A federated agricultural bank that is a wholesale lender and business-service provider to a network of local farm credit associations in the Americas has a complex organizational model. The bank provides funding to its affiliates, who in turn disburse loans to farmers, homeowners, and other customers. The affiliates also provide services to the rural communities on behalf of this bank. For its part, the bank supports its affiliates in securely storing and accessing sensitive customer data and providing mobile access to their customers, thus creating highly complex third-party relationships and contractual agreements.
The board at the bank wanted a program that would help align their overall business objectives across the ecosystem and ensure that all parties shared the common vision of customer centricity, cost reduction, and risk mitigation.
Due to fragmented, siloed operations across business units and the lack of harmonized data for the high volume of third-party relationships, the bank had to gather information manually from each business unit. The absence of structured processes, multiple disconnected technology systems, growing risk from fintech third parties, and highly complex contractual relationships made it challenging for the bank to capture risks and define metrics to track performance and take timely action.
Additionally, the services provided by the bank’s affiliates and third parties included technology support, which exposed them to a wide set of cybersecurity regulations. Though the bank individually had to comply with the Farm Credit Administration (FCA), its vendors in the network needed to comply with other regulations like GLBA, FDIC, FFIEC, FATCA, CFPB, OCC, or FCC. For the bank this meant going beyond the bare minimum processes, compliance guidelines, and standards to mitigate risks in the ecosystem. Therefore, it became crucial to aggregate insights and requirements from all third-party related regulations, guidelines, and other requirements and address them within a system.
This prompted the bank to approach MetricStream for a structured third-party governance solution covering on-boarding, assessment, monitoring, performance evaluation, and issue remediation. The board wanted “One Tool” for third-party management to be used across the business to collect and collate third-party information and provide a comprehensive overview of risk information for quick decision making.
The MetricStream solution has facilitated a systematic and integrated approach to third-party risk management (TPRM) at the bank, which provides the board with consistent oversight. With guidance from MetricStream's implementation best practice guidelines on "basic", "optimized" and "rationalized" stages of a TPRM governance model, the bank has defined each stage of their TPRM lifecycle in line with their internal needs and objectives. The solution has helped the bank standardize multiple processes including on-boarding, monitoring, risk assessments, due diligence, performance scorecard, issue management, and termination.
As part of the implementation process, the bank has harmonized third-party information stored in multiple systems across the business functions, which has helped consolidate the third-party base. The solution stratified third parties and each relationship with a third party into various risk categories based on the offered product or service, as well as the third-party’s location, countries of operation, and other key factors. Through this process, the bank was able to reduce the vendor base by 90%.
Risk exposure from each third party, as well as from each relationship with that third party, is different. A one-size-fits-all system to assess third-party risks will not provide relevant insights and might even increase risks. The MetricStream solution provided an integrated system to mitigate various aspects of third-party risk, such as compliance, reputational, transactional, country-specific, strategic, operational, credit-related, and concentration risk, through the third-party lifecycle. The solution helped standardize the risk assessment templates and processes across the ecosystem. It enabled the bank to define risk assessment processes based on each third-party relationship, since the criticality and risk of each relationship was different. The solution assessed and aggregated risk ratings for each relationship to provide an overall risk rating. The third parties were continuously evaluated on internal as well as external factors, based on which the controls were designed and defined by the bank. The solution provided access to risk intelligence alerts from external content providers, which enhanced visibility and enabled the bank to take quick remedial measures.
The bank’s relationship with the associations resulted in complex contracts and agreements. Tracking conformance to these required well-defined metrics. With the MetricStream solution in place, the bank streamlined the metrics and the processes to track third-party performance. Furthermore, the scorecards and reports provided the bank with relevant insights and incentivized the right behavior for their third parties.
With access to the right risk ratings, performance metrics, issues, and real-time risk intelligence, the bank has been able to adopt a risk-based approach to managing third parties. These insights have improved their internal communication, enabling the front line to understand the risk dimensions and the likely impact of a risk from a third party. Since risk mitigation decisions are captured within the MetricStream solution, there is a clear audit trail of actions. This helps ensure accountability and ownership of risk within the first line, thus improving the risk culture maturity.