Fintech Perspective: Balancing Speed to Market With Sound Risk Management

By Christopher Monk, Managing Director
Business Performance Improvement

Tyrone Canaday, Managing Director
Technology Consulting

As financial institutions develop innovative technology, whether in-house or by partnering with fintech companies, they need to consider carefully the regulatory requirements for both third-party risk management and information security. Protiviti hosted a Fintech Innovation webinar on April 5 that addressed the need for banks and other financial institutions to balance sound third-party risk management with the desire to bring new products and services to market quickly in order to remain competitive. The attendees primarily consisted of traditional financial services companies (81 percent), mainly banking organizations and some insurers. Fintech companies represented seven percent of the audience.

We want to highlight some of the results of the polling questions submitted during the webinar because they give insight into the current state of fintech innovation and the areas banking firms are most concerned about as they work to achieve a balance between innovation and sound risk management.

The collaboration is not without challenges. Of those who said they face challenges with their third-party risk management programs (a large majority), one-third consider the most difficult to be coordinating activities and workflow among the different groups responsible for managing parts of third-party risk: the business (the first line of defense), the vendor management office, procurement, and the compliance and information security functions. Seventeen percent of respondents highlighted the difficulty of gaining coverage of all of the organization’s third parties across every line of business in the enterprise. Other issues include understanding and keeping up to date with evolving regulations, and managing the workload by making the third-party risk management process more efficient and scalable.

Most significantly, almost half (44 percent) of all respondents indicated that their organization does not track the risks associated with fintech companies and other vendors effectively.

Addressing the challenges

For institutions that are just beginning their innovation journey, a good starting point is to understand their current capabilities, including those for actively managing third-party risks as well as data security and privacy risks. From there, firms can begin developing innovative products using a structured research and development (R&D) lifecycle. By layering the two efforts together, firms can ensure that third-party considerations are addressed throughout the process and that the level of risk management rigor and scrutiny increases as a product progresses through the R&D gates.

During our webinar, Protiviti experts guided attendees through the many ways in which fintech companies are disrupting the marketplace and offered a new third-party risk management framework that can help manage the risks inherent with partnering with smaller, startup firms and launching new technology products and services. You can access the free recorded version here, and we recommend a full listen.

For even more detail on how traditional financial institutions can balance the need for speed-to-market for new products with the need for information security and risk management compliance as best practices, refer to our newly published white paper: Enabling Speed of Innovation Through Effective Third-Party Risk Management.

Paul Kooney of Protiviti’s Security and Privacy practice contributed to this content.

2016 Vendor Risk Management Benchmark Study Results Released

Protiviti and the Shared Assessments Program recently released the results of our jointly conducted 2016 Vendor Risk Management Benchmark Study.

This is the third year that Shared Assessments and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. At right, you’ll find our infographic, and below is our podcast featuring Gary Roboff, senior advisor to Santa Fe Group and Shared Assessments Program, and Cal Slemp, managing director for Protiviti and leader of the firm’s Security Program and Strategy Services practice, discussing the key findings.

Learn more and find our full report at and

Compliance Insights Top News: Court Rules on RESPA Enforcement and CFPB Constitutionality

By Steven Stachowicz, Managing Director
Risk and Compliance

In our most recent edition of Compliance Insights, we highlight the compelling news regarding the U.S. Court of Appeals for the District of Columbia Circuit’s ruling in favor of a large, non-bank mortgage servicer seeking relief from an order by the Consumer Financial Protection Bureau (CFPB) to pay more than $100 million in penalties related to the assessment of mortgage reinsurance premiums charged on loans dating back to July 2008.

The court ruled that the CFPB violated the servicer’s due process rights by retroactively applying a new regulatory interpretation to invalidate a long-standing and accepted pronouncement from the Department of Housing and Urban Development (HUD) regarding the Real Estate Settlement Procedures Act (RESPA). The court also ruled that the CFPB’s case did not correctly consider the applicable statute of limitations, an approach that could have resulted in effectively “open-ended” liability for the financial servicing industry. The court further held that statutes of limitations apply not only to RESPA, but also to all 19 of the consumer protection statutes that the CFPB administers.

Even more notably, the court agreed with the servicer’s assertion that the structure of the CFPB (created under the Dodd-Frank Act as an independent agency under a single director, rather than a board or group of commissioners) constituted an “unprecedented and potentially inappropriate concentration of power in a single person,” in violation of the constitutional separation-of-powers doctrine. Although harsh in its criticism of the CFPB’s enforcement approach, the court rejected the servicer’s request to shut the agency down until Congress could legislatively fix the constitutional concerns. Instead, it ruled that the director should serve at the will of the president, making the CFPB an executive agency rather than an independent one.

