Navigating Nonvendor Risks

A recent RMA survey indicates a steady increase in the maturity of nonvendor third-party risk management programs at banks. That’s important, experts say, because it allows institutions to concentrate third-party risk efforts in the areas that matter most. Twenty-eight percent of survey respondents said their programs were mature, up from 14% in 2015.  

“Banking organizations have, and are, developing methodologies that align with their risk appetite to allow for a more risk-based approach to third-party risk management than we have seen in prior years,” Matthew Buskard, senior director of enterprise risk management at Fifth Third Bank, said. 

The Third-Party Nonvendor Risk Management Survey included diverse participants, ranging from community banks to investment banks, headquartered across the U.S., Canada, and Europe. (For a handy explainer on vendor vs. nonvendor third parties, read this.) 

Other key takeaways included: 

• Sixty percent of respondents now maintain a special nonvendor list, a notable increase from 43% in 2019, reflecting a shift towards customized risk management for nontraditional third parties. 
• More than 80% of respondents have completed or are in the process of developing inventories of nonvendor third-party providers, up from 59% in 2019. 

Heather Hendershott, senior director for third-party risk management at Ally, said last year’s interagency guidance references “‘business arrangements,’ which is more expansive than previous regulatory guidance specific to ‘contractual’ agreements. This has resulted in a deeper evaluation of classifications as part of the regulatory change process in financial institutions.” 

Despite evolving landscapes and regulations, a fundamental principle remains: Banking organizations must maintain sound, effective, and sustainable processes to manage risks related to third-party use, Buskard said. 

The bottom line? The RMA survey reveals a notable shift towards a more nuanced and risk-based approach to third-party nonvendor risk management within the banking industry, emphasizing the importance of customized processes and ongoing regulatory compliance.