When Partners Become Liabilities — Rethinking Third-Party Risk

The Day a Payroll Vendor Brought Us to a Halt

It was a routine Friday morning—until it wasn’t. Phones lit up. Systems slowed down. HR couldn’t run payroll. Finance couldn’t close the books. Our third-party payroll vendor had gone offline, caught in the crossfire of a ransomware attack that had nothing to do with us… or so we thought.

But regulators didn’t see it that way. To them, it was our responsibility. And they were right. We had outsourced the service, not the risk.

Why Third-Party Risk Is Everyone’s Risk

Today, financial institutions rely on a complex web of vendors: fintech partners, cloud providers, legal consultants, data processors, offshore support teams—and the list keeps growing. Each one is a node in your ecosystem. Each one can be a vector for operational, reputational, or cyber risk.

According to Deloitte, 83% of organizations have experienced a third-party incident in the past three years. And yet, fewer than half conduct deep risk assessments beyond onboarding. That’s not a strategy. That’s a gamble.

Lesson 1: More Than a Box to Check

I once worked with a firm where vendor risk assessments were essentially a tick-the-box process. “Do they have a SOC 2 report?” “Yes.” “Great, move on.” No one read it. No one asked what systems were in scope. No one noticed the outdated controls in their user access reviews.

It wasn’t until a regulator showed up—asking very specific questions about sub-service organizations and data segregation—that the panic set in. We had assumed compliance. We hadn’t verified capability.

The fix? We revamped the Third-Party Risk Management (TPRM) lifecycle:

- Replaced checkbox reviews with risk-tiered due diligence
- Added on-site assessments for critical vendors
- Integrated real-time monitoring for ongoing risk awareness

The idea wasn’t to make life harder—it was to make it smarter.

Lesson 2: Subcontractors Are Still Your Risk

Here’s the kicker: the payroll vendor that caused our outage? They weren’t breached. Their subcontractor was. We didn’t even know about the subcontractor.

That’s why the OCC’s Third-Party Risk Management Guidelines emphasize “chain-of-responsibility.” If your vendor relies on someone else, you still own the exposure.

Now, all our contracts include:

- Disclosure of all subcontractors
- Right-to-audit clauses
- Breach notification timeframes
- Incident response collaboration expectations

It’s not about micromanaging. It’s about governance.

Lesson 3: Risk Never Ends at Onboarding

Vendor due diligence isn’t a one-and-done task. One of our cloud providers was financially stable when we onboarded them. Two years later, their parent company was in bankruptcy court. Our access was nearly compromised.

From that day forward, we implemented ongoing risk monitoring using platforms like:

- BitSight (for cyber hygiene scoring)
- ProcessUnity (for TPRM workflow management)
- LexisNexis (for legal and reputational red flags)

Vendor relationships evolve. So must your oversight.

Lesson 4: Culture Still Matters

Here’s something we often forget: third-party vendors are people too. When the pandemic hit, one of our offshore support vendors struggled with lockdowns and limited internet access. It wasn’t their fault. But we hadn’t planned for it.

That’s when we shifted from thinking of vendors as contracts to thinking of them as strategic partners. We began:

- Hosting joint resilience workshops
- Aligning KPIs on client outcomes, not just deliverables
- Sharing incident response plans and testing together

Resilience is a team sport.

Final Thought: The Chain is Only as Strong as Its Quietest Link

Third-party risk isn’t just a function. It’s a philosophy.

It’s about asking the hard questions before a regulator does. It’s about looking beyond the glossy onboarding decks and into the operational realities. And above all, it’s about remembering that outsourcing the work doesn’t mean outsourcing the responsibility.

About the Author

Laksh Vaswani is a senior financial executive, best-selling author, and global risk governance strategist. With over two decades of experience leading transformation, regulatory readiness, and vendor risk management programs across banking and fintech, he has helped organizations balance innovation with resilience. Laksh is the recipient of the International Achievers Award and an advocate for smarter, human-centric compliance.
U.S. vs Europe: Navigating Regulatory Expectations Across Borders

The global financial ecosystem is increasingly interconnected, but the regulatory frameworks that govern it often aren’t. When firms operate across both U.S. and European markets, the challenge becomes less about the rules themselves and more about the differences in approach, enforcement, and interpretation. Having consulted with organizations navigating both worlds, I’ve come to appreciate how nuanced cross-border compliance can be—and how it can be turned into a competitive advantage when handled thoughtfully.

