MAS Outsourcing Guidelines and Third-Party Risk Management

Identification and Risk Categorization

MAS requires organizations to identify and categorize third-party dependencies. This includes establishing a management and governance framework; identifying and inventorying third parties; categorizing them based on their nature and risk characteristics; and establishing criteria to determine the governance and due diligence requirements that they should be subject to.

To address these requirements, financial institutions should:

• Build a comprehensive vendor profile that includes demographic information, ownership, financial performance, CPI scores, Modern Slavery statements, industry and business insights, and maps potentially risky 4th-party relationships. This helps centralize third party information, providing a single source of the truth for vendor management across their relationship lifecycle.
• Perform inherent risk assessments on their third parties in order to tier them; set appropriate levels of further diligence; and determine the scope of ongoing assessments for all third parties. Criteria can include:
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes

Due Diligence (Onboarding and Periodic Review)

In terms of due diligence and performing periodic reviews, MAS recommends taking the results generated from the identification and risk categorization exercise and developing an onboarding plan that facilitates ongoing reviews.

Third-party risk assessments should be conducted at the beginning of a relationship to gain a picture of the risks the third party presents to your organization; at the time of contract renewal; and whenever there is a compelling event such as a breach, compliance violation or other failure. Critical success factors include having access to a large library of questionnaire templates to add flexibility to assessment efforts, and prescriptive remediation recommendations to hold third parties to account. As part of this process, be sure to:

• Review third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.
• Map the responses to your organization’s selected control framework.
• Develop remediation plans and track them to completion.

Ongoing Risk Management and Monitoring

To enable ongoing risk management, MAS recommends deploying adequate risk monitoring tools and mechanisms to manage third party risk. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data should be correlated to assessment results and centralized in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. Risks can be categorized into a heat map view with likelihood and impact axes.

Monitoring sources should include a mix of cyber and non-cyber sources to gain a comprehensive picture of a third party’s risk. Examples include:

• Cyber: Criminal forums; onion pages; Dark Web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases
• Business: M&A activity; business news; and operational updates
• Reputation: Negative news; and politically exposed persons (PEPs).
• Regulatory and legal: Global sanctions lists; and global enforcement lists and court filings
• Financial: Financial performance; credit scores; shareholder funds; beneficial ownership.
  

How Prevalent Helps Address MAS Third-Party Risk Management Requirements

The Prevalent Third-Party Risk Management Platform automates workflows required to onboard, periodically review and terminate material and non-material third-party outsourcing arrangements, delivering key capabilities for multiple teams to centralize TPRM across the enterprise. The solution delivers specific capabilities that address all due diligence requirements, from approval to termination.

Prevalent helps financial organizations add governance and oversight to their outsourcing and non-outsourcing arrangements by:

• Building a comprehensive, agile and mature third-party risk management program based on proven financial industry best practices
• Centralizing third-party profiles for a single enterprise-wide inventory of outsourcing and non-outsourcing arrangements
• Automating the identification and assessment of critical third parties based on their criticality to the organization
• Assessing and continuously monitoring for cybersecurity, business, financial and reputational risks
• Measuring against key performance indicators (KPIs) and key risk indicators (KRIs)
• Delivering remediation recommendations to reduce third-party residual risk
• Including templates to simplify regulatory and security framework audit reporting to multiple internal and external stakeholders

For more on how Prevalent can help address the requirements in MAS Operational Risk Management – Management of Outsourcing and Third-Party Arrangements, download our complete MAS checklist or request a demo today.