Advanced supply chain assessment in electronic payment services with eTPC

Advanced supply chain assessment in e-payment services with eTPC

Challenge

An international operator of electronic payment processing services managed an extensive network of suppliers and third parties: issuers, acquirers, processors, technology providers, cloud services, support, cybersecurity, etc.

Its activity - online payment gateways, physical POS, mobile solutions and integration with payment brands such as Visa and Mastercard - is subject to a financial over-regulation and very demanding requirements of:

Information security and cybersecurity.
Service continuity and operational resilience.
Financial, technological and critical outsourcing compliance.

The assessment of the supply chain was carried out through a process of very manual and fragmentedThis model was not always easy to implement, with multiple questionnaires, exchanges of documentation and ad hoc reviews by different teams (risk, compliance, security, procurement). This model generated several problems:

Difficulty in maintaining a unified view of third party risk.
Complexity in justifying to regulators and branding schemes (e.g. international payment schemes) the adequacy of critical suppliers.
Time-consuming and unscalable processes as the business and number of suppliers grew.

Approach

ECIX Tech implemented the solution eTPC as a central platform for the supply chain assessment and certification of the payment operator.

The approach was structured along three lines:

Standard third party assessment model
- Definition of homogeneous risk criteria for suppliers according to their role in the payment chain (infrastructure, software, security, support, etc.).
- Design of evaluation forms and scenarios aligned with the regulatory requirements of the financial sector and the obligations of payment brands.
Process orchestration with eTPC
- Registration of all providers and service lines in eTPC, linking each one to their level of impact on business and/or business continuity.
- Automated submission of questionnaires, collection of evidence, and calculation of levels of reliability combining impact and evaluation results.
- Centralised management of associated contracts, their status and supplier performance evaluations.
Traceability and regulatory support
- Using the scoreboard eTPC to have a consolidated view of the assessment status of the entire supply chain.
- Ability to extract structured reports and evidence before internal audits, reviews by financial supervisors or international payment scheme requirements.

Results

With the implementation of eTPCthe payment operator succeeded in transforming its supplier management model into a process of structured, auditable and scalable:

Global and near real-time vision of the risk associated with suppliers participating in the payment chain, classified by criticality and impact on the business.
Standardisation of third party assessmentapplying the same criteria and compliance thresholds to suppliers from different countries, technologies and languages.
Significant reduction of manual workloadby automating the request for information, the collection of evidence and the calculation of reliability levels.
Strengthening the responsiveness to supervisors and payment schemesThe supply chain risk is assessed, classified and managed by having clear evidence of how supply chain risk is assessed, classified and managed.

In short, the combination of ECIX Tech's regulatory knowledge and the technology of eTPC allowed the international operator to consolidate a model of third party risk management aligned with hyper-regulation of the financial sectorThe new system will be able to provide the agility required by a global payments business.