Excellence in Third Party Risk Management (TPRM) www.pwc.ch


Post on 24-Jun-2020


FINMA Circular 2018/3 “Outsourcing – banks and insurers”

Key changes

• The revised circular applies to banks and insurers

• What can be outsourced is now principle-based and under the responsibility of each company

• Additional reporting requirements like inventory of outsourced services and concentration risks

• Data must be accessible in Switzerland in case of restructuring, resolution and liquidation

• Companies must perform an assessment of the opportunities and risks before the outsourcing


The general trend within the financial services industry is to outsource services to third party providers in order to focus more on core business as well as to increase efficiency, quality and lower costs.

Along with these potential benefits, higher risks in different areas such as compliance, legal, reputational, operational and information security risk need to be managed. As a consequence, regulators have strengthened respective laws and guidelines significantly. In the market, a growing need for an end-to-end TPRM Framework (Fig. 1) can therefore be observed, especially focusing on regulatory compliance, operational efficiency and a digital solution.

Regulatory Compliance

TPRM is a highly regulated topic with specific requirements and guidelines across different countries (Fig. 2). Being regulatory compliant is crucial and is in general a challenge for financial institutions. In addition, it is important to identify upcoming regulations ensuring a timely implementation, e.g. in Switzerland the FINMA Circular 2018/3 “Outsourcing – banks and insurers” and FINMA Circular 2017/1 “Corporate governance”.

In a complex regulatory environment, operational efficiency forms the cornerstone of a holistic TPRM solution.

Fig 1: TPRM framework (Excellence in TPRM: Risk Strategy; Governance / Management; Vendor Lifecycle with On boarding & Due Diligence, Monitoring & Reporting, Termination & Off boarding; Third Party Risk Management Tool; Risk Staff)


Operational Efficiency

An efficient TPRM framework is required because TPRM is a complex, long and cost-intensive process. This is mainly due to:

• increasingly complex regulatory environment resulting in additional governance, processes and controls

• high number of involved stakeholders (e.g. business, vendors and vendor management) in different locations

• broad variety of third parties and provided services which need a tailored risk assessment

Therefore, a TPRM framework requires a clear governance and process around the third parties’ life cycle. The current trends are to standardise risk assessments and centralise operational tasks in a Centre of Competence (CoC) to reduce costs and gain efficiency (Fig. 3).

The gains in operational efficiency can be maximised with help of a comprehensive and integrated digital solution.

Fig 2: Global regulation

• India / RBI: Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks (2006); Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs (2015)

• JFSA: Inspection Manual and Oversight Policy on Outsourcing (2014)

• Australia / APRA: Prudential Standard CPS 231; Outsourcing (2017)

• Switzerland / FINMA: Circular 2018/3 Outsourcing – banks and insurers (2017)

• EU / EBA: Guidelines on Outsourcing (2006); Draft Guidelines on Outsourcing, Consultation Paper (2018)

• Singapore / MAS: Guidelines on Outsourcing (2016)

• Hong Kong / HKMA: Supervisory Policy Manual SA-2; Outsourcing (2001)

• US / FRB: SR 13-19 / CA 13-21: Guidance on Managing Outsourcing Risk (2013); OCC BULLETIN 2013-29: Third-Party Relationships Risk Management Guidance (2013)

• UK / PRA & FCA: SYSC 8.1 General outsourcing requirements (2018)

Fig 3: Centralised operating model options (Option 1: Bank-internal centralisation, labelled Centralised, Risk based, Standardised; Option 2: Bank-external centralisation, labelled Centralised, Outsourced; each shows a CoC with C1, C2 and C3 alongside 1. LoD Business / SVM, 2. LoD Legal & Compliance, IT, etc. and 3. LoD Audit)


Digital Solution

Based on PwC's latest experience, most companies in the financial services industry use simple manual office solutions, which result in highly manual and non-aligned procedures. A digital TPRM solution offers streamlined workflows with clear roles and responsibilities, including basic functionalities such as:

• Risk assessment of individual suppliers

• Reporting of status and risk on individual and portfolio level

• Ongoing monitoring of relationships

Therefore, an integrated end-to-end solution combines all required capabilities (Fig. 4).

Fig 4: Proposed solution capabilities (TPRM Solution: On boarding & Due Diligence; Monitoring & Reporting; Termination & Off boarding)

• Due diligence questionnaires tailored to the needs of your organisation

• Option to extend for multiple roles; e.g. procurement, compliance, etc.

• Improved governance: Roles & responsibilities embedded in the workflow

• Eliminates the need for email communication

• Standard monitoring of red flags

• Option to tailor red flags to reflect your organisation’s policies and risk appetite

• Examples of reports: Concentration risk, team progress etc.

• Dashboard with integrated KPIs/KRIs/SLAs

• Pipeline management, including expected workload covered

• All termination scenarios covered. Option to extend based on your organisation’s processes

• Archiving functionality: All terminations archived for 10 years (default retention period)


How we can support you in achieving your targets

Our Swiss and global PwC TPRM team has extensive experience from multiple projects with similar companies and in other industries and is ready and able to support your organisation. PwC always seeks to find the best solution for clients. The following exemplary services can be adjusted to your specific situation and needs.

Regulatory Compliance

• Regulatory Health Check on the current situation within TPRM and impact assessment of upcoming regulations

• Establish consistent regulatory change governance including radaring to ensure ongoing compliance

Operational Efficiency

• Operational Efficiency Health Check to benchmark current level of efficiency and identify options to lower costs

• Design and implement a simplified operating model including:
  - Centralised and risk-based approach
  - Standardised operation
  - Consideration of shoring and sourcing options

Digital Solutions

• Identify repetitive, high-volume manual tasks to consider automation opportunities

• Evaluate the appropriate TPRM software solution (int. vs. ext.)

• Project and change management support

Michael Kuss, Partner Assurance, +41 58 792 15 [email protected]

Dr. Manuel Plattner, Director Advisory, +41 58 792 14 [email protected]

Dr. Thomas Busch, Leader TPRM PwC Switzerland, +41 58 792 24 [email protected]

Patrick Akiki, Partner Advisory, +41 58 792 25 [email protected]

Dr. Marcel Tschanz, Partner Advisory, +41 58 792 20 [email protected]

© 2018 PwC. All rights reserved. “PwC” refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.