The Other Side of the Risk Framework

Reflections on customer risk, third-party risk, and what often gets blurred

Most conversations about a bank’s risk management framework eventually gravitate toward customer risk. We talk about onboarding, KYC, ongoing monitoring, client behaviour, source of wealth, and so on: all familiar territory. And that makes sense: customers are visible, tangible, and sit right at the front line of most control frameworks.

But something important often gets lost along the way: third-party risk.

When I joined my current employer, I remember being told that our work focused on three distinct segments: customer risk, third-party risk, and pre-IPO due diligence. At the time, that framing stuck with me: partly because it was so clear, and partly because it highlighted how easily these concepts get blurred in practice. Even today, many people struggle to articulate the difference between customer risk and third-party risk, let alone manage them in distinct ways.

So I thought I’d spend this week’s note unpacking that distinction and why the latest guidance from the Bank for International Settlements (BIS) suggests the industry needs to pay far more attention to the second category than it traditionally has.

Customer risk is familiar. Third-party risk is not.

Customer risk is intuitive. A direct client relationship, say a high-net-worth individual in wealth management, comes with clear obligations around due diligence, monitoring, and escalation. The risks are personal, behavioural, and relatively well understood.

Third-party risk, by contrast, tends to arise indirectly. It often involves corporate structures, supply chains, service providers, vendors, or partners that sit one or two steps removed from the bank’s direct relationship. A classic non-banking example would be a global manufacturer expanding into a new country and relying on a local supplier for a critical component. In banking, the equivalent might be cloud providers, fintech partners, data processors, outsourced compliance services, or even intragroup service centres operating across borders.

What makes third-party risk tricky is that it doesn’t always feel like risk. These arrangements are usually entered into for good reasons: efficiency, expertise, scalability, resilience. And yet, as the BIS makes clear, they can become single points of failure if not properly understood and governed.

Asking the right questions

The latest BIS guidance did not introduce any radical new concepts. Banks have always outsourced. What has changed is the scale, complexity, and criticality of third-party dependencies, particularly as digitalisation accelerates and supply chains lengthen.

The key takeaway? In today’s interdependent business world, third-party risk is tightly linked to operational resilience, concentration risk, systemic stability, and even the bank’s ability to meet its regulatory obligations in a crisis.

In other words, the question is no longer simply: “Is this vendor reliable?”
It’s increasingly: “What would happen to us if this service failed?”

Where banks often underestimate the risk

The BIS guidance explicitly challenges a few comfortable assumptions.

First, intragroup arrangements are not automatically safer. Shared ownership does not eliminate operational, geopolitical, or concentration risk. A service centre in another jurisdiction can still fail, be disrupted, or become inaccessible.

Second, third-party risk doesn’t stop at the first counterparty. Supply chains matter. “Nth parties”, such as the subcontractors of your service provider, may be just as critical to delivery, even though the bank has no direct contractual relationship with them.

And third, documentation and contracts are necessary but insufficient. Registers, SLAs, and certifications help, but they do not replace ongoing understanding of how critical services are delivered, where dependencies sit, and how easily they can be substituted if something goes wrong.

Dynamic risk mapping vs. a static onboarding checklist

Another highlight relates to a somewhat basic, yet often ignored, precaution: viewing risks dynamically, and not just at the client level but also at the third-party level.

That means the Board must understand where the institution is genuinely dependent on a small number of providers. It means senior management being clear on what services are truly critical. And it means risk and compliance teams being comfortable asking uncomfortable questions about exit strategies, concentration, and resilience, even when the third party is a trusted long-standing partner.
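To make the difference between a register and a map concrete, here is an added example that is not part of the original note or of the BIS guidance. It builds a small dependency graph from a constructed third-party register (every service, provider and subcontractor name is made up for illustration, and the set of providers with a tested substitute is an assumption), then walks it to find nth parties, concentration across critical services, and providers that would be single points of failure. Note that the intragroup service centre and the cloud host with no direct contract both surface, which a checklist of first-tier vendors would not show.

```python
"""Dependency mapping over a constructed third-party register.

Added example for illustration only: the register, service names and
provider names below are constructed and do not describe any real bank.
"""
from collections import defaultdict

# Constructed register: each critical service lists its direct providers.
CRITICAL_SERVICES = {
    "payments": ["CorePay Ltd"],
    "client_onboarding": ["KYC-as-a-Service", "Group Shared Services"],
    "trading": ["MarketData Inc", "Group Shared Services"],
}

# Each provider lists its own subcontractors (the "nth parties" the bank
# has no contract with). Also constructed.
SUBCONTRACTORS = {
    "CorePay Ltd": ["CloudHost A"],
    "KYC-as-a-Service": ["CloudHost A", "IdentityDocs Co"],
    "Group Shared Services": ["CloudHost A"],
    "MarketData Inc": [],
    "CloudHost A": [],
    "IdentityDocs Co": [],
}

# Assumption: providers for which a documented, tested exit strategy exists.
HAS_SUBSTITUTE = {"MarketData Inc", "IdentityDocs Co"}


def transitive_dependencies(service):
    """Return every provider a service ultimately depends on, mapped to its
    depth in the chain (1 = direct contract, 2 = subcontractor, ...)."""
    depth = {}
    frontier = [(p, 1) for p in CRITICAL_SERVICES[service]]
    while frontier:
        provider, d = frontier.pop()
        # Keep the shortest path seen so far; skip longer duplicates.
        if provider in depth and depth[provider] <= d:
            continue
        depth[provider] = d
        for sub in SUBCONTRACTORS.get(provider, []):
            frontier.append((sub, d + 1))
    return depth


def concentration():
    """Map each provider to the set of critical services that rely on it,
    directly or through the supply chain."""
    exposure = defaultdict(set)
    for service in CRITICAL_SERVICES:
        for provider in transitive_dependencies(service):
            exposure[provider].add(service)
    return dict(exposure)


def single_points_of_failure(threshold=2):
    """Providers underpinning at least `threshold` critical services that
    have no tested substitute: the uncomfortable questions start here."""
    return sorted(
        provider
        for provider, services in concentration().items()
        if len(services) >= threshold and provider not in HAS_SUBSTITUTE
    )


if __name__ == "__main__":
    for service in CRITICAL_SERVICES:
        print(service, transitive_dependencies(service))
    print("concentration:", concentration())
    print("single points of failure:", single_points_of_failure())
```

Run against the constructed register, the walk shows that all three critical services end up on "CloudHost A" through different first-tier contracts, and that the intragroup centre carries two of them; neither has a substitute, so both are flagged. Lowering the threshold to 1 lists every provider without an exit plan.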

Why this matters now

As banks increasingly rely on technology providers, cloud infrastructure, data platforms, fintech partnerships, and cross-border service models, third-party risk quietly becomes one of the most powerful amplifiers of risk in the system. When it goes wrong, it rarely fails gracefully.

The BIS guidance reframes third-party risk as a core prudential issue, not an operational afterthought. And it does so in a way that encourages proportionality: recognising that not all third-party arrangements are equal, but that the most critical ones deserve far more scrutiny than they sometimes receive.

A closing thought

Customer risk will always be front and centre in banking. It’s visible, personal, and heavily regulated. But third-party risk is where complexity, scale, and interconnectedness quietly accumulate.

The latest BIS guidance reinforces the notion that banks are increasingly judged not just by the risks they take directly, but by the risks they depend on others to manage.

As always, if this topic is landing on your desk as well and you’re thinking through how your institution draws the line between customer risk and third-party risk, I’m very happy to compare notes.

These distinctions all sound very academic. Until they aren’t.

Thanks for reading,
Alexey