1. Third Party Risk Management Program
1.1. Overview
Collaborating with Fintech firms and telecom operators has become essential for banks in
Ethiopia to stay competitive and drive growth. Partnering with these entities can provide new
capabilities and innovative solutions. It may be more efficient and cost-effective for banks to
partner with Fintech firms rather than develop these capabilities internally. In addition to
traditional vendors, AB is increasingly utilizing new types of partnerships to improve efficiency,
reduce costs, and enhance its digital offerings and expand its reach. The number and complexity
of relationships with third parties continue to increase.
In order to maximize the strategic advantages of collaborating with third parties,1 the Bank needs
to carefully select them and proactively manage and monitor the risk factors associated with these
relationships. Poorly managed third parties may introduce new risks or increase existing risks,
leading to financial losses, damage to reputation, regulatory issues, and operational disruptions.
Certain vendors may access, store, or handle the Bank's intellectual property, records, data, and
network, which can create cybersecurity and data privacy concerns. Some of them may violate
applicable laws and regulations, as well as breach the Bank’s ethical culture and operating
standards.
The NBE has recently made it clear that protecting consumer data and privacy is now a serious
legal and regulatory compliance issue in Ethiopia. While banks can delegate certain activities to
third parties, they cannot relinquish their responsibility for safeguarding consumers from
potential harm caused by those third parties. This means that the Bank must ensure that its
financial consumers are shielded from any predatory behavior that may arise from the third
parties they engage with.
Therefore, it is important for the Bank to identify, assess, monitor, and control risks related to
third-party relationships.
1 Includes all business arrangements between the Bank and another entity, by contract or otherwise.
1.2. Elements of sound third-party risk management system
1.2.1. Board and senior management oversight
i. Board oversight
The BoD shall:
a) Understand the nature of the Bank’s third-party relationships and how management is
managing these risks.
b) Ensure that activities performed on behalf of the Bank are performed in a safe and sound
manner and in compliance with applicable laws and regulations.
c) Ensure that management allocates appropriate resources towards managing potential risks
from third-party relationships.
d) Ensure that management has a complete risk-ranked inventory of critical services
provided by third parties.
e) Ensure that internal audit performs periodic review of the key controls associated with a
third-party risk management program.
f) Ensure that the Bank signs contracts or formal agreements once it decides to engage any
third party, and that it has a complete understanding of all elements that need to be
considered before doing so including but not limited to the controls and processes in
place and in use at that third party.
g) Seek periodic updates from the ERCMF regarding third-party risk exposures.
h) Determine the approach the Bank should take to perform due diligence on its third-
parties. That is, whether the assessment shall be made only at the beginning of the
relationship or periodically to assess its longstanding relationships.
i) Ensure that management handles off-boarding relationships with vendors carefully.
ii. Senior management oversight
The senior management shall:
a) Establish third-party due diligence processes and monitor potential risk exposures associated
with these relationships.
b) Ensure that third-parties meet the Bank’s internal control standards, especially in dealing
with customer data.
c) Off-board relationships with vendors, including processes to ensure destruction of
sensitive data at third parties?
iii. Business units
Business units shall:
a) Own the third-party business relationship and day-to-day oversight.
b) Identify, measure, monitor and report risks generated by business third-party
relationships.
c) Categorize or tag third parties with whom they are working in a consistent way based on
the service they provide. Different services provided by a single vendor should prompt
additional evaluations.
d) Assess risk for each relationship and determine the level of diligence to tailor needs to
specific circumstances.
e) Track regular metrics related to third parties’ activities, controls, performance, and
compliance to ensure that circumstances still warrant maintaining the business
relationship.
iv. ERCMF
The ERCMF shall:
a) Design and own the third-party risk management framework.
b) Provide an independent, risk-based viewpoint and guide the first line of defense in its risk
responsibilities.
c) Maintain a complete inventory of the Bank’s third-party relationships and periodically
conduct risk assessments for each third-party relationship.
d) Identify the Bank’s critical activities and the third-party relationships that support these
critical activities.
e) Apply a sound methodology to designate which activities and third-party relationships
receive more comprehensive oversight.
f) Treat the amount the Bank spends with a third party as part of the risk calculation, but not
as the sole criterion: a third party that represents a relatively minor expense may present
significant risk depending on the nature of its services.
v. Internal audit
Internal audit shall:
a) Independently assess adherence to the TPRM framework and provide assurance that the
third-party risk management process is functioning as designed.
These are not part of the document.
Both guests discussed the importance of robust monitoring programs that include
regular audits of the riskiest third parties.
At JPMorgan Chase, Mr. Connell’s team uses a five-tier framework to assess supplier risk, categorizing
each vendor as critical, high, medium, low, or nominal risk. “Out of the 6,000 suppliers we rate, about
100 are critical; however, any between critical and low are subject to our assessment,” he said.