The ultimate effects of the ruling are unclear in light of the pending election and the likelihood of a CFPB appeal. Financial institutions should monitor developments in this case closely.

In other compliance news, the Federal Deposit Insurance Corporation (FDIC) has issued draft guidance on third-party lending. Third-party lending relationships are drawing increased regulatory scrutiny for two reasons: the growing trend toward partnerships between insured depository institutions and third parties such as marketplace lenders and technology providers, and the recent difficulties institutions have had implementing complex lending and servicing regulatory requirements, such as the TILA-RESPA Integrated Disclosures (TRID) that took effect in October 2015.

The draft, published in July, expands on the FDIC’s existing 2008 guidance on third-party risk management and outlines risk management considerations for depository institutions that rely on a third party to perform a significant part of the lending process, such as underwriting, origination, servicing or collection. The FDIC’s position is that when banks partner with third parties, they effectively “integrate” the third party’s internal processes into their own systems, increasing operational complexity and risk. Transaction risk increases once assignee liability is taken into account, and consumer compliance risk depends on whether the third party has established an effective compliance management system.

To mitigate these risks, the FDIC proposes that institutions implement a risk management program specifically for third-party lending arrangements, and robust processes to evaluate and monitor these relationships.

Other compliance topics covered in the October Compliance Insights newsletter include:

  • The Bahamas Leak and the Call for Global Transparency
  • CFPB Wins Tribal Lending-Related Case Against Nonbank Servicer
  • HMDA Implications of the Updated Uniform Residential Loan Application

To learn more about these developments and download the newsletter, click here.

Fraud and White-Collar Crime: A Conversation with Donald Rebovich and Scott Moritz

Listen to Donald J. Rebovich, a professor of criminal justice and Director of the Economic Crime and Justice Studies Department at Utica College, and Scott Moritz, a leader of Protiviti’s Fraud Risk Management practice and former FBI special agent, discuss the results of the joint Protiviti-Utica College survey and other topics in this informative podcast.

More Resources Are Required to Master Third-Party Risks

By Rocco Grillo
Managing Director, IT Risk

As corporate boards, auditors and regulators increase their scrutiny of vulnerabilities associated with third parties, vendor risk management (VRM), and particularly the danger of data being lost or compromised through third-party service providers, remains a cause for concern at most organizations. This is what Protiviti’s most recent VRM benchmarking survey revealed. The survey, conducted in partnership with the Shared Assessments Program, collected feedback from directors and senior management at more than 450 organizations across a broad spectrum of industries. The overarching conclusion: a lack of perceived improvement, year over year.

In 2014, Protiviti began working with the Shared Assessments Program, a consortium of financial institutions, Big Four accounting firms and third-party risk management leaders in insurance, brokerage, healthcare, retail and telecommunications, to gauge internal perception of third-party risk management, using Shared Assessments’ proprietary VRM maturity model. The model is a COSO-like framework with 126 detailed components grouped into eight high-level criteria, and is designed to assess an organization’s ability to recognize and remediate third-party vendor risks on a scale of 0 to 5, with 5 being a fully evolved state of continuous improvement.

In our 2015 survey report, we grouped responses according to the respondent’s level of responsibility: chief executive, vice president and manager. For 2015, average responses by category ranged from 2.4 at the C-level to 2.8 for managers. In 2014, the range was 2.3 to 2.8. The average response for vice presidents fell in the middle of this range. Clearly, not a lot of change here.

There are many ways these results could be interpreted. Personally, I’d like to believe the flat results are due to progress, offset by increased expectation. In other words: Vendor risk management practices are improving, but not enough to affect perception in the face of increasing scrutiny and rising expectations. I prefer this “glass half full” approach; you may think differently. In either case, the points below, drawn from the survey, hold true:

  • VRM programs require more substantive advances – Regulatory agencies, most notably the U.S. Office of the Comptroller of the Currency, have asserted that “average” risk management no longer suffices. Organizations must make the shifts in mindset, organizational culture and behavior required to meet and exceed rising expectations.
  • Cybersecurity threats are a prominent challenge – High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency. Strengthening cybersecurity is a top priority, and third-party data security is critical to this effort.
  • Financial services organizations are leading the way – The financial services industry was the first to establish a Coordinating Council for Critical Infrastructure Protection in response to federal pressure in 1998. VRM practices in this sector remain significantly ahead of those in other data-vulnerable industries, including healthcare and insurance.
  • The number and intensity of vendor risks, and cybersecurity threats in particular, are increasing – From 2009 to 2014, the number of cybersecurity incidents increased at an average annual rate of 66 percent.