Let’s start with what they have in common. Both the U.S. and Europe demand rigorous controls around risk management, data privacy, anti-money laundering (AML), and operational resilience. But the way these themes are implemented and enforced can vary dramatically.

1. Regulatory Philosophy: Rules-Based vs Principles-Based

In the U.S., regulatory agencies like the Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and Securities and Exchange Commission (SEC) adopt a rules-based approach. Regulations are specific, and deviations come with clearly defined penalties. Contrast this with Europe, where regulators like the European Central Bank (ECB) and Financial Conduct Authority (FCA) operate on a principles-based model. Under frameworks like MiFID II and CRD IV, firms are expected to meet broad outcomes, but how they do so is left to interpretation.

Lesson: In one engagement, I advised a Caribbean bank expanding into Europe. They were used to U.S.-style playbooks and sought detailed checklists. But in London, they had to adapt—demonstrating how their controls aligned with the Senior Managers and Certification Regime (SMCR) and FCA’s Treating Customers Fairly principles. We built governance dashboards using ServiceNow GRC to map control effectiveness to regulatory outcomes, providing the transparency the FCA valued.

2. Data Privacy: GDPR vs U.S. Patchwork

In Europe, data privacy is governed by the General Data Protection Regulation (GDPR), a sweeping regulation that applies across EU member states. In contrast, the U.S. has a fragmented framework, with laws like CCPA (California), GLBA, and HIPAA applying based on jurisdiction and industry.

Lesson: A U.S.-based fintech client of mine, with operations in Paris and Berlin, had to completely revamp their customer onboarding workflows. We implemented OneTrust for consent tracking and automated Subject Access Requests (SARs) using Salesforce Service Cloud, reducing risk and increasing customer trust.

3. Anti-Money Laundering (AML): Scope and Reporting

Both regimes require strong AML programs, but the enforcement is more aggressive in the U.S., particularly under FinCEN and the Bank Secrecy Act (BSA). Europe aligns through 4AMLD and 5AMLD, but reporting thresholds and enforcement rigor can differ.

Lesson: While consulting for a bank operating under both regimes, we used Actimize AML to streamline transaction monitoring and SAS AML for intelligent alert prioritization. We adjusted rulesets regionally and created a crosswalk between Suspicious Activity Report (SAR) requirements in the U.S. and STRs in the EU.

4. Operational Resilience and Recovery Planning

U.S. regulators now expect banks to integrate Operational Resilience into their Recovery & Resolution Planning (RRP) processes—especially under OCC Bulletin 2019-64 and FRB expectations. Europe mandates resilience under DORA (Digital Operational Resilience Act) and EBA Guidelines on ICT and security risk.

Lesson: At a prior institution, we centralized BCP and resilience planning across regions using Fusion Framework System. It helped standardize risk appetite statements, impact tolerance thresholds, and crisis playbooks. This not only ensured compliance but created a proactive resilience culture across both jurisdictions.

5. Best Practices: Bridging the Divide

Here’s what we’ve learned from working on both sides of the pond:

- Harmonize Where You Can: Use tools like MetricStream, Archer, or LogicManager to unify risk taxonomies and reporting standards.
- Customize Where You Must: Accept that some requirements can’t be harmonized. Build region-specific controls where needed.
- Invest in RegTech: Automate regulatory horizon scanning with tools like Thomson Reuters Regulatory Intelligence or Wolters Kluwer OneSumX.
- Cultural Adaptability Matters: The success of any framework lies in how well it’s embraced. Train teams on both U.S. and EU expectations, not just the rules but the “why” behind them.

