Third-Party Risk Management for a Crypto-Ready Financial Sector
January 16, 2026
Financial services firms today face the challenge of balancing opportunity and innovation with the security controls and oversight necessary to maintain consumer and stakeholder trust, while building cybersecurity resilience and mitigating financial crime in an evolving threat landscape.
These dynamics are becoming more layered as traditional financial institutions blend their services with those of digital asset firms. Collaboration between established organizations and crypto-native companies is being accelerated by support from the current U.S. administration and its work to make America the “crypto capital of the world.” [1]
While integration between traditional finance and decentralized finance brings opportunity, it may also create new third-party cybersecurity risks, as financial services firms increasingly approve vendors, partners and fintechs as part of their digital ecosystems. This expands their attack surface and may give threat actors numerous access points to exploit. In turn, financial services firms must conduct thorough diligence on their formally contracted third parties and affiliates, understand the corresponding risks, and determine what their third-party risk management programs should include.
How Well Are Approved Third Parties Known?
Third-party risk management, historically a function focused on process and documentation compliance, is receiving fresh scrutiny in many organizations. A range of macro factors have amplified third-party risk, including growing cyber threats, data privacy exposures, supply chain disruptions, geopolitical instability, high inflation and cloud outages. Technology incidents impacting a wide range of customers continue to occur, disrupting business and causing reputational damage.
Finding the balance between protecting the firm and maintaining common-sense controls that bring the right degree of scrutiny and diligence is often more complex and onerous to implement than expected. Further, reporting on these risks rarely gives the board and senior management a full picture of the state of play.
One-size-fits-all solutions are not effective, and a high degree of tailoring is necessary to implement a program that properly measures and manages each entity’s specific third-party risk profile. Thoroughly understanding the businesses, broader risk management capabilities and the range of exposures across approved third parties, especially those related to embedding crypto offerings into the traditional value chain, before integrating or refining a third-party risk program is essential. This will help with improving the operating model across processes, including due diligence and onboarding, ongoing monitoring, contract negotiation, reporting and termination.
Third-Party Risks
Integrating third-party risk measurements and control environments with the organization’s other risk policies is essential. When it comes to cryptocurrency, organizations should also apply the industry-specific standards and best practices that address the unique characteristics and classifications of digital assets. When integrating or formally partnering with a cryptocurrency firm, even where a mature risk management program is already in place, if the cryptocurrency company lacks its own set of policies and controls, its third-party risks can be inherited by the organization entering into the partnership agreement.
Enterprise risks commonly rooted in formally contracted third-party relationships include:
- Information security and data leakage risk: Cyberattacks on formally contracted third parties (or on their own third parties), as well as the deliberate disclosure of private information by a third-party employee.
- Financial crime and consumer protection risk: Bad actors attempting money laundering, fraudulent schemes, and identity theft that expose users, companies, and the financial system.
- Technology efficiency and effectiveness risk: Failures, outages or delays in the production or development of technology infrastructure caused by a third-party failure.
- Strategic and reputational risk: The possibility that the vendor’s strategic objectives no longer align with those of the firm, or that a major reputational event at the vendor spills over onto the firm.
- Operational resilience risk: Outage of critical client-facing infrastructure resulting in lost revenue and reputational damage.
- Regulatory compliance risk: Failure to maintain compliance with regulatory requirements due to a performance failure by an approved third party. Also includes compliance with third-party regulatory expectations.
Elements of a Successful Program
Third-party risk management is inherently a moving target that must adapt to changes in the business. Designing and implementing a program that is effective, compliant and brings the right level of rigor requires a dedicated approach and strategy. When implementing or enhancing a program, key remediation actions to consider include:
Assess Formally Approved Vendors
- Conduct regular third-party risk assessments to ensure baseline security standards are met, according to specific industry best practices.
- Evaluate compliance practices.
- Review incident response plans to determine detection, containment and remediation capabilities.
- Assess access controls and data handling measures to identify how sensitive information is protected.
Refine Onboarding
- Refine enhanced due diligence processes to address key risk exposures.
- Reduce backlog of outstanding onboarding requests.
- Identify cases suitable for “fast track” onboarding.
- Refine contract evaluations and negotiations.
Manage Inventory
- Classify the vendor and other non-vendor third parties that have been approved as formal company affiliates into a custom taxonomy.
- Refine metadata.
- Monitor and track data in a structured process.
- Make inventory reporting fit for purpose and at the right granularity.
Administer the Program
- Refine process workflow documentation to meet audit expectations.
- Respond to specific regulatory feedback and articulate the program.
- Assess quality and integrity controls on the procurement function.
- Integrate across other risk programs (e.g., Enterprise Risk Management, Operational Risk Management, model risk).
Conclusion
While partnerships between traditional financial institutions and cryptocurrency and digital asset firms offer clear business benefits, they carry unique nuances that should be addressed through appropriate due diligence and oversight.
By following a process that involves identifying risks, remediating operating models and governance processes, aligning to industry standards for digital assets and managing regulatory examinations, risk management can be strengthened to mitigate threats while also aligning with the institution’s overall business strategy.
Footnote:
[1] “Fact Sheet: President Donald J. Trump Signs GENIUS Act into Law,” The White House (July 18, 2025).