An interview with Stefan Moser, Head Group Compliance & OpRisk at VP Bank AG
Interview
What is currently the most significant challenge in bridging the gap between evolving regulatory frameworks and third-party risk execution?
The pace of regulatory change is outstripping operational implementation. For example, frameworks such as the EBA Guidelines on Outsourcing and DORA (Digital Operational Resilience Act in the EU) all place heightened emphasis on resilience, concentration risk, reporting and surveillance duties, etc. The challenge lies in timely and procedurally embedding these evolving standards into existing risk programs without disrupting business operations, particularly where legacy contracts and fragmented oversight structures or cross-border complexities exist.
In your view, how can compliance and procurement teams work more effectively to deliver aligned third-party governance?
Integration is key. Procurement tends to focus on cost and efficiency, while compliance is driven by regulatory adherence. Alignment can be achieved through defined ownership of processes and a harmonized end-to-end thinking. This results in a procurement process that already involves compliance and operational risk teams and requirements, harmonizing due diligence processes from the third-party risk management perspective, and embedding compliance checkpoints within procurement workflows. Clear accountability reinforces this collaboration.
What are some best practices you’ve adopted to manage regulatory expectations across different supervisory jurisdictions?
Consistency in baseline controls, with flexibility for local nuances. We maintain a centralized third-party risk framework aligned to global standards and then adapt for local rules such as MAS Guidelines (Singapore) or EU or Swiss requirements. Ongoing regulatory horizon scanning especially with regard to regulatory developments in the various locations ensures teams can implement a proactive compliance approach rather than reactive fixes and bring them to the ground before supervisory attention breaks in.
What areas are you looking at over the next 3–6 months in terms of investment for support with your third-party risk and compliance strategies?
We’re prioritizing:
- Automation and continuous monitoring tools to reduce manual assessments.
- Contract lifecycle management upgrades to embed necessary regulatory clauses (exit strategies, subcontracting, resilience testing) and stay up to date.
- Enhanced cyber and concentration risk analytics, given heightened scrutiny from various regulators.
How do you think participating in a peer-focused conference, like this one, helps bring clarity or new approaches to regulatory implementation?
Conferences provide benchmarking against peers and early insights into supervisory focus areas. Regulators often signal priorities informally—whether it’s fourth-party oversight, AI in procurement, or resilience testing under DORA. Hearing how others operationalize complex requirements helps refine our own frameworks and avoids reinventing the wheel. It also builds industry alignment, which regulators view positively when assessing proportionality and best practices, and in the end, getting a personal connection to people tasked with similar activities is always helpful on a personal level.