Direct Customer Risk Assessment Methodology
Version 1.0 - February 2023
Financial institutions that engage in relationships with third parties, such as partner banks, Banking-as-a-Service platforms, or other similar financial service providers, should exercise appropriate financial crime compliance oversight of their third parties and implement effective measures for third-party risk management to meet regulatory requirements and expectations. This requires institutions to understand both the financial crime risk posed by each third party and how that relationship affects the institution’s own risk profile.
Cable provides a suite of tools enabling institutions to achieve this understanding and effectively manage third-party risk, including Cable’s Direct Customer Risk Assessment (DCRA), which builds on and supplements the capabilities offered by Cable’s Risk Assessment.
The methodology for Cable’s Risk Assessment is described in separate documentation available from Cable and should be referenced for a complete summary of all methodologies underlying Cable’s DCRA.
This document details the methodologies used in Cable’s DCRA. The DCRA is based on regulatory guidance, industry experience, and user feedback. It enables an institution to automatically take into account the risk ratings of its third parties and produces an aggregate assessment of risks faced by an institution on its own and across its third-party portfolio.
As with all of Cable’s products, the DCRA is highly configurable to each institution’s own risk appetite. Users are always able to manually adjust any automatically calculated risk ratings as needed to reflect their own assessment of risk.
Cable’s Risk Assessment
Cable’s Risk Assessment is a financial crime risk assessment tool that can be used by institutions to understand the risk posed by each of their third parties.
Each third party that completes Cable’s Risk Assessment receives inherent and residual risk ratings across a wide range of risk categories within 10 high-level financial crime risk areas, as well as an overall business-wide inherent and residual risk rating.
The 10 high-level risk areas are as follows: Regulatory Risk, Operational Risk, Geographic Risk, Size and Nature of Business Risk, Processes and Systems Risk, Product/Services Risk, Delivery Channel Risk, Customer Risk, Transaction Risk, and Typology Risk.
Cable’s Direct Customer Risk Assessment
Cable’s DCRA then enables institutions to understand how each of their third-party relationships affects their own risk profile by leveraging the outputs of Cable’s Risk Assessment. After an institution and its third parties have gone through Cable’s Risk Assessment, the institution can use Cable’s DCRA to integrate the relevant risk ratings from its third parties into the institution’s own risk ratings.
The DCRA provides a comprehensive approach for institutions to account for risks across their third-party portfolio by assessing risk at an underlying customer and transaction level as well as at the third-party level.
Fintech Diligence and Onboarding Administration
Institutions also need to be able to easily demonstrate effective oversight and risk management of their third parties.
Cable’s DCRA helps institutions achieve this by providing easy workflows to collect and record company profile information and key documentation from each third party. Additionally, it gives institutions access to essential third-party portfolio risk information and streamlined processes to obtain senior management or other stakeholder approval of their risk assessment.
Risk Rating Aggregation Methodologies
The DCRA methodology is composed of two parts, which together account for risks to an institution that are posed by its third parties’ underlying customers and transactions, as well as risks posed by a third party itself.
Part 1
Institutions should take into account the risks associated with their third parties’ underlying customers and transactions for financial crime compliance purposes.
To achieve this, the risk ratings for select risk areas related to third parties’ underlying customers and their transactions should be integrated into the institution’s own risk ratings. For institutions, this means that, among the 10 high-level risk areas in Cable’s Risk Assessment, the DCRA produces an aggregate risk rating for the risk categories within the following five risk areas:
- Geographic Risk
- Customer Risk
- Product/Services Risk
- Transaction Risk
- Typology Risk
The following steps set out how the risk ratings of an institution and its third parties for each risk category in these areas are consolidated into a final aggregate risk rating through a weighted average approach (with one exception, described further below):
- First, each third party is weighted according to its total customer number.
- Second, the institution’s own pool of customers that it serves directly (i.e., not through a third party) is weighted in the same way, based on its total customer number.
- Third, using the weights determined above, for each risk category in the relevant risk areas, a weighted average of the inherent risk ratings from each third-party and the institution is calculated.
- Fourth, for each risk category, the weighted average inherent risk rating calculated above is compared to the inherent risk rating generated in the institution’s own risk assessment, and the greater value is determined to be the final inherent risk rating for that risk category.
This approach gives priority to the institution’s own determination: if the institution’s own risk assessment has the greater risk rating for a particular risk category, that rating takes precedence over the aggregate rating, since the institution may have more complete information informing a more holistic assessment of the risks it faces.
An exception to the above methodology is implemented for the high-level risk area of Geographic Risk as follows:
- For each risk category in this risk area, the maximum inherent risk rating from among the third parties and the institution is determined to be the final inherent risk rating for that risk category.
Taking these steps together, Cable’s DCRA enables an institution to automatically integrate risks from its third parties’ underlying customers and transactions into the institution’s own risk assessment.
Part 2
Beyond accounting for risks from third parties’ underlying customers and transactions, institutions should also consider any risks posed to the institution by a third party itself (e.g., historic compliance issues or high-risk processes and systems at the third party that are not addressed through appropriate controls).
To achieve this, Cable’s DCRA enables an institution to account for third parties’ overall business-wide risk ratings – which reflect all 10 high-level risk areas – in its own risk assessment as follows:
- The Customer Risk area includes an additional risk category for “Third Party Programs” that encompasses the institution’s third parties, with an inherent risk rating determined to be the greatest overall business-wide residual risk rating across all third parties.
As a result, Cable’s DCRA also lets an institution automatically update its own risk assessment to reflect risks that may come from a third party itself, whether due to the presence of high-risk factors across the 10 risk areas or insufficient controls at the third party to effectively mitigate those risks.
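The two aggregation rules above, Part 1’s customer-weighted average with its Geographic Risk exception and Part 2’s “Third Party Programs” category, worked through in Python as an added example; this is not Cable’s code. The numeric 1 to 5 rating scale, the entity names, the risk categories and the customer counts are constructed assumptions, since the methodology does not fix them.

```python
from dataclasses import dataclass

# The five risk areas whose categories are aggregated in Part 1.
PART1_AREAS = {"Geographic Risk", "Customer Risk", "Product/Services Risk",
               "Transaction Risk", "Typology Risk"}

@dataclass
class Entity:
    """An institution or one third party. Ratings are assumed to be numeric
    (1 = lowest, 5 = highest); the methodology does not fix a scale."""
    name: str
    customers: int            # total customer number, used as the weight
    inherent: dict            # (risk area, risk category) -> inherent rating
    residual_overall: float = 0.0  # business-wide residual rating (third parties)

def weighted_average(entities, key):
    """Customer-weighted average of one risk category across all entities."""
    total = sum(e.customers for e in entities)
    return sum(e.customers * e.inherent[key] for e in entities) / total

def aggregate_part1(institution, third_parties):
    """Part 1: final inherent rating per category. Categories outside the
    five Part 1 areas keep the institution's own rating."""
    everyone = [institution, *third_parties]
    final = {}
    for key, own in institution.inherent.items():
        area, _category = key
        if area not in PART1_AREAS:
            final[key] = own
        elif area == "Geographic Risk":
            # Exception: maximum across the institution and all third parties.
            final[key] = max(e.inherent[key] for e in everyone)
        else:
            # Weighted average, floored at the institution's own assessment.
            final[key] = max(weighted_average(everyone, key), own)
    return final

def third_party_programs_rating(third_parties):
    """Part 2: the 'Third Party Programs' category takes the greatest
    business-wide residual rating among the third parties."""
    return max(tp.residual_overall for tp in third_parties)

# Constructed sample data (not from the page): one institution, two third parties.
PEPS, CASH, GEO = (("Customer Risk", "PEPs"), ("Transaction Risk", "Cash intensity"),
                   ("Geographic Risk", "High-risk jurisdictions"))
INSTITUTION = Entity("Bank", 10_000, {PEPS: 2, CASH: 4, GEO: 2,
                                      ("Operational Risk", "Staff turnover"): 3})
THIRD_PARTIES = [Entity("Fintech A", 30_000, {PEPS: 4, CASH: 2, GEO: 3}, residual_overall=3),
                 Entity("Fintech B", 10_000, {PEPS: 3, CASH: 3, GEO: 5}, residual_overall=4)]
```

With this data the PEPs category rises to 3.4 (the weighted average exceeds the institution’s own 2), Cash intensity stays at the institution’s own 4 (its rating beats the 2.6 average), and the Geographic category takes the maximum, 5.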
For any questions or comments about Cable’s DCRA, or to learn more about Cable, please visit our website at cable.tech or email customers@cable.tech.