What Is the Difference Between a Vendor and Third Party?

Jan 29, 2020 by Gordon Rudd, CISSP

I often hear the two terms vendor and third party vendor used as if they mean essentially the same thing. While this is commonly done, it’s a misconception, or perhaps a misrepresentation, to do so. There’s one key difference between a “vendor” and a “third party vendor”.

Vendor vs. Third Party Vendor vs. Fourth Party Vendor: What are the Differences?

A vendor is a company or entity that provides goods and services to you or your company. Any company or entity that provides goods or services to your organization is your vendor. Your organization is going to have several vendors.

A third party is a company or entity with whom you have a written agreement to provide a product or service on behalf of your organization to your customer, or on whom you rely for a product or service to maintain daily operations. Again, this is someone with whom you have a direct written agreement, and they’re providing goods or services directly to your customers.

Therefore, vendor is a broader term, used to identify virtually any company or entity providing goods or services to your organization. Third party vendor is a narrower term for a company or entity with a direct written contract with your organization to provide an outsourced product or service on your behalf to your customers.

Your fourth parties are your third parties’ third parties. Confused? So am I! Let’s try to clear it up. A fourth party vendor is defined as a company or entity with whom a third party vendor has a direct written contract to provide an outsourced product or service on behalf of the third party vendor’s organization. Therefore, you don’t have a written agreement with them, but your third party does.

Fourth parties are literally providing products or services to your customers, on your behalf, for one of your third parties. It’s important to understand who your fourth parties and their vendors are (your fifth parties, your sixth parties, et al) as you’re always going to be responsible for your vendors’ vendors. If your fourth parties are critical to your operations and/or if these vendors have access to sensitive or confidential information, it makes it even more important for you to know exactly what these vendors are doing and how they’re doing it.

Examples of a Vendor

Here are some examples of companies or entities who are likely categorized under the term vendor:

  • Landscaping company
  • Telephone provider
  • Shred company
  • Core system provider (hosted by your fourth party)

Examples of a Third Party Vendor

Here are some examples of companies or entities who are likely categorized under the term third party vendor:

  • Short- and long-term contractors
  • Call center provider
  • Mortgage processor
  • Text banking service provider
  • Core system provider (hosted by you)

Some of these could be on both lists. However, you may be noticing that I put your organization’s core system provider under “third party” and also categorized it as a “vendor”. Are you scratching your head? This is a prime example of why vendor and third party are often used interchangeably. Your core system provider is more than likely a company you have a direct contract with, and they may be providing services directly to your customer base on your behalf. If they are providing services directly to your customers, they’re technically your third party vendor and also may be categorized as a vendor depending upon how the software is hosted and supported.

It seems complex, but if you break it down, it makes a lot more sense. Remember, a vendor can be any company or entity providing goods or services directly to your organization – so a fourth party vendor is categorized as a “vendor”. A third party vendor is a company or entity you have a direct agreement with, for the provision of goods or services, and the vendor is delivering the goods or services directly to your customers on your organization’s behalf.

Given the distinctions made above, it’s easy to see how the two terms could get misused and even abused. However, the one key difference is this: your organization has a direct agreement with a third party vendor.

Remember, regardless of whether it’s a vendor or third party vendor, it’s the risk you’re managing. Normally, any company or entity providing goods or services directly to your customers poses an increased risk to your organization and, therefore, deserves increased scrutiny.

Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
