APIs a ‘Game Changer’ for Third-Party Oversight – BNY Mellon EMEA Commercial Lead

Regulated banks are looking to application programming interfaces (APIs) and vendor control dashboards to manage their third-party operations.

This comes as UK regulators propose new rules aimed at zeroing in on third- and fourth-party risk.

On December 5, 2019, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority jointly released a series of consultation papers aimed at strengthening the operational resilience of financial services and modernizing the regulatory framework on outsourcing and third-party risk management.

As a result, institutional firms are looking at new ways of managing vendors and gaining deeper insight into their resilience and recovery capabilities.

Speaking during a panel discussion at the Summit for Asset Management in London on March 10, Marc Rubenfeld, head of sales for Europe, the Middle East and Africa at BNY Mellon Data and Analytics Solutions, said standard APIs provide a unique opportunity to “unlock data” and can enable instant access to operational data.

“Being able to open up data to anyone who has the right permissions to access that data on demand is really a game changer,” Rubenfeld said.

On the use cases for APIs, he said, “As you look for and work with a service provider that has access to provision data through an API, you no longer have to call them up and say, ‘Can you give me a file every Friday at 3pm local time that has this column, that column’, and when you want another column, you have to make a request.”

With an API, Rubenfeld said, a user could extract that data whenever it was needed.

The ability to access vendor data will become particularly important as the new rules will expect heavily regulated institutions to obtain detailed information about their third parties’ operations and impact tolerances, as part of ensuring that critical services can recover in time to avoid “intolerable risk”, the consultation papers said.

However, rather than requesting this information from third parties, which can cost vendors a large amount of time, Rubenfeld said APIs and control framework dashboards could be used to monitor vendor activity and map systems directly.

Jamie Smith, director of international technology at Eze Castle Integration, who was also speaking on the panel, said responding to multiple client requests for operational data will be tough, but in some cases, the provider already has processes in place to manage this.

“It depends on where your systems are and what you are doing with them. For us, we often have a lot of reports that we can give to the clients anyway. A lot of the questions they might come in with, we’ve got runbooks and workflows that we stick to … and that will get provided at onboarding so that they know what our process is,” Smith said.

Also important when managing vendors is maintaining relevant oversight within the organization, he said. While some firms have looked to outsource entire functions and businesses to third parties as a way of cutting costs and reducing internal headcount, he noted that recently there has been more appreciation of having key stakeholders that understand the outsourced technologies, and retaining that knowledge within the bank or buy-side firm.

There is a need for a “champion”, who can lead the integration of a vendor’s technology and enable it to “flourish” in the best way for that organization, Smith said.

“Managing your outsourcing provider becomes really critical, because if you get rid of all your stakeholders, and you expect someone else to care about your business as much as you do, it’s just not going to happen. So having someone internally often helps, because we are now directed to someone who understands what we’re trying to achieve together,” Smith said.