
Strengthening Operational Resilience: How Banks Can Manage Third-Party Risks Amid Regulatory Pressure

March 27, 2025

Operational resilience is fundamental to the safety and stability of banks and the broader financial system. Over thirty years of working alongside banks to build resilience, and especially since becoming Chief Risk Officer & Chief Information Security Officer of R&T, I have seen the industry’s continued disruptions underscore an urgent need to address vulnerabilities.

Financial institutions are facing unprecedented challenges in managing diverse risks, from system failures, cyberattacks, and third-party relationships to external threats such as pandemics and geopolitical events. As digitalization and evolving, interconnected ecosystems add new layers of complexity to service infrastructure, banks are also navigating rising regulatory expectations.

Since 1974, R&T has supported financial institutions in achieving their goals with effective liquidity management solutions. Resilience is in our DNA, and we’ve guided hundreds of banks, trust companies, wealth managers, and broker-dealers as they have navigated the new risk and regulatory environment and sought to develop robust, adaptive frameworks. At R&T, we aim to distill our firm’s 50 years of expertise into actionable insights to help financial services professionals prepare for the next era of risk management.

In this article, we discuss the growing regulatory focus on third-party risk and share key strategies for banks to manage these partnerships effectively.

The banking sector’s risk landscape is growing increasingly complex. With data privacy concerns, cyber threats, and a rush of third-party relationships, banks now face a fast-evolving web of vulnerabilities. The rapid pace of tech advancement has opened doors to new opportunities – but also to risks that are hard to predict and control.

Regulators are paying close attention. The crises at SVB and Synapse have only heightened scrutiny of banks’ partnerships with fintechs and tech providers. Beyond simply protecting customers, banks now juggle a maze of third-party systems while managing ever-growing regulatory expectations. “Operational resiliency,” the ability to adapt, function, and bounce back fast, is no longer just a buzzword but a demand that banks can’t ignore.

While risk management is in some ways a shared responsibility, there’s no easy fix for handling the surge in interconnected systems. However, implementing proactive strategies can help institutions mitigate risk.

This means actively reviewing service capabilities, comprehensively assessing the third parties in a company’s ecosystem, and setting up adaptable frameworks for any new challenges. However, maintaining operational resiliency consists of more than a single assessment; it’s a continual process that involves challenging what you think is an effective plan and incorporating different points of view.

A Regulatory Industry in Flux

Over the past few years, we’ve seen an explosion of third-party partnerships among financial institutions. Banks are no longer the sole players in their own ecosystems, and this development has introduced more entry points – and more potential vulnerabilities – into bank networks.

It’s also caused regulators to rethink their approach. In the past, financial institutions often assumed that third parties were responsible for their own risk management, but regulators now expect banks to own that accountability. The focus of regulators has also shifted, moving further away from topics like loan portfolios, credit risk, and capital reserves to operational risk and third parties.

The collapse of fintech company Synapse in April 2024 only accelerated these trends. This crisis – caused in part by an inadequate assessment of third-party firms for risk management and regulatory compliance – underscored the need for financial institutions to manage third-party risks more proactively.

Today, the pressure on banks is coming from all sides. Regulators are increasing demands for accountability with new guidance, while clients and partners expect banks to demonstrate secure processes without sacrificing innovation. To complicate matters, while financial institutions may prepare for each Notice of Proposed Rulemaking (NPR) put forward by regulators, they often lack certainty about which rules will eventually be enforced.

Key Tips for Gaining Operational Resilience

The good news is that there are proactive steps that banks can take to strengthen third-party risk management and stay ahead, regardless of impending regulations.

Building a Foundation with Due Diligence

This often begins with consistent, thorough due diligence. Banks benefit from using structured questionnaires, whether based on frameworks like ISO 27001 or FFIEC guidelines, to standardize their assessments and identify risks systematically. By categorizing third-party vendors into risk levels – such as “critical,” “high,” and “low” – institutions can allocate resources effectively and prioritize relationships that present the greatest risk.

Engaging in Continuous Monitoring

Beyond due diligence, continuous monitoring plays a critical role in managing third-party risk. Subscribing to services that monitor the financial health and reputational stability of partners provides banks with real-time insights into potential weaknesses. This is also where AI can come in to enhance compliance in areas like Know Your Customer (KYC), money monitoring, and ongoing regulatory alignment.

Planning for Adverse Events

Once financial institutions have a clear understanding of their third-party landscape, they should prepare for high-risk events, even those with a low likelihood of occurring. Addressing questions like “What if our primary partner fails?” and “What backup plans are in place?” takes KYC to a new level. Ultimately, firms need to know not just their client but their client’s client. This makes it easier to have backup providers in place that can step in and maintain continuity of access in the event a primary provider is disrupted.

Testing Existing Infrastructure

Conducting tabletop exercises and facilitating open discussions that challenge existing points of view – particularly with independent third parties – is also crucial. This approach enables executive teams to make informed decisions and ensure that the institution not only survives but continues to serve clients, employees, and communities effectively in any scenario.

The Value of Being a Strong Counterparty

As a third-party provider ourselves, we’ve seen firsthand the importance of being a reliable partner to financial institutions. Rigorously practicing self-due diligence and proactive risk management not only allows us to reduce our own risks but also helps us become highly valued allies for banks.

When third parties prioritize accountability and transparency, they allow banks to streamline their oversight processes, often facing less regulatory scrutiny as a result. Reliable partners who actively self-assess and improve their practices help banks stay focused on strategic goals instead of constant compliance checks. By consistently asking, “What are banks trying to solve for, and how can we be part of the solution rather than the problem?”, third parties can cement their role as indispensable contributors to a more resilient financial ecosystem.

The current environment remains challenging, with banks facing heightened regulations, more interconnected systems, and the constant drive to innovate. However, by maintaining a robust assessment and monitoring strategy, and prioritizing strong partnerships with reliable, self-regulating third parties, financial institutions can navigate this complexity with greater confidence. In this landscape, being a good partner is not just advantageous but essential – both for reducing risk and for building enduring, strategic relationships.

Jason Mull, EVP, Chief Risk Officer & Chief Information Security Officer.
