When Third-Party Vendors Mean Quadruple the Risk

Michael Berman

3 min read

Jun 10, 2016

Financial institutions outsource to be efficient. Whether it’s offering competitive products and services or making good use of staff resources, smart institutions weigh the costs and risks of using a third-party provider against the benefit to the institution.

But are you fully measuring those risks and costs? If your vendors are outsourcing, you may be underestimating your exposure to fourth-party vendors.

Fourth-party vendors go by a lot of names. Some companies call them providers. Others call them strategic partners. They can provide bill pay, mobile banking, core processing, legal or other services.

The problem arises when fourth-party vendors are critical service providers. They may not be your primary vendor, but should they face a critical failure, so will your institution. If there is a weakness in their data security or business continuity plan or if they break up with your primary vendor, it could wreak havoc on your institution.

Every vendor relationship has a cost of ownership, but when a vendor outsources to three or four critical vendors, it can triple or even quadruple those costs and risks. And there is a potential for greater liability when an institution doesn’t have a direct relationship with a vendor.

There are ways to limit fourth-party vendor risk. When considering vendors, ask them about outsourcing and have them disclose their vendors so you can consider the potential cost of managing these relationships when comparing prices and risk. Make sure you allow for the impact on these four key areas:

Due diligence. Your institution should already be risk assessing and conducting due diligence on vendors, especially critical ones, as part of your vendor management program. But as Appendix J of the FFIEC IT Examination Handbook and guidance from the other agencies make clear, you are also responsible for due diligence on each of one your vendors’ critical vendors. That means for every critical vendor your primary vendor uses, the more due diligence is needed—not just the upfront work but also the ongoing and annual monitoring of financials, test results, summary findings and evaluations. An institution can handle this in one of three ways. It can conduct its own independent due diligence for each critical fourth-party vendor. It can hire a firm to handle it (after conducting due diligence on that firm.) Or it can decide to trust the primary vendor’s due diligence of subcontractors. That decision may depend on whether the vendor uses a third-party audit firm and whether financials are audited or unaudited. The vendor should have its own vendor management program. Regardless of approach, regulators will hold your institution responsible for any of vendor failings.
Multiple vendor agreements. In some cases, fourth-party vendors are subcontractors covered under your primary vendor’s agreement. But in the case of partnerships, you may have to sign and manage a contract with each individual vendor. One contract becomes four, meaning more time and resources devoted to contract management.
Failed relationships. What happens if your vendor ends its relationship with a critical fourth-party vendor? Depending on the contract, you may find your institution awkwardly positioned between two vendors that are unhappy to be working together. Or you may find your institution unexpectedly starting over with a new subcontractor at an inopportune time—scrambling to conduct due diligence, move sensitive data and retrain staff. Even if your primary vendor has plans for a replacement, you’ll still have to review that new fourth-party vendor carefully to see if it’s a good a match for your needs. The primary vendor may have something other than your best interests in mind when choosing a replacement.
IT security. Your institution should know what each third- and fourth-party vendor is using for cybersecurity and when and how it is tested. The same is true for audited testing of continuity planning and incident response.

Also, be careful with contracts. Unless a contract specifically prohibits it, a vendor can transfer its rights and responsibilities to another vendor. Your contracts should require an assignment clause that provides notice and consent before a vendor outsources—giving you the ability to control fourth-party risk. Left unchecked, there’s the potential for exponential growth of fourth-party risk as each vendor relationship (and the costs that go with it) morph into three, four or more subcontractors.

Outsourcing is meant to make your institution more efficient. Make sure you have a handle on fourth-party vendors before 3 critical vendors quadruple into 12.

Subscribe to the Nsight Blog

All Topics Risk & Compliance Product Insight Banks Lending Compliance Credit Unions Risk Management Fair Lending Nfairlending Cluster: Risk Management Compliance Lending Compliance Management Integrated Risk Blog Nrisk Regulatory Compliance Management News & Updates HMDA Risk Mortgage Lenders Ncomply Vendor Management Business Resiliency CRA Lending Compliance Blog Vendor CFPB Ncontinuity Third-Party Vendor Management Business Continuity Cybersecurity Fintech NVendor Strategic Planning Ncyber Ntransmittal Audits & Findings Company Culture OCC Regulatory Updates Audit Nverify Regulatory Compliance Exams FDIC Compliance Management Findings Nfindings NCUA Contract Management Employee Intranet Contract FRB Business Continuity Management FFIEC Findings Management Ncontracts manager Third-Party Vendors Vendor Risk Enterprise Risk Management ABA Bank Access Control Audit Findings Board Portal Call Report Due Diligence Efficiency Employee Engagement Exam findings FIEC Inc. 5000 Internal Audit Management Nboardportal Verify Wealth Management

Solutions

Risk Solutions

Vendor Solutions

Compliance Solutions

Lending Compliance

Risk Performance Management

Software Solutions

Risk Management Software

Vendor Management Software

Compliance Management Software

Continuity Management Software

Fair Lending Compliance Software

Findings Management Software

Audit Management Software

Cybersecurity Assessment Software

1071 Compliance Software

Employee Network/Intranet Software

Accredited Certification Program

Banks

Credit Unions

Mortgage Lenders

Fintech

Wealth Management

Nsight Blog

Webinars

Ncast Podcast

Regulatory Pulse

Events

Nsider Community

Dig into our Nstitute Certified Vendor Management Professional Training!

Featured Resources

Webinar: What Does Resilience Look Like?

Regulatory Pulse March 2024

Webinar: The Future of Risk Management

9 Fair Lending Compliance Training Essentials

Podcast: Succeeding All Together, Banking and Company Intranets

Book: The Upside of Risk

Resource Hub

About Us

News

Leadership

Partnerships

Join the Team

Ncontracts Highlights

Ncontracts Launches Nstitute & the Certified Vendor Management Professional (NCVMP) Certification

Ncontracts named Top Workplace for Third Consecutive Year in 2023

Ncontracts and CBANC Release New Report

Event: Ngage 2023 Nashville

When Third-Party Vendors Mean Quadruple the Risk

Subscribe to the Nsight Blog

Share this

You May Also Like

Are Your Third-Party Vendors Protecting the Rights of Servicemembers?

Third-Party Vendor Breach Costs Texas Credit Union

Documentation is Key: Takeaways from the OCC’s Third-Party Vendor Risk Management Procedures