Federal Reserve Bank of Atlanta

05/08/2024 | Press release | Distributed by Public on 06/08/2024 01:23

Third-Party Risk: Focus on Cyber

My colleague Jessica Washington recently blogged about the four-corner payments model as a useful framework for understanding the responsible parties in the payments system. The model shows the minimum number of parties required to conduct clearing and settlement. (The answer is four: the payee, the payer, and their respective financial institutions.)

Jessica pointed out that various fintechs and third-party service providers can be inserted into this model. In remarks on July 17, 2024, Acting Comptroller of the Currency Michael Hsu amplified this point with a graphic that shows where the various partners to a payment transaction may sit:

Source: Acting Comptroller of the Currency Michael Hsu, Remarks Before the Exchequer Club, "Size, Complexity, and Polarization in Banking," July 17, 2024.

This model is relevant to understanding consumer protection, anti-money laundering and Bank Secrecy Act compliance, and the cybersecurity infrastructure underpinning a payments chain. Recent disclosures of cybersecurity incidents to the Securities and Exchange Commission (SEC) reveal how often third-party vendors are the source of breaches or service interruptions. For example, in a July 1 filing a fintech company reported that the third-party issuer of its debit card experienced a cybersecurity incident that compromised card users' personal information. The fintech's own information systems were not compromised.

Such events are not limited to the payments industry. If you wanted to buy a car in June, you probably remember that many auto dealers were reduced to using paper and pen for purchase and loan transactions when an incident brought down a provider of auto-dealer sales and account software. At least five publicly held auto dealers filed SEC reports describing the incident.

And who can forget the many health care providers who were unable to get insurers' approvals for procedures, or to bill for services, earlier this year in the wake of the cyberattack on a widely used insurance software package for medical practices and hospitals?

For payments providers, the interconnected payments chain heightens the risk of exposure to a third party's data breach or service interruption. As I have previously blogged, some 100,000 credit union members lost access to digital accounts due to an attack on a third-party service provider late last year. The FDIC recognized the danger of such supply chain attacks in its 2024 Risk Review:

Supply chain attacks on third-party providers of software, hardware, and computing services remain an important source of risk to the financial industry. Compromised third-party software can result in disclosure of credentials or confidential data, corruption of data, installation of malware, and application outages.

A risk manager I know says it's shortsighted to look at this category of cyber risk as simply the need to manage an inventory of third-party software or perform regular risk reviews of vendors and customers. In addition to constant monitoring and assessment, more partnerships and information sharing in the payments supply chain like that envisioned by the US Treasury Department's Project Fortress can strengthen defenses across the chain.

By Claire Greene, Center Director in the Retail Payments Risk Forum at the Atlanta Fed