Fourth-Party Risk: What Your Institution Has in Common with a Presidential Campaign
Presidential campaigns and financial institutions may seem miles apart in mission and operation, but there’s at least one area where both need to be concerned: vendor management.
This became apparent this week when Democratic candidate Michael Bloomberg drew bad press after it emerged that his campaign had used prison workers to make phone calls promoting his candidacy.
How did this happen? Poor vendor management.
The Bloomberg campaign hired a third-party call center vendor. The call center vendor outsourced work to a subcontractor. That subcontractor then outsourced to yet another subcontractor, which hired the prison workers, according to NPR.
Upon hearing the news from reporters, the Bloomberg campaign immediately ended the relationship and promised to make sure its vendors properly vetted their subcontractors going forward.
What is Fourth-Party Risk?
This is a classic example of fourth-party risk. Fourth-party risk is the risk created when a third-party vendor subcontracts part of its work to another vendor. That subcontractor may be just as critical to operations as the third-party vendor the financial institution (FI) originally contracted to provide the service.
Yet FIs are often unaware of these relationships and find themselves beholden to a vendor they have not vetted through proper due diligence. They don’t know who is responsible for critical activities, even though the FI will be held responsible for any action taken by that subcontractor on its behalf.
The Bloomberg campaign’s snafu is particularly complicated because it involves the subcontractor of a subcontractor. This is called fifth-party risk, or more generally Nth-party risk, where N counts how many parties removed from the institution the work has travelled.
How to Limit Fourth-Party Risk
Good vendor management is essential for limiting fourth-party and Nth-party risk. It lets the FI identify who is directly responsible for activities that pose compliance, reputational, operational, cyber or other risks, and what controls are in place to limit those risks.
Best practices for limiting fourth-party risk include:
Including an assignment clause in vendor contracts to track outsourcing. Vendors are generally free to subcontract to other parties unless the contract specifically prohibits it. That is why assignment clauses are important elements of critical vendor contracts. The clause should require your third-party vendor to give you notice and obtain your consent before subcontracting to another vendor, so that your FI always knows who is working on its behalf. The assignment section can also set minimum standards for any subcontractor, such as business continuity plans, data security, incident response, and similar provisions.
Conducting proper due diligence. An assignment clause is important, but isn’t worth much without vendor due diligence. Make sure your FI is provided with outsourcing information as promised and engage in due diligence to understand the risks and controls of fourth-party relationships. If you don’t trust your vendor’s oversight of subcontractors, you may need to engage in due diligence of fourth-party vendors yourself.
Reviewing the vendor’s SSAE 18 report to assess whether the third-party vendor practices good vendor management itself. Under the Statement on Standards for Attestation Engagements 18 (SSAE 18), a service organization must identify its subcontractors (subservice organizations), define the scope of the work each one performs and its responsibilities, and describe how it oversees them, including subcontractor performance reviews, audits, and ongoing monitoring. Reading this section of the report can give an FI confidence in its vendor’s vendor management, or show where it falls short.
Don’t get caught off guard by fourth-party risk. Make sure your vendor management program is designed to monitor and control the risk when third-party vendors outsource to others.