Third Party Financial Crime Risk Assessment Methodology
Version 1.1 - March 2025
Introduction
Firms that engage in third party relationships should exercise appropriate financial crime compliance oversight of these partners and implement effective third-party risk management measures to meet regulatory requirements and expectations. This requires firms to understand both the financial crime risk posed by each partner and how that relationship affects the firm’s own risk profile.
Cable provides a suite of tools enabling firms to achieve this understanding and effectively manage partner risk, including the Third Party Financial Crime Risk Assessment, which builds on and supplements the capabilities offered by Cable’s Financial Crime Risk Assessment.
This document details the methodologies used in Cable’s Third Party Financial Crime Risk Assessment. The methodology is based on regulatory guidance, industry experience, and user feedback. It enables a firm to automatically take into account the risk ratings of its partners and produces an aggregate assessment of risks faced by a firm on its own and across its third party portfolio.
As with all of Cable’s products, the Third Party Financial Crime Risk Assessment is highly configurable to each firm’s own risk appetite. Users are always able to manually adjust any automatically calculated risk rating as needed to reflect their own assessment of risk.
Financial Crime Risk Assessment
Cable’s Financial Crime Risk Assessment is a tool that firms can use to assess their own risk, and an overview of the risk assessment, as well as a detailed methodology, can be found here. It is advisable to read that methodology before continuing with this one.
Using the Third Party Financial Crime Risk Assessment
A firm using Cable’s Financial Crime Risk Assessment can invite their third parties to complete their own financial crime risk assessment through Cable. Any invited third party will go through the same process of completing the questionnaire, mapping controls to Risks, inputting control adequacy and effectiveness scores, and approving a complete risk assessment. Once approved internally, a third party will have the ability to submit the risk assessment to the firm for review and approval, and it is at this point that firms are able to review their third party’s risk assessments.
Once reviewed, if a firm is comfortable with a third party’s risk assessment, it can approve it. On approval, the third party’s risk assessment is incorporated into the firm’s own risk assessment in two ways, both of which affect inherent risk scores only; no changes are made to residual risks. First, the third party’s customer and transaction risks are incorporated into the corresponding Risks across the firm’s risk assessment. Second, the third party’s overall risk is incorporated by introducing (or, if it already exists, updating) a Risk called Third Party Risk under the Customer Risk high level Risk Area. The methodology below details how this happens.
Methodology
Incorporating the Third Party’s Customer and Transaction Risks
Risk Areas
Firms should take into account the risks associated with their third parties’ underlying customers and transactions. To achieve this, Cable automatically produces an aggregate inherent risk rating across the firm and all approved third parties for each Risk within the following five Risk Areas:
- Geographic Risk
- Customer Risk
- Product/Services Risk
- Transaction Risk
- Typology Risk
Risk Weightings
The inherent risks in the Risk Areas of Customer Risk, Product/Services Risk, Transaction Risk and Typology Risk are all updated to include the third party risk ratings through a weighted average approach, as follows:
- First, each third party is weighted according to the total number of customers it has. Anyone completing the questionnaire in the Financial Crime Risk Assessment provides their number of customers in one of the following buckets, which carry the corresponding weightings:
  - <50,000 customers, weighted at 1x
  - 50,000 - 250,000 customers, weighted at 5x
  - >250,000 customers, weighted at 10x
- Second, the firm is weighted according to its total number of direct customers, using the same buckets and weightings.
- Third, using these weights, for each Risk in the relevant Risk Areas a weighted average of the inherent risk ratings of the firm and each third party is calculated.
For Geographic Risk, a different methodology is used:
- For each Risk in this risk area, the maximum inherent risk rating across the firm and all third parties is determined to be the final inherent risk rating for that Risk.
There is no change to the weighting methodology for Risk Area risk ratings or business-wide risk ratings, described in the Financial Crime Risk Assessment Methodology.
New Risks
If a third party has a Risk that the firm has not enabled, that Risk is enabled for the firm. Its inherent risk is calculated using the methodology above, with the firm’s own inherent risk rating for that Risk automatically set to 1 as its input.
When a Risk is added in this way, the firm is required to review it, input appropriate controls and assess their efficacy to generate the residual risk. Only once this is done can the firm finalize and approve its own risk assessment.
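The aggregation described above, as an added worked example; this is illustrative code written for this page, not Cable’s implementation. It applies the customer-count bucket weights, the weighted average for the four Risk Areas, the maximum for Geographic Risk, and the rule that a Risk the firm did not previously have enters the average with the firm’s rating set to 1. The numeric rating scale (1 = lowest), the bucket assignment of exactly 250,000 customers, the exclusion of partners that do not have a given Risk from that Risk’s average, and all sample ratings are assumptions, since the page does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumption: ratings are numeric with 1 as the lowest inherent risk. The page only
# says a newly enabled Risk enters the average with the firm's rating "set to 1".
MIN_RATING = 1.0

WEIGHTED_AREAS = ("Customer Risk", "Product/Services Risk", "Transaction Risk", "Typology Risk")
MAX_AREA = "Geographic Risk"


def customer_weight(customers: int) -> int:
    """Bucket weights from the methodology: <50k -> 1x, 50k-250k -> 5x, >250k -> 10x.
    Assumption: exactly 250,000 customers falls in the 50k-250k bucket."""
    if customers < 50_000:
        return 1
    if customers <= 250_000:
        return 5
    return 10


@dataclass
class Entity:
    """The firm or one approved third party; inherent ratings keyed area -> risk -> rating."""
    name: str
    customers: int
    inherent: Dict[str, Dict[str, float]]


def aggregate_inherent(
    firm: Entity, partners: List[Entity]
) -> Tuple[Dict[str, Dict[str, float]], Set[Tuple[str, str]]]:
    """Return (aggregated inherent ratings, set of (area, risk) newly enabled for the firm)."""
    aggregated: Dict[str, Dict[str, float]] = {}
    new_risks: Set[Tuple[str, str]] = set()
    entities = [firm] + partners

    for area in WEIGHTED_AREAS + (MAX_AREA,):
        risk_names: Set[str] = set()
        for e in entities:
            risk_names.update(e.inherent.get(area, {}))
        for risk in sorted(risk_names):
            if risk not in firm.inherent.get(area, {}):
                new_risks.add((area, risk))  # firm must add controls before approving
            if area == MAX_AREA:
                # Geographic Risk: maximum across the firm and all third parties that have it
                rating = max(e.inherent[area][risk] for e in entities if risk in e.inherent.get(area, {}))
            else:
                numerator, denominator = 0.0, 0
                for e in entities:
                    weight = customer_weight(e.customers)
                    if risk in e.inherent.get(area, {}):
                        value = e.inherent[area][risk]
                    elif e is firm:
                        value = MIN_RATING  # firm's input for a newly enabled Risk is auto-set to 1
                    else:
                        continue  # assumption: a partner without this Risk is left out of the average
                    numerator += weight * value
                    denominator += weight
                rating = numerator / denominator
            aggregated.setdefault(area, {})[risk] = rating
    return aggregated, new_risks


# Constructed sample data (not from the page) on the assumed 1-5 scale.
FIRM = Entity("Firm", 300_000, {                      # >250k customers -> weight 10
    "Customer Risk": {"Politically exposed persons": 2},
    "Geographic Risk": {"High-risk jurisdictions": 2},
})
PARTNER_A = Entity("Partner A", 30_000, {             # <50k customers -> weight 1
    "Customer Risk": {"Politically exposed persons": 5},
    "Geographic Risk": {"High-risk jurisdictions": 4},
    "Typology Risk": {"Money mule accounts": 5},      # a Risk the firm does not have
})
PARTNER_B = Entity("Partner B", 100_000, {            # 50k-250k customers -> weight 5
    "Customer Risk": {"Politically exposed persons": 3},
    "Geographic Risk": {"High-risk jurisdictions": 3},
})


def example() -> Tuple[Dict[str, Dict[str, float]], Set[Tuple[str, str]]]:
    return aggregate_inherent(FIRM, [PARTNER_A, PARTNER_B])


if __name__ == "__main__":
    ratings, enabled = example()
    for area, risks in ratings.items():
        for risk, rating in risks.items():
            flag = "  (new Risk: controls required before approval)" if (area, risk) in enabled else ""
            print(f"{area} / {risk}: {rating:.2f}{flag}")
```

With this sample data the Politically exposed persons rating becomes (10·2 + 1·5 + 5·3) / 16 = 2.5, High-risk jurisdictions takes the maximum of 4, and Money mule accounts is enabled for the firm at (10·1 + 1·5) / 11 ≈ 1.36. That last figure shows a property of the method worth checking in practice: because the firm’s auto-set rating of 1 carries the firm’s own customer weight, a Risk rated at the top of the scale by a small partner arrives in the firm’s assessment near the bottom of the scale. Where that understates the firm’s view of the risk, the rating can be adjusted manually, as noted in the introduction.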
Incorporating the Third Party’s Overall Risk
As well as considering the risk of a third party’s underlying customers and transactions, firms should also consider any risks posed to the firm by the third party itself, for example any historic compliance issues or high risk processes and systems at the partner that are not addressed through appropriate controls.
To achieve this, a new Third Party Risk within the Risk Area of Customer Risk is enabled for the firm. The inherent risk score of this new Risk is set at the highest overall business-wide residual risk across all third parties.
As with all new Risks, the firm will be required to review, input appropriate controls and assess their efficacy to generate the residual risk. Only once this is done will the firm be able to finalize and approve their own risk assessment.
For any questions or comments about Cable’s DCRA, or to learn more about Cable, please visit our website at cable.tech or email customers@cable.tech.