Is Using Multiple Third-Party Data Providers the New Normal?

In today's complex business landscape, compliance professionals managing Third-Party Risk Management (TPRM) face an ever-increasing challenge: how to effectively assess and monitor the risks associated with their organization's third-party relationships. As the scope and depth of these relationships continue to expand, relying on a single source of third-party data is no longer sufficient.

The new normal in TPRM is the integration of multiple third-party data providers to create a comprehensive and nuanced view of potential risks.

The Evolution of Third-Party Data in TPRM

Traditionally, organizations have relied on a single data provider or internal assessments to evaluate third-party risks. 

Early TPRM mainly centered around manual and reactive processes.  Risk assessments relied on spreadsheets, emails, and static databases, while screening was conducted only at onboarding, with limited follow-up. Data sources included public records, watchlists, and sanctions databases, requiring manual verification.

The limitations of this are significant. Processes were often slow and inconsistent—assessments varied across teams and took weeks or months. In addition, risk coverage was limited with emerging risks (e.g., ESG, cybersecurity) often overlooked. There was no continuous monitoring, risks were only reassessed if flagged manually.

As the TPRM field evolved, centralized risk databases were designed to improve screening efficiency. These tools integrated adverse media searches, sanctions lists, and politically exposed persons (PEP) data. Basic automation reduced some manual work, but false positives remained high, requiring manual triage.

However, reliance on basic keyword matching led to high false positives and increased workloads. Limited risk categories focused mainly on bribery and corruption, neglecting cybersecurity, ESG, and geopolitical risks. In addition, updates to risk data are slowed down by human curation leading to gaps in data, especially when it comes to risk categories not covered by list data, such as adverse media. 

Risks and technologies have evolved, and these historic approaches often lead to blind spots and an incomplete risk picture. As the complexity of global supply chains and business partnerships has increased, so too has the need for more diverse and specialized data sources.

The shift towards using multiple third-party data providers is driven by several factors:

• The expanding scope of risk factors
• Increased regulatory scrutiny
• The need for real-time risk monitoring
• The desire for more accurate and comprehensive risk assessments

Types of Third-Party Data

To understand the value of multiple data providers, it's essential to recognize various types of third-party data available and how they contribute to a robust TPRM program. While these are just a few examples of risk areas companies may manage, they provide a snapshot of domains that data providers can cover.

ESG Data

Environmental, Social, and Governance (ESG) data has become increasingly important in recent years. This data provides insights into a company's sustainability practices, social responsibility, and governance structures. ESG ratings can help organizations assess the long-term viability and ethical standing of their third-party partners.

Financial Health and Performance

Financial data is crucial for assessing the stability and reliability of third-party vendors. This includes information on

• Credit ratings
• Financial statements
• Market performance
• Bankruptcy risk

By analyzing financial health data, organizations can identify potential risks related to supplier insolvency or financial instability.

Financial Crime Data

Financial crime data helps organizations identify potential ABAC risks related to money laundering, fraud, and other illicit activities. This type of data includes sanctions lists, watchlists, regulatory actions, and enforcement proceedings.

Adverse Media

Adverse media monitoring provides real-time insights into negative news or events associated with third parties. This can include:

• Reputation issues
• Legal troubles
• Operational disruptions
• Cybersecurity incidents

Adverse media data helps organizations stay ahead of potential risks and reputational damage.

InfoSec and Cyber Security

Third-party data providers play a crucial role in helping companies identify and manage information security and cyber risks by offering continuous monitoring and assessment of vendor security practices. By leveraging tools that evaluate the cybersecurity posture of external partners, organizations can proactively detect vulnerabilities, ensure compliance with regulations, and mitigate potential threats before they escalate into significant breaches.

Politically Exposed Persons (PEPs)

PEP data is crucial for identifying individuals who may pose higher risks due to their political connections or influence. This information is particularly important for compliance with anti-corruption and anti-money laundering regulations.