Regardless of how you interpret the results of our 2015 survey, the message is clear: VRM remediation efforts to date have, at best, kept pace with increasing threats and scrutiny. Organizations need to accelerate their efforts and increase the quantity and quality of resources devoted to this critical governance issue.

I recommend taking a look at the study and related video and podcast here. A VRM self-assessment tool is also available at the link.

Vendor Management – Realizing Opportunities in Financial Services

By Christopher Monk
Managing Director, Protiviti Supply Chain Solutions

Banks and other financial institutions have conducted tactical vendor management activities for decades. Much of this activity also has been performed in silos throughout these organizations.

As reliance on third-party providers domestically and globally grows, often driven by competitive pressures, the management of those vendors has become increasingly complex and scrutinized. Indeed, it’s not unusual for the largest financial institutions to have more than 50,000 vendors!

Add to the picture aggressive rollout of new services and products, heightened merger and acquisition activity, and new regulations regarding third parties, and it’s no wonder that financial services industry observers are left with one word to describe the current state of vendor management: Chaotic.

Even in the midst of this challenging environment, companies that employ the right strategic approach can do more than just meet compliance requirements; they can capitalize on better vendor management to achieve operational improvements and enhance the value provided by third parties. A recently published Protiviti white paper, Vendor Management: Realizing Opportunities in the Financial Services Sector, offers guidance in this regard.

One of the most common problems afflicting organizations is that there is no single point of accountability for managing vendor activity. Different functions and lines of business often hire their own vendors – or sometimes the same vendor – unaware of the vendor’s existing relationship with the company. The lack of centralized vendor data or reporting may make it difficult, if not impossible, to understand the complete picture with each vendor, identify spending patterns or uncover opportunities for more cost-efficient sourcing. Such a deficiency also hinders sharing of best practices across business units.

Furthermore, companies that lack good mechanisms for the ongoing management of their vendor relationships likely will struggle to ensure that contractual terms and related service-level agreements are fulfilled. These issues, in part, explain why regulators – including the Office of the Comptroller of the Currency and the U.S. Federal Reserve Board – are increasingly concerned that institutions have:

  • Failed to perform adequate due diligence and ongoing monitoring of third-party relationships
  • Entered into contracts without assessing the adequacy of a third party’s risk management practices
  • Entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers in order to maximize the third party’s revenues

A sophisticated vendor management organization (VMO) can help institutions to tackle these compliance issues, but just as importantly, it can help them build strategic partnerships with vendors to drive greater value. Protiviti has identified six critical elements that an evolved and mature VMO is built upon: Contracts, spend, classification, metrics, governance and relationships.

How these elements are assembled and the degree to which they are developed determines the effectiveness of the VMO. The first step in making necessary enhancements is to ask key questions, such as:

  • Are our vendors classified using factors such as the importance of business function supported; geography; ease of replacement; dollars spent; frequency of use; data privacy requirements or level of reputational risk?
  • Do our current vendor management activities include a mechanism for reducing risks?
  • To what extent are our current spend analyses driving vendor management decisions?
  • How effective are our existing relationship management metrics in improving vendor performance?

By answering these questions, companies can gain a clearer picture of their existing state of vendor management and a better understanding of the work required to elevate it to a strategic level that yields real operational benefits.

Do you have a vendor management organization that delivers more than just basic performance and compliance management? I’d love to read your insights in the comments.

More on Cybersecurity – President Obama Issues Executive Order to Sanction Cyberattackers

As a follow-up to our recent posts related to cybersecurity and cyberthreats, President Obama issued an Executive Order this week authorizing sanctions against cyberattackers operating outside the United States. You can read the Executive Order here. Reuters also published an informative overview of the Executive Order.

As noted in Reuters’ article and other sources, the Executive Order has received some positive response, but it has also raised concerns. How exactly will a cyberattack be attributed with certainty to an individual or group? How will the administration handle cyberattackers who are deemed to be state-sponsored, particularly by nations with which the United States conducts trade? Will such sanctions be effective against faceless perpetrators who operate independently (i.e., without state sponsorship)?

We will continue to monitor these issues and comment periodically here and in other forums.