
What Are First, Second, Third, Fourth, Fifth, and Nth-Party Risks?

Apr 3, 2025

Risks can stem from many sources, including internal operations, customers, vendors, and the parties those vendors outsource to. Are you and your team members properly prepared to manage the risks that financial institutions (FIs) face today?

Let’s explore first, second, third, fourth, fifth, and nth parties and the risks they may pose to your FI.

Risk tiers

While not all risks are critical or high, FIs are responsible for addressing and mitigating the risks they face, whether they arise internally or externally.

Figure: risk type and risk source

  • First-party risk: These risks come from within an organization, including operational, financial, and compliance issues.
  • Second-party risk: This risk comes from customers or members. Regulations like the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) help identify risky customers.
  • Third-party risk: This refers to risks from third-party service providers or vendors that an organization relies on, ranging from landscaping services to critical technology support. The Interagency Guidance on Third-Party Relationships: Risk Management emphasizes that a “third-party relationship may exist despite a lack of a contract or remuneration.” In other words, any business arrangement with an outsourced party or vendor may present third-party risk.
  • Fourth-party risk: This risk develops when a primary vendor hires another vendor, known as a fourth-party vendor.
  • Fifth-party and nth-party risk: As your vendors have vendors, the risks can extend indefinitely, hence the term "nth parties" to describe this expanding web of vendors.

Related: Due Diligence Documentation: 9 Common Mistakes

Diving deeper: Managing a range of risks

First-party risk

From employee errors and system failures to inadequate internal controls and poor know-your-customer (KYC) procedures, FIs face many internal risks that require strong controls, oversight, and ongoing monitoring.

Integrated risk management (IRM) is ideal for first-party risks. IRM takes enterprise risk management (ERM) one step further by taking an institution-wide approach to risk. From employing data to understand risk trends to integrating risk management into assessing performance and strategy, IRM emphasizes a risk-aware culture that starts with the tone from the top and trickles down to identify, address, and mitigate risks throughout the organization. 

Related: GRC vs. ERM vs. IRM: Understanding Risk Management Frameworks

Second-party risk

While FIs should aim to serve their customers and members, it’s also crucial to remember that those customers present second-party risks. Customers who can’t or won’t pay back loans present credit risk. Second parties also create security risks in online and mobile banking: if customers do not have the latest security updates on their devices, attackers may find it easier to access the bank’s systems or to impersonate those customers.

Managing second-party risks is not only a best practice but also a regulatory requirement. For instance, FinCEN’s Customer Due Diligence (CDD) rule strengthened customer due diligence requirements for U.S. banks, mutual funds, securities brokers or dealers, and other parties to prevent bad actors from using FIs for money laundering and other illicit activities. To address second-party risk, ensure compliance with regulations and industry best practices related to BSA/AML and Customer Identification Program (CIP) requirements.

Related: Emerging Risks in the Securities Industry 2025

Third-party risk

According to a study from Prevalent, 61% of companies experienced a third-party data breach or cyber incident in 2023. Breaches have risen 49% year over year since 2021—a trend that highlights the importance of effective third-party risk management.

FIs remain responsible for the outcomes of third-party activities, which is why it's crucial to identify critical or high-risk vendors that could significantly impact operations—including those involved in card payment transactions, custody, and settlements. For example, about 60 credit unions experienced outages due to a ransomware attack against a third-party IT vendor in 2023. While the credit unions eventually recovered and brought their systems back online, customer data was compromised in the process.

Fortunately, more FIs are investing in third-party risk management (TPRM) programs than ever. According to the Ncontracts 2025 Third-Party Risk Management Survey, 85% of FIs use either a dedicated TPRM software platform or a module inside an enterprise risk management platform.

As your organization continues to navigate third-party relationships, look to enforcement actions and regulatory guidance. The Interagency Guidance offers a wealth of information to help FIs navigate the complexities of vendor management, including vendor due diligence, contract negotiation, ongoing monitoring, and, if necessary, termination.


Fourth-party risk

If your FI works with vendors, it's likely that many of those vendors also outsource their services. A fourth-party vendor is a vendor that one of your vendors partners with; such vendors are often called providers or strategic partners. Fourth-party vendors can offer services such as bill payment, mobile banking, and legal support.

Fourth-party risks have become common as FIs expand their vendor circles. According to a 2023 report from SecurityScorecard, 84% of FIs have been exposed to a fourth-party breach. In 2022, Capital One and 29 other institutions experienced a fourth-party data breach when more than 100 million individuals’ information—including credit card details—was stolen from the cloud platform, resulting in more than $270 million in compensation and regulatory fines.

Ask your vendors how they manage and mitigate fourth-party risk. Assessing the strength of a vendor's TPRM program is an essential part of due diligence, and program documentation should be maintained and reviewed for effectiveness. The Statement on Standards for Attestation Engagements 18 (SSAE 18) helps manage fourth-party risk by requiring vendors to define their third-party management processes and conduct performance reviews. Contracts should include an assignment clause so that your FI receives notice and must give consent before a vendor outsources, allowing your FI to manage fourth-party risk effectively.

Related: Managing Fourth-Party Risk: What You Need to Know

Fifth-party risk and beyond

A fifth party is a vendor's vendor that outsources further. This chain can continue indefinitely, creating additional tiers collectively called "nth parties." For example, the 2020 SolarWinds hack infiltrated thousands of customers, including federal agencies such as the U.S. Treasury Department, indirectly impacting financial institutions.

Once again, your FI is responsible for these vendors' actions on your behalf.

Related: TPRM 101: Top Third-Party Vendor Risks for Financial Institutions

Streamlining risk management with technology 

FIs face more risks from more sources than ever, underscoring the importance of automated risk management technology. As you revisit your institution’s IRM framework and vendor management program, consider how automated risk and compliance management systems and solutions can help you identify, manage, and monitor risks more effectively.

Not all risk management solutions are created equal. Learn what to look for when selecting a risk management system for your FI.
