You know that you’re overseeing your third-party vendors – but who is looking out for your vendors’ vendors (aka fourth-party vendors)?
That is the defining question of fourth-party risk, the risk that exists when your vendor outsources critical activities to other vendors.
Fourth-party risk is very common in banking and financial services. Vendors often outsource activities to improve efficiency, just like financial institutions do. It’s a necessary part of doing business, but it also poses operational, cybersecurity, compliance, and financial risks that need to be managed.
Financial institutions often ask: how closely do they need to manage their vendors’ vendors? After all, if they are responsible for their third-party vendors’ behavior, are they responsible for monitoring fourth-party vendors too? What about fifth-party or sixth-party vendors? And how does an institution even manage a party it doesn’t have a direct contractual relationship with? Where does it end?
Related: First, 2nd, 3rd, 4th, 5th Parties: How to Measure the Tiers of Risk
The good news is that the Interagency Guidance on Third-Party Relationships: Risk Management, released in June 2023, has definitively answered that question.
What Regulators Say About Fourth-Party Risk
What does the guidance say? In short, it says financial institutions don’t have to go down a rabbit hole following up on vendors’ vendors – but they need to ensure their vendors have strong vendor management programs and are successfully managing their own third-party risk. Financial institutions also need their own strong vendor management programs.
That’s great news for financial institutions, which don’t necessarily have the resources – or even the ability – to evaluate their vendors’ vendors.
There are two key regulatory expectations:
1. Your institution’s vendors should be contractually obligated to inform your institution if they are subcontracting a critical function to a vendor – or if that vendor changes. Good vendor management requires good contract management, and that includes negotiating contracts that ensure your institution is aware of key partners, especially if they are foreign-based.
2. Evaluate the strength of critical and high-risk vendors’ vendor management programs. Do they perform due diligence on their vendors? Do they have a robust third-party risk management program? How do you know?
Again, the answer here begins with contract management. You want to ensure that third-party vendor contracts include provisions that guarantee access to information about your vendor’s third-party vendor management program.
One of the best tools for assessing a vendor’s vendor management program is its SOC 2 report. The standards used to assess vendor management (SSAE 18) in this report are similar to banking guidance and cover areas like scope (including contract management), critical vendors, performance review, audit processes, monitoring, and complaint management.
Related: Inside the New SSAE 18: Vendor Management Changes
Lacking consistent vendor monitoring, especially cyber monitoring, many banks expose themselves to unexpected third- and fourth-party risks. Financial institutions that invest in high-quality vendor management programs proactively manage risk and are better poised to take advantage of revenue growth opportunities from third-party partnerships.
Make sure both your institution and your vendors have effective vendor management programs.