First, Second, Third, Fourth and Fifth Parties: How to Measure the Tiers of Risk
Everyone knows that third-party relationships introduce risk. But what about second parties, fourth parties and beyond?
Let’s take a quick look at first, second, third, fourth, and fifth parties to understand who they are and the potential risks they pose.
This is your institution, and it’s where it all begins. Risk comes in many forms: operational, transaction, financial, credit, strategic, compliance, reputation, concentration, and cyber, among others. Every decision your institution makes has the potential to introduce risk from big picture moves like a change in strategy or a new business line to smaller details like new disclosures.
First-party risk is best handled with enterprise risk management (ERM). ERM is the unified systems, processes, culture, and approach your institution uses to manage risk. It ensures that risk management isn’t a solo activity but one that links your institution’s mission, vision, and values with strategy and decision making to ensure that the amount and types of risk your institution takes on is commensurate with its risk appetite. It makes sure risks are identified, measured, monitored, and mitigated.
These are your customers or members. While much of risk management is dedicated to protecting customers and their data, it’s important to remember that customers can pose risks too.
For example, Bank Secrecy Act/Anti-Money Laundering (BSA/AML) rules are designed to weed out customers that use the financial system for nefarious purposes. FinCEN’s new customer due diligence (CDD) rules requiring the establishment of beneficial ownership for business relationships were developed for the same reasons. While most customers are just going about their business, those who use the banking system for criminal activities create extra work and compliance risk.
There’s the risk that customers won’t pay back loans or might sue the institution. Customers also introduce security risks, particularly when it comes to online and mobile banking. Customers may not have the latest security safeguards on devices, making it easier for hackers to gain access to the bank’s systems or impersonate customers.
It’s important to recognize these risks and put safeguards in place to properly manage and mitigate them.
When your institution outsources an activity to some other provider, that institution is a third-party provider. This includes everyone from your landscaper to your technology service provider.
Whether you handle an activity or you outsource it to a third-party vendor, your institution is responsible for the outcome just the same. That means it’s essential to identify critical vendors or high-risk vendors. These are vendors involved in critical activities that could have a major impact on operations such as payments or IT.
Regulators provide detailed guidance on monitoring these relationships, including understanding how the vendor relationship fits into the institution’s overall strategic plan, vendor due diligence, contract negotiation, ongoing monitoring, and termination. Financial institutions are expected to know what vendors are doing, how they are doing it, and what steps they are taking to remain compliant with all laws, regulations, policies and procedures. That makes vendor management an essential element of any ERM system.
Your institution outsources functions and your vendors probably do too. A fourth-party is someone your vendor outsources to. Fourth-party vendors go by a lot of names. Some companies call them providers. Others call them strategic partners. They can provide bill pay, mobile banking, core processing, legal or other services.
Your institution isn’t just responsible for what your vendor does. It’s also responsible for the activities of its third-party vendors (aka fourth-party vendors). The more critical third-party vendors your vendor has, the greater the costs and risks of vendor management.
There are ways to limit fourth-party vendor risk. When considering vendors, ask them about outsourcing and have them disclose their vendors so you can consider the potential cost of managing these relationships when comparing prices and risk. Due diligence on these vendors is a must. That includes everything from financials and test results to cyber security and business continuity planning.
Unless a contract specifically prohibits it, a vendor can transfer its rights and responsibilities to another vendor. Your contracts should require an assignment clause that provides notice and consent before a vendor outsources—giving you the ability to control fourth-party risk.
The good news is that fourth party risk got a little simpler with the Statement on Standards for Attestation Engagements 18 (SSAE 18) that came out last year. The SSAE 18 contains a vendor management element that requires a vendor to define the scope and responsibilities of each third-party vendor it uses, and addresses performance reviews, audits, and monitoring. Third-party vendors that can provide SSAE 18 make fourth party risk management simpler.
This is where things can get extra convoluted. When your vendor’s vendor outsources, this is a fifth-party. (It doesn’t necessarily even stop here as that vendor can outsource to yet another vendor creating a sixth, seventh, eighth-party and beyond.)
Once again, your institution is responsible for the actions these vendors take on your behalf. It’s important to know about any critical third-party vendors your vendors’ vendors are using to understand potential risks and to have strategies for mitigating them. The SSAE 18 is your ally in understanding these relationships. The alternative is following the chain of critical vendors, making vendor management onerous.
Now that you understand all the parties involved, make sure you have systems in place to manage the risks they present. With so many parties to track, don’t use a casual approach to management. It’s too risky.