Banks and other financial institutions are struggling to maintain compliance in an increasingly regulatory world, and industry observers say the financial vertical market offers great opportunity for channel partners -- but it is not without challenges.
"Where you primarily run into challenges with managed services specifically in the financial sector is in regulatory compliance. … There is a lot of oversight, and it's becoming more complex," noted Shawn Eftink, product manager for managed services at Computer Services Inc. (CSI), based in Paducah, Ky.
There are more audits done in the financial vertical than in other industries, Eftink said. "It's been regulated for the longest period of time. Obviously, we're seeing more [audits conducted] in healthcare and utilities, but there are stringent compliance challenges that exist in the financial sector."
Coming off the financial crisis of 2007-08, the Office of the Comptroller of the Currency (OCC), one of the key banking regulators in the U.S., put forth guidelines on effective risk management in third-party relationships in October 2013. The guidelines aim to help banks assess and manage risks associated with third-party relationships, said David England, director of Alsbridge, a global consulting and advisory services firm based in Addison, Texas. Risks can have strategic, reputation, operational, transaction and compliance consequences, he added.
The OCC "more clearly pointed out that accountability goes all the way to the top, so the board can't say, 'We didn't understand those things' as [the bank outsources] IT or any critical information," England explained.
Any time a financial institution interacts with third parties involved in critical activities, the board has to sign off that it understands the risks inherent with outsourcing. The institution also has to do its due diligence, which includes going out to a service provider's site and auditing its policies and procedures for controlling information and physical security.
"This puts a lot of demands on any bank or financial services organization," England said.
The challenge is that the OCC doesn't clearly define what "critical" information means, so there is some ambiguity, he added. "It's not a matter of checking a box in response to a specific requirement. While banks have gotten more confident about interpreting the guidelines, there's still some uncertainty," he said.
Violating the guidelines can raise red flags and lead to further investigation, which can lead to the bank being deemed as unsafe or unsound. That, in turn, can lead to even more investigation and, ultimately, fines and penalties.
In addition to the OCC, the other main regulatory body in the area of third-party risk management is the Federal Reserve Board (FRB), he said. The FRB issued guidelines in December 2013 that were designed for financial institutions involved in outsourcing operational activities to service providers, England said.
How MSPs should prepare for the financial vertical
One of the financial market trends that England sees is that banks are outsourcing more IT-related services now that they have seen outsourcing's benefits.
Another trend is that as technology continues to grow more complex, so do regulatory challenges, Eftink added. "Anything you can do to help mitigate risk is going to be a conversation starter with a bank or anyone in the financial sector," especially when it comes to dealing with issues such as ransomware, security for the border between private networks and outside or public networks, and disaster recovery and business continuity.
The landscape is also changing. "I think the financial industry and regulators have come a long way over the years," Eftink noted. "I used to see a more combative approach between banks and regulators, but recently I'm seeing them working together to address challenges."
For managed services providers (MSPs) looking to enter the financial vertical, the OCC's guidelines are the de facto standard to learn, England advised. "It's pretty broad and comprehensive. If you follow that … you probably have a good handle on the risks associated with outsourcing and you're probably doing a pretty good job. The problem is it's difficult [to do]."
One of the requirements, for example, is that financial institutions must track every third-party relationship. Alsbridge works with large clients on major IT or business process outsourcing deals involving lots of people, critical services and critical data, so it is required to do on-site assessments. "It used to be that an annual assessment was enough. … Now we're seeing our banks doing quarterly [assessments] for their high-risk vendors," meaning those that handle sensitive data or large volumes of data, he said.
Not only does a bank have to do its due diligence vetting an MSP, it has to scrutinize the MSP's clients, Eftink said. That means CSI is asked by regulators "if we're doing our due diligence and making sure the people we're working with are good, solid companies that are onshore or whatever the case may be," he said. MSPs considering the financial vertical should be prepared for scrutiny over their internal risk assessment programs for whatever technology vendors they use to service their clients.
MSPs also must meet a variety of standards and answer hundreds of questions on request for proposals (RFPs) for the financial vertical, England said. "The table stakes just to get in and support the banks are high. You have to have pretty much air-tight capabilities for managing that risk, typically around all the information and protecting it, or else you can't even play in that game anymore."
Additionally, MSPs should prepare for the cost associated with hiring different firms to assess whether they have an appropriate level of cybersecurity, as well as other items such as Better Business Bureau checks. The question list on RFPs is very extensive, and it takes a lot of involvement from different people who deal with areas ranging from information security to disaster recovery to telecom, he said.
"The bad thing is [the RFP is] going to be different for every bank," England noted. The MSP won't be able to answer the questions once and then leverage those for every bank RFP it responds to.
Weighing the investment against opportunities
Once an agreement is signed, there's a contracting step. The contract essentially says that any risk that the bank finds when it comes to using a particular MSP must be mitigated. The mitigation has to be proven in writing. For example, if a third-party firm found problems with the MSP's physical security controls, the bank's contract may stipulate that no data will be moved off its premises until the MSP's policies are changed, England said. However, in a case like this, the bank would likely dismiss the MSP to avoid any potential risk to its data, he added.
"So for providers, it becomes the price of entry. They have to have this buttoned up, or they get excluded on many contract jobs," England said.
The bank must also make monitoring a service provider an ongoing process and not let service-level agreements languish on a shelf. "That's where we [Alsbridge] come in. We monitor [third parties] on a monthly basis and make sure invoices are accurate and do ongoing site assessments for higher risk ones."
Finding people who can speak to both regulatory and IT issues is difficult, Eftink said. "To be perfectly candid, shifts in IT, the complexity of technology and increasing regulations will push the limits of those people inside the banks responsible for dealing with regulatory issues."
"Service providers willing to dig deep into the IT regulatory compliance challenges, and willing to remain current, can help consult their clients on how to address [challenges], and, when executed effectively, may find themselves in a key 'trusted advisor' status," he said.
There is a real opportunity for cloud and services providers. "I expect opportunities for service providers specializing in IT regulatory compliance are only going to grow."