A discussion with Alan Nagel, CEO and founder of KYP, where Alan explores how continuous, change-driven monitoring, behavioural analytics, and graph-based techniques can strengthen supplier resilience and financial crime defences.
The discussion covers post-pandemic supply-chain complexity, regulatory expectations, AI-enabled fraud, API/open-banking risks, cultural and organisational barriers, and the imperative to move from periodic checks to real-time, auditable oversight.
Key Takeaways
- Continuous monitoring of counterparties is essential; static, annual reviews are no longer sufficient given dynamic risk (e.g., director or jurisdiction changes).
- “Know Your Partner/Provider” extends KYC principles to suppliers and third/fourth parties, aligning with FCA operational resilience expectations.
- Post-pandemic outsourcing has multiplied exposure through complex, multi-tier supply chains; ultimate accountability remains with the customer-owning firm.
- Real-time, change-driven alerts (rather than periodic checkbox reviews) create actionable oversight and robust audit trails.
- Effective monitoring blends macro indicators (sanctions, beneficial ownership, addresses, credit scores) with micro signals (payments behaviour, website traffic, BIN patterns).
- Fraudsters move faster than corporates and regulators, exploiting APIs, AI, and organisational silos; resilience requires speed and adaptability.
- Graph-based link analysis is needed to connect related entities and uncover hidden relationships across supplier ecosystems.
- Financial resilience of suppliers is critical; over-reliance on a single provider can create systemic operational risk.
- Culture and training matter: staff must be empowered to challenge authority and unusual requests to counter social engineering.
- Large-enterprise inertia (lengthy buy-in cycles, stakeholder churn) slows preventative controls; startups can iterate faster.
- Open banking/API ecosystems expand the attack surface; banks have limited control over third-party connections once enabled.
- Regulatory scrutiny (e.g., FCA, gaming commission) and evidencing “what you said you would do” are increasing; auditability is as important as detection.
Innovation
- Change-triggered alerting with daily checks; notify only when risk or profile changes, supported by full audit logs.
- Fusion of behavioural telemetry (SEO/web traffic flows, BIN shifts, volumetrics) with traditional onboarding and credit/risk data.
- Graph databases to link directors, entities, and soft identifiers across networks to reveal concealed relationships.
- Layered risk frameworks with automated actions (e.g., shutdowns once risk thresholds are breached).
- Continuous dark-web, cybersecurity, and ransomware exposure checks integrated into supplier monitoring.
- Real-time sanctions and jurisdictional monitoring to capture mid-term relocations or ownership changes.
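The change-triggered alerting described in this list, sketched as an added example (not KYP's code or anything shown in the discussion): each daily check is written to a hash-chained audit log, but an alert is raised only when a watched field changes. The field names, supplier ID, snapshot values and the integer-percent risk score are assumptions; the 40% shutdown threshold is the one cited under Key Statistics.

```python
import hashlib
import json

SHUTDOWN_PCT = 40  # from the page: risk above 40% triggers shutdown
WATCHED = ("directors", "jurisdiction", "sanctioned", "credit_score", "risk_score")
SNAPSHOTS = [  # constructed daily snapshots of one supplier profile
    {"directors": ["A. Smith"], "jurisdiction": "GB", "sanctioned": False, "credit_score": 71, "risk_score": 12},
    {"directors": ["A. Smith"], "jurisdiction": "GB", "sanctioned": False, "credit_score": 71, "risk_score": 12},
    {"directors": ["B. Jones"], "jurisdiction": "GB", "sanctioned": False, "credit_score": 71, "risk_score": 25},
    {"directors": ["B. Jones"], "jurisdiction": "XX", "sanctioned": False, "credit_score": 40, "risk_score": 55},
]

def diff_profile(prev, curr):
    """Return {field: [old, new]} for watched fields whose value changed."""
    return {f: [prev.get(f), curr.get(f)] for f in WATCHED if prev.get(f) != curr.get(f)}

def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_audit(log, record):
    """Append a record chained to the previous entry's hash (tamper-evident)."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    log.append({"prev": prev_hash, "record": record, "hash": _digest(prev_hash, record)})

def verify_audit(log):
    """Recompute the chain; False if any entry was edited, removed or reordered."""
    prev_hash = "0" * 64
    for entry in log:
        if entry["prev"] != prev_hash or _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True

def daily_check(day, supplier, prev, curr, log):
    """Audit every check; return an alert only when the profile changed."""
    changes = diff_profile(prev, curr)
    action = "none"
    if changes:
        action = "shutdown" if curr["risk_score"] > SHUTDOWN_PCT else "alert"
    append_audit(log, {"day": day, "supplier": supplier, "changes": changes, "action": action})
    return {"supplier": supplier, "changes": changes, "action": action} if changes else None

def run(snapshots, supplier="ACME-SUPPLY"):  # hypothetical supplier ID
    log, alerts = [], []
    for day in range(1, len(snapshots)):
        alert = daily_check(day, supplier, snapshots[day - 1], snapshots[day], log)
        if alert:
            alerts.append(alert)
    return alerts, log
```

The unchanged day produces an audit entry but no alert, which is what lets a firm evidence that the check ran without flooding reviewers.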
Key Statistics
- Transaction-monitoring techniques in use for ~20 years were cited as insufficient for today’s business-risk context.
- KYP was founded “3 or 4 years ago.”
- Behavioural red flags can spike at “about 5:00 on a Friday” (e.g., sudden high-value goods sales).
- Operational thresholds discussed: checks over £500, £1,000, £2,000 per transaction.
- Risk-action thresholds referenced: <20% not strong enough; >40% triggers shutdown.
- A firm “transferred 20 million to a bank account via a Teams call” after voices were cloned.
- Another example cited a “24 million” Teams-call transfer scenario.
- An IoT fish-tank sensor incident led to “50 million” ransomware exposure.
- The SolarWinds case was referenced with “4 billion” in losses.
- A contract worth “50 million” was signed with a supplier that went out of business “two weeks later.”
- Monitoring cadence: daily checks (credit score, risk score, stakeholders) with alert-on-change.
- Scale risk: tier-one buyers now expect continuous third-/fourth-party monitoring and updates as part of contracts.
Key Discussion Points
- The shift from static onboarding and annual reviews to continuous, real-time supplier monitoring.
- Regulatory drivers (FCA, operational resilience) and reputational concerns (media exposure) elevating supply-chain transparency.
- Multi-layered outsourcing and the compounding risk of “suppliers’ suppliers.”
- Combining macro risk indicators with micro behavioural signals to detect subtle profile shifts.
- Exploitation of APIs and open banking as emerging vectors; limited bank control post-connection.
- AI-enabled deepfakes and social engineering (voice/video impersonation) as rising threats.
- Cyber exposure from overlooked entry points (e.g., IoT devices) and the need for holistic controls.
- Necessity of graph-based approaches to connect entities and identify hidden linkages.
- Enterprise change-management challenges: slow buy-in, project delays, and stakeholder churn.
- Cultural interventions and training to legitimise escalation and challenge of unusual requests.
- Evidence-based compliance: demonstrating that controls operated as stated, with audit logs.
- Financial robustness of suppliers as a core component of resilience planning.
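The graph-based link analysis mentioned above, as an added example (not KYP's implementation): suppliers and their identifiers form a bipartite graph, connected components group related suppliers, and a shortest path explains why two of them are linked. The supplier records, identifier kinds and values are constructed for illustration.

```python
from collections import defaultdict, deque

SUPPLIERS = {  # constructed records: directors plus "soft" identifiers
    "S1": {"director": ["J. Doe"], "address": ["1 High St"], "phone": ["0100"]},
    "S2": {"director": ["M. Roe"], "address": ["1 high st "], "phone": ["0200"]},
    "S3": {"director": ["M. Roe"], "address": ["9 Low Rd"], "phone": ["0300"]},
    "S4": {"director": ["K. Poe"], "address": ["5 Mid Ln"], "phone": ["0400"]},
}

def build_graph(suppliers):
    """Bipartite graph: supplier IDs <-> normalised (kind, value) identifier nodes."""
    graph = defaultdict(set)
    for sid, attrs in suppliers.items():
        for kind, values in attrs.items():
            for value in values:
                node = (kind, value.strip().lower())  # normalise before matching
                graph[sid].add(node)
                graph[node].add(sid)
    return graph

def link_path(graph, src, dst):
    """Breadth-first search: shortest chain of shared identifiers, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph[node], key=str):  # sorted for deterministic output
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def clusters(graph, suppliers):
    """Group suppliers that are connected through any chain of identifiers."""
    seen, groups = set(), []
    for sid in suppliers:
        if sid in seen:
            continue
        component = {other for other in suppliers if link_path(graph, sid, other)}
        seen |= component
        groups.append(sorted(component))
    return groups
```

S1 and S3 share no identifier directly; the link only appears through S2, which shares an address with one and a director with the other.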
