Banks need to step up third-party risk management

The event was attended by various local banks and fintech companies, with the majority of participants being C-suite executives and experts in digital banking, information technology, cybersecurity, and risk management.

In fact, stronger connectivity among financial services providers means new opportunities and new risks.

Digital transformation has given rise to increased outsourcing of operations and services by banks to third-party vendors. Common types of third-party services used by banks include payment initiation, customer loyalty programmes, or routine office administration tasks, among others.

Cost savings are not the only reason why third-party services are on the rise in banking. Beyond that, third-party vendors give banks access to specialist capabilities and technologies that they might not yet be able to build or maintain in-house.

Despite the evident benefits of using third-party providers, the associated risks are not to be ignored. A few years ago, hundreds of customers’ bank statements were stolen from a bank in Singapore, following unauthorised access into a server containing such information on an off-site printing facility. And earlier this year, a data and analytics firm catering to some of the biggest financial institutions in the US failed to secure millions of private financial documents after a major data breach.

Common third-party risks to financial institutions

As information security threats grow, so do related regulations. For instance, the State Bank of Vietnam issued Circular No.18/2018/TT-NHNH on August 21, 2018 to govern the assurance of information systems safety and security in banking operations. However, most local banks are still struggling to comply with the requirements related to digital transformation in the circular, particularly those concerning the management of third-party risks.

At the above workshop, the experts from PwC discussed the digital trends in the financial services sector and associated risks, focusing on third-party risks under the impact of Circular 18. The workshop instructors also gave an overview of common security risk assurance standards, such as ISAE 3402/SOC 1, ISAE 3000/SOC 2, and ISRS 4400/AUP.

Nguyen Phi Lan, partner, Risk Assurance leader, PwC Vietnam

According to Nguyen Phi Lan, partner and Risk Assurance leader at PwC Vietnam, “The convenience of tech-enabled financial services has led to an ever-larger and more complex ecosystem of banks, fintech fims, and related service providers. The adoption of international standards and good practices helps banks improve the effectiveness of risk management, including third-party risks.”

Yu Loong Goh, IT Risk Assurance director, PwC Vietnam

Sharing experience from Malaysia and the region, Yu Loong Goh, IT Risk Assurance director, PwC Vietnam, said that most high-performing banks in the region are focusing on two main tasks in third-party risk management.

First, assessing the current state of their cybersecurity risk management programme and second, third-party attestation reporting. These provide the basis for banks to come up with measures to address gaps and protect their organisation and clients.

Pho Duc Giang, Cyber Security and Privacy director at PwC Vietnam Cyber Security Services Co., Ltd.

Pho Duc Giang, Cyber Security and Privacy director at PwC Vietnam Cyber Security Services Co., Ltd. added, “Third-party attestation can bring many potential benefits, such as improved trust with stakeholders, increased confidence in your own operations, reduced costs, and moving towards a sustainable financial services ecosystem.”

Following the success of the workshop, the Vietnam Banks Association, PwC Vietnam, and PwC Vietnam Cyber Security Services Co., Ltd. expect to hold a similar event for financial institutions and fintech companies in the southern region.