When Third-Party Vendors Mean Quadruple the Risk
Financial institutions outsource to be efficient. Whether it’s offering competitive products and services or making good use of staff resources, smart institutions weigh the costs and risks of using a third-party provider against the benefit to the institution.
But are you fully measuring those risks and costs? If your vendors are outsourcing, you may be underestimating your exposure to fourth-party vendors.
Fourth-party vendors go by a lot of names. Some companies call them providers. Others call them strategic partners. They can provide bill pay, mobile banking, core processing, legal or other services.
The problem arises when fourth-party vendors are critical service providers. They may not be your primary vendor, but should they face a critical failure, so will your institution. If there is a weakness in their data security or business continuity plan or if they break up with your primary vendor, it could wreak havoc on your institution.
Every vendor relationship has a cost of ownership, but when a vendor outsources to three or four critical vendors, it can triple or even quadruple those costs and risks. And there is a potential for greater liability when an institution doesn’t have a direct relationship with a vendor.
There are ways to limit fourth-party vendor risk. When considering vendors, ask them about outsourcing and have them disclose their vendors so you can consider the potential cost of managing these relationships when comparing prices and risk. Make sure you allow for the impact on these four key areas:
- Due diligence. Your institution should already be risk assessing and conducting due diligence on vendors, especially critical ones, as part of your vendor management program. But as Appendix J of the FFIEC IT Examination Handbook and guidance from the other agencies make clear, you are also responsible for due diligence on each one of your vendors’ critical vendors. That means every critical vendor your primary vendor uses adds more due diligence work—not just the upfront review but also the ongoing and annual monitoring of financials, test results, summary findings and evaluations. An institution can handle this in one of three ways. It can conduct its own independent due diligence for each critical fourth-party vendor. It can hire a firm to handle it (after conducting due diligence on that firm). Or it can decide to trust the primary vendor’s due diligence of its subcontractors. That decision may depend on whether the vendor uses a third-party audit firm and whether its financials are audited or unaudited. The vendor should have its own vendor management program. Regardless of approach, regulators will hold your institution responsible for any vendor failings.
- Multiple vendor agreements. In some cases, fourth-party vendors are subcontractors covered under your primary vendor’s agreement. But in the case of partnerships, you may have to sign and manage a contract with each individual vendor. One contract becomes four, meaning more time and resources devoted to contract management.
- Failed relationships. What happens if your vendor ends its relationship with a critical fourth-party vendor? Depending on the contract, you may find your institution awkwardly positioned between two vendors that are unhappy to be working together. Or you may find your institution unexpectedly starting over with a new subcontractor at an inopportune time—scrambling to conduct due diligence, move sensitive data and retrain staff. Even if your primary vendor has plans for a replacement, you’ll still have to review that new fourth-party vendor carefully to see if it’s a good match for your needs. The primary vendor may have something other than your best interests in mind when choosing a replacement.
- IT security. Your institution should know what each third- and fourth-party vendor is using for cybersecurity and when and how it is tested. The same is true for audited testing of continuity planning and incident response.
Also, be careful with contracts. Unless a contract specifically prohibits it, a vendor can transfer its rights and responsibilities to another vendor. Your contracts should include an assignment clause that requires notice and consent before a vendor outsources—giving you the ability to control fourth-party risk. Left unchecked, there’s the potential for exponential growth of fourth-party risk as each vendor relationship (and the costs that go with it) morphs into three, four or more subcontractors.
Outsourcing is meant to make your institution more efficient. Make sure you have a handle on fourth-party vendors before 3 critical vendors quadruple into 12.