Final Thoughts

Navigating regulatory expectations across U.S. and European borders isn’t about choosing sides—it’s about understanding both. The best firms use these differences as opportunities to elevate their governance, sharpen their risk posture, and foster international credibility. And if you’re still building those bridges? Don’t worry. We all start somewhere.

About the Author

Laksh Vaswani is a global financial services executive and regulatory advisor who has helped institutions navigate complex regulatory environments across the U.S., Europe, and the Caribbean. A best-selling author and International Achievers Award winner, Laksh specializes in operational transformation, risk governance, and cross-border compliance. Connect with him on LinkedIn or visit www.lakshvaswani.com for insights and advisory services.
When the System Blinks: Understanding and Managing Technology Risk in Financial Services

One late afternoon, in a well-known financial services firm, a routine end-of-day batch job failed to kick off. A simple scheduling error, it seemed. But that single misfire led to an overnight reconciliation backlog, delayed settlements, and an early morning call with a regulator who’d noticed the delayed reporting. That was the moment we learned: in today’s digitized financial landscape, technology risk isn’t just a back-office concern—it’s front-page news waiting to happen.

Technology risk refers to the potential for losses stemming from the failure of systems, software, networks, or third-party tech services. It may be triggered by outdated infrastructure, coding errors, cyberattacks, third-party failures, or even well-meaning automation that no one quite tested properly. The consequences? Reputational damage, financial loss, and regulatory scrutiny.

The Chain Reaction Nobody Wants

Several years ago, I worked with a global asset manager undergoing a cloud migration. It sounded exciting. The cost savings and scalability benefits were all there. But what wasn’t on the slide deck was how many business-critical applications still depended on legacy architecture that wasn’t cloud-compatible.

In one instance, a reporting tool that pulled position data for risk oversight failed to retrieve accurate feeds after the cloud switchover. The result? Inaccurate risk reports sent to internal committees and a scramble to recall and correct them before external eyes got involved.

What did we learn? The importance of technology change governance. Before any major tech overhaul, every upstream and downstream dependency needs to be mapped, tested, and retested. Simple rule: if it can break, it probably will—unless you’ve planned for it not to.

Cyber Risk: The Ever-Present Shadow

No article on tech risk is complete without mentioning cybersecurity. And it isn’t just about firewalls and encryption. A breach can come from an innocuous email attachment.

At another institution I advised, a phishing email compromised an employee’s credentials. No big deal, right? Wrong. The compromised ID had access to a dormant third-party file transfer protocol (FTP) server still linked to live customer data. That one oversight turned into a multi-month breach investigation.

We took action quickly: reviewed all privileged access, killed off dormant accounts, revamped endpoint monitoring, and launched mandatory cyber-awareness training. But we also rewrote our third-party risk policy to emphasize identity lifecycle management and data minimization.

Regulations and Frameworks: A Compass, Not a Crutch

Regulators have taken note. The NYDFS Cybersecurity Regulation (23 NYCRR 500), GDPR, and FFIEC guidance all outline expectations for managing tech risk. Yet compliance with these laws shouldn’t be the ceiling—it should be the floor.

One client of mine adopted the NIST Cybersecurity Framework as a strategic blueprint. By pairing it with FAIR (Factor Analysis of Information Risk) modeling, we quantified risk exposure in dollar terms. This helped the board better understand why we needed a budget increase for endpoint detection and response. Dollars and metrics speak louder than fear.

The People Side of Technology Risk

Technology risk is never just about the tech. People build, maintain, and use systems. And people are fallible.

At a mid-sized bank, a developer wrote a script that bypassed a manual review step to speed up processing. It worked. Until one day, it didn’t. The script ingested corrupted data, which went unchecked, leading to a cascade of reconciliation issues across six business lines. It took days to untangle.

This incident led to our “Human Factors in Technology Risk” initiative. We didn’t just audit the code. We started asking:

- Why did the developer feel the need to create a workaround?
- Was it a culture that celebrated speed over controls?
- Were teams empowered to report fragilities?

These are cultural questions as much as operational ones.

