Third party risk management is not just for suppliers, IT vendors and service providers. In many cases, subsidiaries or other organizations within your own enterprise, and even well-known business customers, should be brought into the third party risk management program.
The problems at Deutsche Bank and Danske Bank reminded me of a conversation I had with a CISO at a large high tech equipment manufacturer. We were discussing best practices in third party risk management. I asked him what types of companies he was monitoring, and he told me that among them were his company's own subsidiaries. He was putting those subsidiaries through the same hoops as any other third party vendor: classifying them into three risk categories, doing deep dives and continuous monitoring on the higher risk ones, and documenting certification and accreditation for all of them.
The Financial Times today recounted Deutsche’s current regulatory rows — money laundering by Regula, a former subsidiary it had acquired in the British Virgin Islands, and Deutsche’s role as a correspondent bank processing over €160 billion in suspicious payments for Danske Bank Estonia. And of course Danske Bank Estonia was itself a subsidiary acquired by Danske.
Being “in the family,” Regula and Danske Bank Estonia apparently did not get enough scrutiny from their parents. Had they been treated as high risk third parties, the risks and the lack of effective controls to prevent money laundering might have been discovered earlier, avoiding the heavy supervisory presence and regulatory investigations that the parents now enjoy.
Also, Danske Estonia’s use of Deutsche Bank, rather than its own parent, to transfer money out of Estonia could have helped it bypass parental scrutiny. Should Deutsche have raised a red flag — like a neighbor who lets the neighbor kid smoke pot in her backyard? Deutsche didn’t raise a red flag, instead stating that it wasn’t responsible for validating the source of the funds — that was Danske’s problem.
Yet now it has all come back on Deutsche, and the lesson for the rest of us is this — when a lot of money is on the line, treat your family and your friends as acquaintances.
1 — Bring high risk subsidiaries into your third party risk management program.
2 — Bring high risk customers into your third party risk management program as well.