Institutions have a lot to consider when assessing third party risk, but if vendor risk management has not taken the time to understand the inner workings of its third party vendors, it may be surprised to learn that those third parties operate much like the institution itself: they too use third party vendors.
These additional vendors in turn become the financial institution's fourth party vendors. The best way to think about this is that your process is made up of links, and each additional participant in the service you have outsourced opens your organization up to another layer of risk.
There are many examples of fourth party vendors, and they vary in the criticality and risk they present to you. The level of oversight will vary with that criticality, but foundational best practices will help you perform an initial risk assessment of these fourth parties and identify the types of risk they could present to you.
Fourth Party Vendor Oversight Examples
Consider the following company types:
- Appraisal Management Firms - Your direct third party vendor, the Appraisal Management Firm (AMC), leverages networks of individual fee appraisers. Your traditional oversight of the AMC is just the tip of the iceberg. Keep in mind that a regulator would not expect you to perform additional oversight on 10,000 appraisers who are registered with an AMC. They would expect you to understand how the AMC oversees and approves this vendor type at the operational level.
- Cleaning Companies - Depending on the organization, sub-contracted temporary employees are used and have direct physical access to your company. Do you operate a paperless environment? Are your shred bins always locked? How well do you know “Joe the friendly cleaner”? Why was Joe’s friend filling in for him? Was it due to sickness? Why is the new guy using Joe’s badge to access the office?
The above examples are clear, but with the increased use of technology in financial services companies there is great demand for IT outsourcing, and firms do leverage sub-contractors to fulfill many of the outsourced vendor risk management services.
Consideration must be given to the amount of access that any third party or fourth party vendor will be granted as part of the outsourcing agreement. There is overwhelming evidence that many data breaches are caused by third and fourth party vendors, and the level of mistrust regarding data breach notification increases significantly between the client and the fourth party.
The Biggest Issue with Fourth Parties
Out of sight, out of mind. Since the institution does not have a direct contract with a fourth party, risk and liability tend to be overlooked, and this is the potential weak link in many third party risk management programs.
Surely our third party is responsible for its own contractors, right? It is a fair question, but considering the limited representation and warranty relief that vendors provide to institutions, they are unlikely to be able to protect you from the fallout should something go wrong. We are big proponents of knowing your vendor, and in light of the importance of fourth party oversight, the internal vendor management team must drill down into more detail with both existing and potential new third party vendors.
How Do You Organize the Oversight?
- Review your existing vendor list.
- In your pre-contract due diligence assessment questionnaires, require the third party to disclose its vendor partnerships, along with clarification of whether these newly identified vendors will interact with your consumers or access your primary technology systems.
- Ask for your third party’s own vendor management policy along with control evidence. Does your direct vendor perform a sufficient, or any, level of oversight? If the response is No, this should be cause for concern. At the pre-contract stage it is a great catch, because you may have dodged a lightning bolt! However, if the same answer comes from an existing vendor relationship and you did not know that fourth parties were being leveraged for the outsourced service, you have some work to do. This points back to the priority of strong contractual language and of ensuring that you have assessed, scoped and set expectations with the potential new vendor.
Items to Request on Your Fourth Party Subcontractor Vendor
- Resume - Are they qualified to perform this function?
- Licensing - If required to perform this specific function
- References - Make sure to call them!
- Insurance Information - The certificate of insurance should be on file
- OFAC check - OFAC is the Office of Foreign Assets Control, a department of the U.S. Treasury that enforces economic and trade sanctions against countries and groups of individuals involved in terrorism, narcotics and other disreputable activities
- User Access Logs - Noting IP address capture and time stamps showing when the subcontractor accessed your network
- Any Risk-Based Assessment and Control Data - These are the documents showing that your third party vendor has performed this assessment on the fourth party. If the information cannot be shared due to confidentiality, request an attestation that the third party has conducted a level of oversight and review of the sub-contractor’s worthiness.
While this list is not exhaustive, it does provide a framework that you can include in your policy and program and gear specifically towards fourth party oversight. The key point to remember as you further develop your fourth party oversight practices is that you need to scale the oversight requirements to the criticality of the vendor (critical or non-critical to your operations) and to the type of data access they will be working with. There are many different types of fourth party vendors, and each presents a different type of risk that you need to be aware of and mitigate.
Want to know how to conduct vendor oversight on your other third and fourth party vendors? Download our infographic to learn how.