In today’s fast-moving payments industry, third party risk is more important than ever.
Firms rely on a complex web of partners and vendors to deliver seamless services, but this interconnectedness brings new vulnerabilities. Recent data breaches and high-profile outages have shown that a single weak link can disrupt operations or even lead to regulatory trouble.
Why third party risk matters
Payments firms often integrate multiple third parties directly into their core services. From cloud providers like Google, Amazon, and Microsoft to specialised screening solutions, these partners are essential, but also introduce risk. Each third party that a firm integrates creates a potential entry point for IT and operational threats. If one partner suffers a breach, your data or ability to provide client services could be compromised, even if your own systems remain secure. A single outage at a critical third party could halt your ability to effectively provide services to customers, meaning even minor disruptions can escalate quickly, negatively impacting revenue and client trust. Additionally, with increased regulatory scrutiny, it is now expected that firms demonstrate effective oversight of third party ecosystems. In short, a single outage or security lapse with a third party partner can halt operations, expose sensitive data, or result in regulatory breaches.
Key risks to look out for:
1. Regulatory risk
New rules from the FCA and the EU’s Digital Operational Resilience Act (DORA) put third party oversight in the spotlight. Within the UK, the FCA expects all firms to be compliant with its operational resilience requirements. Captured within these requirements is the need to identify key third party dependencies when mapping important business services. Understanding where these dependencies and potential single points of failure lie is crucial to understanding where firms are vulnerable to disruption. Although DORA is European legislation, UK firms must also be aware that they could fall within its scope if they have a European presence. As maintaining an up-to-date register of information about third parties is a key requirement of DORA, firms must ensure they have comprehensive third party oversight measures in place. Without the right level of oversight in place, firms can very quickly become non-compliant, incur fines, and face increased regulatory scrutiny.
2. Operational disruptions
Recent outages at vendors such as Cloudflare have demonstrated how widespread disruption can result from a single source. With a wide range of third parties integrated into a firm’s network, even the most obscure provider can bring business to a standstill. Unexpected operational outages can cause a wide range of issues for firms, which may be unable to process payments or service client needs. Operational disruptions put additional strain on frontline teams trying to identify the source of the disruption and restore operations efficiently. Disruptions can be costly to firms, which may lose revenue, incur restoration costs and damage hard-earned client trust.
3. Data breaches
Recent incidents involving brands like Marks and Spencer and Jaguar, both originating from third party vendors, highlight the risks that third parties can pose to firms. Third parties integrated by a firm may process and hold client data that remains your responsibility. In an industry that relies on client trust, the exposure of client data, particularly personal and identifiable information, can be costly for a payment firm’s reputation. Additionally, data breaches can prompt investigations from the Information Commissioner’s Office (ICO), potentially resulting in fines of up to £17.5 million or 4% of annual turnover. The financial repercussions, along with loss of client trust, can be challenging for firms to recover from.
Building a strong third party risk framework
To protect your business, it is essential to implement the following measures:
- Map your third party ecosystem: know who your vendors are and what services they provide.
- Conduct risk-based due diligence: apply the strictest checks to your most critical partners. Due diligence should not be a tickbox exercise; evolving procedures should ensure that third parties undergo constant and consistent monitoring.
- Strengthen operational resilience: ensure a thorough operational resilience framework has been established that meets the FCA’s expectations. This framework should include the identification of third parties and of where dependencies and single points of failure may exist.
- Regularly review controls: ensure your own third party, security and operational controls are consistently reviewed and up to date. Additionally, monitor the controls implemented by your third parties and any changes made to their control environment.
How fscom can help
At fscom, our payments specialists can help you design and implement a robust operational resilience framework. We offer:
- expert guidance on regulatory compliance and third party risk management;
- independent audits to assess and strengthen your existing controls; and
- practical support at every stage of your resilience journey.
Watch our operational resilience webinar here, or download our checklist to ensure you stay ahead of third party risk.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.