the risk management blog

Third Party Compliance Audits: The New Imperative for Financial Institutions

by Brad Moody | November 03, 2015

“Use of third parties reduces management’s direct control of activities and may introduce new or increase existing risks, specifically operational, compliance, reputation, strategic, and credit risks as well as the interrelationship of these risks. Increased risk most often arises from greater complexity, ineffective risk management by the bank, and inferior performance by the third party.” – Office of the Comptroller of the Currency, October 30, 2013 Bulletin

It’s well established that banks are increasingly turning to third parties to handle a wide range of activities and processes, from cash transport and ATM replenishment to IT and other services. However, when you examine the latest standards and scrutiny placed on financial institutions by the FDIC, CFPB, FFIEC, OCC, FinCEN, and others, it is clear that whether the activities are being performed by the bank itself or a third-party vendor, it’s the bank that carries the bulk of the risk.

Beyond AML: Compliance Risks are Pervasive

FinCEN has made it abundantly clear that it can and will actively, and most likely aggressively, enforce Anti-Money Laundering (AML) rules. But compliance risks extend much further than this. When you evaluate risks associated with third-party relationships, it is necessary to scrutinize the congruence between the third party’s operations and the bank’s established policies and procedures.

According to the OCC, compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. There is much to consider.

The Certainty of Uncertainty

One thing certain in today’s compliance environment is that there is a lot of uncertainty. Prudent individuals inside banks and vendor organizations are trying their best to interpret guidelines and regulations that seem to continually evolve or outright change. We’re finding that companies are doing what they think is right and compliant, but ultimately may find either that the rules have changed or that they have misinterpreted what they considered to be the right course.

In times like these, it is wise to enlist the expertise of third-party auditors who are well versed in the regulatory environment and can help you stay on top of the latest requirements.

The ‘Private Idaho’ Effect

We often find that policy writers, in their attempts to address compliance requirements, become involved in their ‘own private Idaho’. In other words, they are industry experts, but their expertise is in a very specific area. These well-intentioned individuals look at one aspect and make decisions that can have sometimes dramatic downstream effects on associated lines of business.

Consider an example we came across in the audit space. A large bank’s policy makers decided that the ATM group would operate in a certain fashion with respect to cash handling and transportation. The downstream effect was a back-end slowdown of the process, and the bank suddenly lacked enough cash for customers. The bank then had to order more money to cover more orders, which in turn created another compliance issue with the approved inventory levels at the outsourced cash vault. The trouble stemmed from having policy makers who were ATM-oriented and unaware of the downstream effects at the banking center or vault.

A third-party audit can help bridge the silos through a complete end-to-end process.

More Than Just Hefty Fines

Simply put, the costs of non-compliance are significant. And we’re not just talking about fines. There are the costs associated with picking up the pieces when an enforcement action is taken or a policy is found to be out of compliance. The opportunities an organization must forgo as a result of a major or even minor regulatory infraction can add up to significant competitive disadvantages. Add to this the reputation damage caused when a compliance issue makes its way to the headlines or otherwise impacts public trust or safety.

A professional third-party audit company will understand not only the business requirements of financial institutions, but also the detailed requirements of regulators and insurers. In short, a qualified third-party audit can be one of your best lines of defense against the risks of non-compliance.





Brad Moody, CFI, CFE is the Executive Vice President of Operations for Lowers & Associates. As a Certified Fraud Investigator, Certified Forensic Investigator, licensed Private Investigator, Six Sigma Greenbelt and frequent author, Brad’s expert advisory capabilities include human capital risk, social engineering, fraud investigation, security compliance and compliance auditing, cryptocurrency risk, cyber vulnerability risk assessments, business continuity plan development, insurance policy consulting, surveillance and related risk advisory services.