Lacking Smart Third-Party Risk Regulation, JP Morgan Chase, Bank Of America, Wells Fargo, And American Express Create Company: TruSight
The third-party ecosystem continues to flummox risk managers. Regulators keep pushing for stronger oversight, but they fail to offer real standards or tools to make this possible. What’s worse, technology and service providers have only helped large companies become more efficient at asking their third parties hundreds of questions, which means these third parties are drowning in documentation rather than actually managing risk.
Seizing on the opportunity, industry heavyweights JP Morgan Chase, Bank of America, Wells Fargo, and American Express announced yesterday that they’ve collectively founded a company called TruSight to standardize third-party risk data collection and reporting. (Not to be confused with TruSight, the genetic sequencing panels from Illumina; and to be only slightly confused with True Sight, the D&D spell that exposes illusions and other-worldly dimensions, as discussed in the most recent season of Stranger Things.)
Welcome Progress, But New Issues Need To Be Addressed
Whether distributing or responding to survey questions, risk managers will welcome the kind of “network” or “marketplace” solution TruSight promises. But to have the kind of positive impact that the financial industry needs (and that other industries will ultimately want to replicate) there are critical issues to address:
- As long as this solution is proprietary and for-profit, it’s not a standard. Just six months ago, Barclays, Goldman Sachs, HSBC and Morgan Stanley announced investment in the IHS Markit KY3P product, which appears to be a direct competitor of TruSight. There are also vendors like Opus Global and Achilles creating similar communities for third-party risk data exchange, and the Shared Assessments Program lists more than 60 vendor and financial service firm members. So now we have a race to see how quickly these companies can drive adoption (and revenue!) of their dissimilar platforms, processes, and survey questions until a single platform and data standard emerges (perhaps driven by an enterprising regulator?).
- This solution was created by and for firms requesting risk information. While keeping track of risk and compliance profiles across an ecosystem of tens of thousands of third parties is a massive challenge, the larger unmet issue in the industry is the difficulty that tech companies, service firms, and other B2B orgs have in responding to these checklists. It’s not uncommon for some of these companies to have a dozen or more people whose sole job is to read and respond to risk and compliance questions in RFIs, RFPs, and annual assessments. The TruSight announcement gave a nod to these overworked responders, but small improvements in efficiency won’t help them at the bargaining table when they’re asked to provide live data, submit to surprise onsite audits, or meet other demands to participate in these marketplaces. This could ultimately amount to collective bargaining by the industry heavyweights, and huge costs to their suppliers.
- This solution does not mitigate risk for those most exposed to potential loss. Discussions related to this announcement will no doubt evoke the failure of Equifax to protect consumer data as well as its dismal response. It’s true that stricter third party risk programs could help uncover control gaps and prevent future breaches. However, the consumers who suffer the most from these breaches will have no additional visibility into how these companies are considering their best interests, no choice in which third parties have access to their data, and no additional recourse should there be any violation. Again, because industry heavyweights are driving this solution, they will be the primary beneficiaries.
- The scope of risks reviewed in this new solution is vague, and apparently narrow. The TruSight platform is not set to be available until Q1 2018, so the scope of its applicability is still a question. The initial announcement mentioned it would likely cover risks related to infosec, technology, hiring practices, and governance, which leaves off categories such as ethical sourcing, conduct, consumer protection, privacy (which is very different from infosec!), workplace harassment, etc. etc. etc. It’s not surprising that the initial focus will be on concerns highlighted in regulations and audit reports; however, a standard assessment that ignores major risk categories and sources of loss is itself a systemic industry risk.
I know third party risk management is a developing space, and many of you with whom I talk on a regular basis are actively working to improve it. As always, I’m curious to hear your thoughts.