That question is the foundation of a process that begins long before a contract is signed and continues until the vendor and the customer firm part ways. Managing any relationship with a third-party provider can be taxing for a financial firm, requiring ongoing scrutiny, recordkeeping and now regulatory expectations. It is exponentially more difficult when the firm is managing hundreds or even thousands of vendors through multiple business lines.
With so many internal departments involved and little in the way of official industry-wide standards, financial firms can spend countless hours trying to control vendor risk only to discover they have hired the wrong service provider or missed the warning signs of a relationship going bad.
Markit is betting its new KY3P data hub will provide some badly needed relief to overworked compliance, business operations and technology staffers whose jobs will be on the line if they make a mistake. Wall Street powerhouses Morgan Stanley, HSBC and Barclays are the first to sign up for KY3P, but Markit says it is also targeting global asset managers, including hedge funds, as well as Fortune 500 corporates.
Here is how KY3P, hosted by Dell Cloud Services, works: Financial institutions can use the platform to get answers to a due diligence questionnaire from a selected list of vendors that may be offered requests for proposals. Likewise, the vendors that file their answers on KY3P can choose which institutions may view their responses. Of course, vendors’ responses will not be shared with other vendors, and one financial institution will not give another access to view the responses. Once an RFP is completed and the contract is finally signed, a vendor can update or revise its information on the platform, as well as respond to a new questionnaire and provide audit information. Markit will contribute its own due-diligence updates generated from news and rating agencies.
Interpreting the information and making a decision is up to financial firms. However, KY3P can reduce the time and risk involved in the evaluation and oversight process for both financial institutions and vendors alike, explains Gina Ghent, director of Markit’s KY3P.
Markit’s initiative might help firms reduce not only the administrative burdens involved with vendor management, but regulatory ones as well by providing an accessible audit trail of the due diligence process before and after a vendor is hired. Securities watchdogs have added vendor risk to the list of risk management processes they scrutinize in an audit, and firms have to be ready to provide proof of the adequacy of their programs.
In the US alone, the Office of the Comptroller of the Currency and the Federal Reserve have recommended how banks should oversee their external technology vendors. The Securities and Exchange Commission has warned that it expects fund management firms to prove they have mitigated their cybersecurity risk. However, few financial firms have developed consistent enterprisewide vendor risk management procedures, legal experts tell FinOps Report. As a result, they could face censure or worse for poor oversight of their service providers.
Who Knows What?
In an ideal scenario, all of the departments of a financial firm involved with evaluation and monitoring of a vendor would request and rely on the same set of information, as well as keep track of who knows what and when. The result is that everyone involved is working from the same playbook when deciding on vendor selection, contract renegotiation or terminating a relationship.
Without a method of information sharing, such a seamless process would likely only be achievable within a single department. However, most financial firms have a high headcount and often duplicative processes for due diligence and procurement across business lines, RFP departments, compliance, legal department, IT and even vendor risk management units — each having a different stake in the lengthy multifaceted process. Depending on the size of the organization, the number of vendor relationships could reach into the thousands with varying degrees of importance. Although the term vendor could imply only technology providers involved with critical cybersecurity, data storage, or business continuity services, financial firms now tend to include any third-party provider from an events planner to a fund administrator, custodian bank, or prime broker in the category.
The KY3P platform can replace paper-based requests for proposals to each vendor, and a vendor’s online response can be made available to multiple recipients. “Financial firms can be ensured that all vendors will be sent a standardized set of questions from internal interested parties and will receive one set of answers for each of their departments using the product,” says Ghent. “Vendors, in turn, don’t have to worry about responding to each potential client separately and can rest assured they have provided the same updates to multiple customers.” Timely updates are the most critical when it comes to business continuity plans and cybersecurity breaches.
The KY3P platform has similarities to the new KYC utilities that have recently cropped up, such as Markit and Genpact’s KYC.com, Depository Trust & Clearing Corp.’s Clarient and SWIFT’s KYC utility and Thomson Reuters. All allow financial firms to create consistent standards for the information they need to collect, as well as providing a central location where it can be maintained. They also eliminate redundant work across departments, while protecting the firm from the risk of different information being collected by multiple business lines.
Markit would not specify the annual fees it charges financial firms to use KY3P other than to say the fees depend on the number of vendors they reach through the platform. Third-party service providers won’t be charged for updating their profiles, but will be charged annual fees based on the number of financial firms viewing their answers.
KY3P may not be suited to everyone. “The cost-effectiveness and risk-effectiveness is based entirely on volume,” one vendor risk management specialist tells FinOps. He estimates that tier-one banks, global asset managers, and large corporations with at least 500 vendor relationships would benefit the most. By contrast, smaller to mid-sized banks, broker-dealers or asset managers can probably handle fewer external relationships on their own. However, the merits of its documentation of the compliance process shouldn’t be discounted when considering whether to use KY3P, the vendor risk management expert concedes.