It calls for robust risk assessment and monitoring processes to be employed relative to third-party
relationships, and specifically those that involve “critical activities” with the potential to expose an
institution to significant risk.
The OCC specifically outlines a new third-party risk management process that is intended to cover each
relationship from end-to-end, as well as continuously, over the relationship life cycle. The following
eight phases are identified:
Planning (incorporating risk strategy, identification of inherent risks of activities, and use of third parties)
Due diligence and third-party selection
Contract negotiation
Ongoing monitoring
Termination, including contingency plans
Roles and responsibilities for oversight and relationship management
Documentation and reporting
Independent review
Third Party Vendor Management Program
Develop and maintain a comprehensive third party vendor management program. It
will go a long way in pleasing the regulators, but will also form a strong
foundation for managing third party vendor cybersecurity risks. Appoint key
personnel with specific roles and responsibilities to manage vendors and associated
cybersecurity risks. Allocate clear reporting chains and accountability. Ensure that
important areas such as classifying and optimizing vendor portfolios, formalizing
an appropriate plan for onboarding vendors, managing transitions to support changes,
and terminating relationships with vendors are in place. Also ensure that contracts,
vendor performance and vendor relationships are managed well and closely
monitored. Continuously improve the third party vendor management program by
reviewing it on an ongoing basis.
Regulatory Requirements
Ensure that you address laws, regulations, and critical standards (such as GLBA,
BSA, FACTA, PCI, NIST, and guidance from the FFIEC) applicable for financial
institutions. Regulators will expect that your third party vendor risk management
processes are in line with the level of risk and complexity of your institution’s third
party relationships. Also ensure that you evaluate your third parties and require
them to have a regulatory compliance program in place, to determine whether they
comply with applicable laws and regulations and whether the cybersecurity posture
and protection profile of the vendor aligns with that of the bank.
Third Party Vendor Risk Assessment
Perform a formal third party vendor risk assessment on a periodic basis or
whenever there is a significant change in either your technical infrastructure or
third party vendor composition. Annually review all the vendors you do business
with. For high risk vendors, make sure that you have commensurate cybersecurity
controls in place. An internal or third party assessor should review these controls
and test them for their effectiveness on a periodic basis.
Due Diligence
Due diligence should be performed on all the significant third party vendors
serving your institution. One of the main things to consider when performing due
diligence is to review the vendor’s financial stability and monitor it on an ongoing
basis. The goal is to keep validating and reinforcing that the vendor meets the
standards and stability required to provide the service or product to your bank
without causing any risk to your environment or continued operations.
Monitor Continuously
Banks should continuously monitor third party vendors. Review contracts and
agreements, appoint personnel to monitor the vendors, review SSAE18/SOC
reports from the vendors, and also test the bank's controls that are in place specifically
to address vendor connections and information flows, to see how robustly they are
able to manage risks that could potentially arise from vendors. Banks should
periodically rank third-party vendor relationships in accordance with their risk
profile to determine which vendors require closer monitoring. Lastly, it is a good
idea to have your third party vendors perform comprehensive security reviews of
their technical infrastructures. Such reviews include deep-dive, configuration-level
cybersecurity assessments that go to the nuts and bolts of every technical
component that a vendor uses in its organization. Comprehensive security reviews,
owing to their highly technical and deep focus, can provide a significant marker of
cybersecurity health to you and enable confidence in your vendor’s cybersecurity
posture.
Tools
Technological advancements have meant that there is a sea of data constantly
moving in and out of organizations. Given the challenging nature of monitoring
and control in such an environment, tools can act as powerful accelerators to
increase the efficiency and accuracy of third party vendor management and also
provide real-time data with analyses. This will enable you to make more informed
decisions and even provide predictive insights into trends, patterns and warning
indicators.
Fourth Party Risk
A fourth party is your third party’s third party, and you need to focus on them too.
You need to know about all the critical vendors your third party relies on. Verify
how capable your third party vendors are in monitoring their critical vendors and
also review your vendor’s policies and procedures in place pertaining to vendor
management. Ensure that your contracts specify that the critical services that are
performed by your bank’s vendors cannot be further outsourced.
Looking Forward
Regulations impacting vendor management will continue to change and evolve for
financial institutions as they should, because they need constant attention. Third
party vendor management should not be a reactive response to changes in
technology and regulations.
Rather, it should be a proactive approach towards making a better and standardized
life cycle of vendor relationships. Board members and management must become
more agile and adaptive in their approach towards third party vendor selection and
management.
At the end of the day, what you want is to make sure that your vendors are taking
cybersecurity as seriously as you do.