Supply Chain Data

Supply chain due diligence data provides visibility into the complex network of suppliers, sub-suppliers, and other entities involved in an organization's value chain. This data can include:

• Supplier locations
• Production capacities
• Shipping routes
• Inventory levels

Understanding supply chain data helps organizations identify potential disruptions and manage concentration risks.

Company Information

Comprehensive company information includes corporate structures, ownership details, management profiles, business registrations, and other datasets.

This data helps organizations understand the full scope of their third-party relationships and identify potential conflicts of interest or hidden risks.

The Limitations of Single-Source Data

While organizations need to manage their third parties within a centralized compliance platform, using only one data provider limits management capabilities. Here's why:

Incomplete Coverage: No single provider can offer comprehensive data across all risk domains and geographies.

Bias and Blind Spots: Relying on a single source may introduce bias or create blind spots in risk assessments.

Lack of Specialization: Different providers excel in different areas of risk data, and using only one may result in suboptimal insights in certain domains.

Limited Perspective: A single provider may not capture the full complexity of global risks and regional variations.

Benefits of Using Multiple Data Providers

Integrating multiple third-party data providers into your TPRM program offers several significant advantages:

Comprehensive Risk Coverage

By combining data from various specialized providers, organizations can create a more complete risk profile for each third party. This holistic view enables better-informed decision-making and more effective risk mitigation strategies.

Enhanced Accuracy and Validation

Using multiple data sources allows for cross-validation and verification of information. This can help identify discrepancies and improve the overall accuracy of risk assessments.

Specialized Insights

Different vendors provide various types of risk data, measuring different aspects of third-party risk. By leveraging specialized providers, organizations can gain deep insights into specific risk domains, such as financial crime, ESG performance, or supply chain resilience.

Real-Time Risk Intelligence

Integrating multiple data feeds enables organizations to create a dynamic risk monitoring system. This real-time intelligence allows for faster response to emerging risks and changing circumstances.

Improved Regulatory Compliance

With regulatory requirements becoming increasingly complex, using multiple data sources helps ensure compliance across various jurisdictions and regulatory frameworks.

Customization and Flexibility

Different industries and organizations have unique risk profiles and priorities. Using multiple data providers allows for greater customization of risk assessments to align with specific organizational needs and risk appetites.

Challenges and Considerations

While the benefits of using multiple third-party data providers are clear, there are challenges to consider:

Data Integration: Combining data from multiple sources requires robust integration capabilities and data standardization efforts.

Cost Management: Subscribing to multiple data providers can be expensive, requiring careful cost-benefit analysis.

Overload of Information: Managing and analyzing large volumes of data from multiple sources can be overwhelming without proper tools and processes.

Implementing a Multi-Provider Strategy

To successfully implement a strategy using multiple third-party data providers, consider the following steps:

Assess Your Needs: Identify the specific risk domains and data types most relevant to your organization and industry.

Evaluate Providers: Research and evaluate different data providers based on their specializations, coverage, and data quality.

Develop an Integration Plan: Create a plan for integrating multiple data sources into your existing TPRM platform or processes.

Establish Data Governance: Implement strong data governance practices to ensure data quality, consistency, and security.

Train Your Team: Provide training to your compliance and risk management teams on how to effectively use and interpret data from multiple sources.

Monitor and Refine: Continuously monitor the effectiveness of your multi-provider strategy and refine it as needed.

Conclusion

As the complexity of third-party relationships continues to grow, using multiple third-party data providers is indeed becoming the new normal in TPRM. This approach offers a more comprehensive, accurate, and dynamic view of third-party risks, enabling organizations to make better-informed decisions and more effectively mitigate potential threats.

While challenges exist in implementing a multi-provider strategy, the benefits far outweigh the drawbacks. By leveraging a centralized platform to integrate and analyze data from various specialized sources, compliance professionals can create a robust TPRM program that adapts to the evolving risk landscape and meets the demands of today's complex business environment.

As we move forward, the ability to effectively harness and synthesize data from multiple providers will become a key differentiator in TPRM effectiveness. Organizations that embrace this new normal will be better positioned to navigate the complexities of global business relationships and maintain a competitive edge in risk management and compliance.