What Financial Institutions Must Do

- Map Dependencies – Understand how your systems connect, where the single points of failure lie, and who is accountable for each.
- Simulate Failure – Run tabletop exercises. Pull the plug (figuratively) on a major system and see what happens. Be surprised in a safe setting.
- Invest in Culture – Tech awareness, ownership of controls, and a psychologically safe environment to report issues are just as vital as tools and policies.
- Benchmark to Frameworks – Use NIST, COBIT, ISO 27001, or FFIEC not just for compliance but to drive maturity.
- Vendor Vigilance – Third-party risk is first-party risk in disguise. Have your vendors been tested? Audited? What’s their incident response time?

About the Author

Laksh Vaswani is a senior financial services executive and technology risk advisor with over 20 years of experience guiding institutions through digital transformation, regulatory compliance, and operational resilience. A best-selling author and International Achievers Award recipient, he is passionate about building governance frameworks that don’t just satisfy regulators, but make institutions stronger, safer, and smarter.
The Silent Saboteur: Navigating Reputational Risk in Financial Services

There are breaches that hit the front page, and then there are whispers that spread like wildfire. In the world of financial services, reputational risk is the kind that doesn’t knock—it slips quietly through the cracks, often catching even the most vigilant firms off guard. And unlike credit or market risk, it doesn’t show up neatly on a balance sheet. It lingers, shadows performance, and—if left unchecked—erodes trust at the core.

I learned this the hard way.

The Ripple Effect of a Client Misstep

Several years ago, I was working with a bank that had a solid operational backbone, robust compliance program, and a stellar record with regulators. On paper, it was nearly flawless. But all it took was one client.

A well-known fund that had questionable practices in a foreign jurisdiction made headlines for the wrong reasons. Although our firm had conducted standard due diligence, the association alone triggered media speculation, investor anxiety, and internal confusion.

What stung the most wasn’t the direct financial impact—it was the reputational fallout. Clients began asking questions, business leads started slowing down, and internally, there was a surge of second-guessing across departments. It didn’t matter that we hadn’t done anything wrong. Perception had already taken hold.

Reputation is the Shadow of All Other Risks

Reputational risk rarely appears in isolation. It’s the consequence of other risks—compliance failures, cybersecurity breaches, poor leadership decisions, or even third-party blunders. It’s why we can’t treat it as a PR issue alone. It’s a risk category that needs its own governance, its own escalation protocol, and above all, a cross-functional ownership model.

The challenge? Reputational risk often emerges from decisions that seem completely logical at the time. Launching a new product too quickly. Partnering with a fintech firm that hasn’t scaled its controls. Hiring a high-profile executive with skeletons in their closet. The market doesn’t wait for your side of the story—it runs with what it knows.

Building a Proactive Reputational Risk Framework

In one of the firms I worked with, we embedded reputational risk considerations into our product approval process. Every major initiative—whether it was a new market launch or a vendor partnership—had to go through a reputational risk lens. This wasn’t just about legal sign-off or compliance checklists. It involved risk officers, communications teams, and senior leadership asking the hard questions:

- What could go wrong, and how would that be perceived?
- Who are we partnering with, and what is their public history?
- How do we prepare for an external narrative that’s out of our control?

We also created a “Reputation Risk Radar”—a real-time dashboard tracking social media sentiment, legal escalations, regulatory changes, and client behavior trends. The goal wasn’t to eliminate noise, but to detect early patterns.

Transparency is Your Best Armor

When a reputational issue does arise—and it will—it’s tempting to go quiet. Wait it out. Minimize exposure. But experience has taught me that transparency builds far more credibility than silence.

We had an incident where sensitive client data was mistakenly shared—not a breach, just human error. Instead of burying the incident, we reached out directly to the affected clients, explained what happened, and detailed the corrective actions we were taking. Not only did we retain their trust, but in several cases, clients thanked us for the honesty.

About the Author

Laksh Vaswani is a senior financial services executive, mentor, and best-selling author who has spent over two decades leading governance, risk, and compliance transformations across global banks and financial institutions. His leadership has helped organizations navigate complex regulatory environments while preserving stakeholder trust and brand reputation.