
What is a Third-Party Vendor?

Jul 17, 2023

A third-party vendor refers to any external organization that engages in business activities with your financial institution.  This includes everyone from your core provider and loan origination software to your outside counsel and the company that prints account statements.  

Third-party vendors go by other names: service providers, third-party technology providers (TPSPs), suppliers, affiliates, partners, etc.  

Outsourcing your financial institution’s activities to a third-party vendor offers many advantages, including access to the best and newest technologies, improved products and services, and a better experience for your customers.  

It also comes with increased risk. 

Third-Party Vendor Risk Management for Financial Institutions: What Can Go Wrong? 

Why is it important that your financial institution monitors third-party risk? It is necessary so that you don’t violate regulations and laws. 

Recently, the Consumer Financial Protection Bureau (CFPB) took enforcement action against ACI Worldwide, which provides real-time payment processing. ACI initiated roughly $2.3 billion in unlawful payments for half a million homeowners who were customers of the mortgage service provider Mr. Cooper.

Because ACI processed fraudulent and unauthorized payments, homeowners with mortgages serviced by Mr. Cooper were hit with overdraft fees from their banks, and the CFPB handed ACI a $25 million civil penalty.

Additionally, Mr. Cooper suffered significant reputational damage because of this. 

Is My Financial Institution Responsible for Managing Third-Party Vendor Risk?

Yes, your financial institution is on the hook should your third-party vendor fail to comply with laws and regulations. In employing a third party, you must ensure they have the operational resilience to recover from any service disruption. Assessing the vendor's uptime, your customers’ access to services, and the vendor's business continuity plans is necessary to mitigate potential risk.

Additionally, you need to assess and monitor transactional risk from service providers, which can falter because of the complexity of your vendor’s product, the speed at which they process transactions, human error, or some other factor.  

Guidance from the OCC, FDIC, Federal Reserve, and NCUA makes it clear that financial institutions should treat all third-party service providers as extensions of their own organization when it comes to risk management.

A financial institution’s use of third parties does not remove the need for sound risk management. On the contrary, the use of third parties, especially those using new technologies, may present elevated risks to the FI and its customers, according to guidance. 

The involvement of third parties does not eliminate or reduce a financial institution's obligation to ensure the execution of activities in a secure, compliant, and reliable manner. That includes safeguarding consumers from unfair lending practices, prohibiting unjust or abusive practices, and complying with BSA/AML. 

Besides the legal and regulatory liability financial institutions face when their third-party vendors fail to comply with laws and regulations, consumers also have expectations. Third-party vendor risk management for financial institutions also means protecting your organization from reputational risks. 

Protecting Your Financial Institution from Vendor Risk 

How do you protect your FI from risk? You need a vendor management program at each stage in the vendor lifecycle. 

  1. Planning – Thoroughly assess the risks posed by third-party vendor relationships. 
  2. Due Diligence – When choosing a third-party vendor, confirming an appropriate fit is critical. Remember that past vendor collaborations do not exempt you from ongoing due diligence or conducting due diligence for each new venture. 
  3. Contract Negotiation – Relationships with third parties necessitate contracts outlining the scope of activities and performance indicators. Even though most vendors offer a standard contract, these are designed to benefit the vendor. Your financial institution might opt to alter, supplement, and extend these agreements to protect against risk. 
  4. Monitoring – Regularly monitoring third-party vendors enables financial institutions to evaluate their internal controls and confirm they adhere to their contractual obligations. 
  5. Termination – Ensure your FI can terminate its relationship with a particular vendor for failing to comply with regulatory obligations.

Do Certain Third-Party Vendors Pose Greater Risks? 

Not every service provider poses the same risk exposure. 

The size of your service providers usually matters less than the specifics of your relationship and the criticality of their activities. The greater the access your vendors have to confidential and sensitive data, the greater your risk exposure, and the more due diligence you must perform in onboarding and monitoring vendors. 

According to the regulatory guidance, financial institutions must engage in more robust oversight with third-party relationships that support higher-risk or critical activities. 

Critical activities are defined as those that: 

  • Would cause a financial organization to face significant risk if a third party failed to deliver
  • Would have a significant impact on customers
  • Would have a major impact on your organization’s financial condition or operations

FIs can take a different approach to mitigate the risk posed by third-party relationships – some may focus on the vendor, while others may identify the activity. 

Whether your financial organization assesses risk by vendor or by activity, it is essential that you have a sound methodology and a comprehensive vendor management program.

What is Fourth-Party Vendor Risk?

Your financial institution outsources its activities to third parties, and so do your vendors. Your vendor’s vendors are called fourth-party vendors. Like third-party vendors, fourth-party vendors can go by many names – providers, strategic partners, etc. – and offer payment processing, mobile apps, and many other services. 

Your financial institution isn’t simply responsible for what your vendors do, but also for what your vendor’s vendors do. In short, the more vendors your vendors use, the greater the risk to your institution.

What about fifth-party risk? Or sixth-party risk? There is seemingly no end to the risks posed by third-party vendors and their vendors – or their vendor’s vendor’s vendors. 

Whether you handle an activity internally or outsource it, you’re responsible for managing and mitigating all the risks associated with your vendors and those associated with their vendors. 
