Technology, Risk Management, Audit, and Regulatory Compliance.
She joined to discuss all things third-party risk management.
Read the excerpt of the podcast below or listen to the full episode here.
Ms. Akman started her career at Citibank Istanbul as an Executive Trainee and then worked in multiple locations gaining extensive global experience. Over time, she excelled in Operations Management as a thought leader and a change agent as the financial markets, and in response, the regulatory expectations grew more complex. Ms. Akman focused on process efficiency and effectiveness while balancing operational risks and controls. She sharpened these skills in Internal Audit overseeing new emerging risks. As a Risk Manager of key businesses, Ms. Akman actively interacted with government agencies around the world. She successfully addressed high-profile, enterprise-wide issues by setting standards, building trust and achieving sustainable results.
First one is the planning phase, when a bank is surely thinking about starting a relationship with a third party, that’s the planning phase. That is the due diligence phase, you have to go through a checklist of things that you need to make sure that the third party is an entity that would be okay to start a relationship with.
Then when you shake hands, and you go through the whole third phase of contracting, that’s important. But I would argue that the fourth phase is really the longer lasting and important phase which is ongoing monitoring because things change and this could be [a] years long [phase]. And the last phase, which is termination, may come up because the contract expires, or because you’re not happy with the services you’re getting from the third party.
When I started my career in banking, we did everything in house. The only things that were outsourced, was check printing, and maybe the cleaning of the offices. Over the last 10-20 years, banks have significantly increased the number and the complexity of bank functions that they outsource. Why? Because there was an emergence of third parties that could do similar functions better, faster and cheaper.
The banks were happy to outsource the services and pay for them. But what they forgot in the process was an oversight function of these third parties. I often liken this to parents dropping off their kids at a babysitter and then going out to enjoy themselves, and thinking, okay, the kids are the babysitter’s responsibility. They’re not. You’re still responsible.
The third parties were smart. They were happy to get paid without proper oversight. And then too many problems started emerging, and so much so that they contributed to the 2008 financial crisis.
The regulator’s certainly took notice of this. In 2013, I certainly dealt with the OCC and the Fed a lot. They published their third party risk management guidance, and significantly expanded their review of the bank’s third party management programs.
In any bank there’s lots of different processes and systems to support the different functions, whether it’s procurement, to pay, sales, contracts, risk management, compliance, information, security, cybersecurity, contingency of business, and so on. These departments and groups— some of them didn’t [even] exist a few years ago— are very big groups within an organization. They go and pick their own systems, they come up with some brilliant tool to take care of whatever it is that they’re responsible for. But nobody really has that bird’s eye view, that overall view of what’s going on to make decisions and put in the necessary central controls.
“There’s evidence that when third parties enter their data themselves, the error rate goes down significantly.”
A lot of these systems have been around a long time. They’re rather archaic, and they use old technology, there’s no connectivity between the systems. We may at best have some mapping between similar fields. I remember, many years ago, I was heading up derivatives and something came up and we needed to determine our exposure to a major Fortune 100 company. We realized that the company was in a gazillion different systems. And the name was spelled differently in every system!
So to me, the starting point is that repository of third party core data in a central way. At least, if you make sure that the name, address, tax ID, right? [Where] some core data defining the third party is centrally kept, and then fed into different systems, that would be a huge step in the right direction.
There’s evidence that when third parties enter their data themselves, the error rate goes down significantly. Because it’s not a one time thing we’re talking about here, once you set up your third party, things change over time, their address change, names change, all sorts of things change, right? So allow the third party to have control over their data, with some oversight and control, of course.
