When it comes to third-party risk management, managing fourth-party vendors—your vendor’s vendors—is tricky. You have no direct contract with them, and they aren’t obligated to respond to your due diligence requests. Still, you’re responsible for understanding and mitigating the risks they may introduce to your organization.
Regulators across the financial sector have acknowledged this challenge and made it clear that organizations must account for fourth-party risk as part of a strong third-party risk management (TPRM) program.
The Interagency Guidance on Third-Party Relationships: Risk Management (issued June 2023 by the OCC, Federal Reserve, and FDIC) explicitly addresses fourth-party oversight. It states that banks are responsible for understanding the risks associated with subcontractors and other downstream providers that their third parties rely on. As the guidance notes:
“This typically includes an assessment of the third party’s ability to identify, manage, and mitigate risks associated with subcontracting, including how the third party selects and oversees its subcontractors and ensures that its subcontractors implement effective controls.”
Other regulators reinforce this expectation:
- FINRA has highlighted the importance of understanding how broker-dealers’ third-party vendors manage their own subcontractors — particularly in the context of cybersecurity and data protection.
- The FFIEC’s Business Continuity Management booklet underscores that risk management should extend to all external dependencies supporting critical operations.
- The SEC, through its cybersecurity disclosure rules and risk management expectations, emphasizes the need for public companies and registrants to assess risks throughout their vendor ecosystems, including subcontractor access to data or critical systems.
Fourth-Party Risk Management Expectations
While you’re not expected to manage these fourth parties directly, you are expected to ensure your third parties are doing it effectively.
Here’s how to approach fourth-party risk management:
- Due diligence: Regulators expect financial services organizations to assess how their third parties manage downstream relationships. This means evaluating whether your vendor is performing due diligence on its own critical vendors, especially those involved in sensitive functions like cloud hosting, data storage, or customer communications.
- Contract clarity: Third-party contracts should clarify subcontracting terms. Can your vendor outsource services? If so, under what conditions? Look for contract language that requires transparency, notification of material changes, and, where appropriate, audit rights. These provisions help ensure you’re not blindsided by disruptions caused by a fourth party you didn’t know existed.
- Ongoing monitoring: You’re responsible for ensuring your third party continues to manage its own vendor relationships responsibly. This includes monitoring for potential issues in cybersecurity, data privacy, and operational resilience. For example, if your vendor’s cloud provider suffers a breach or outage, you need to know what contingency plans are in place.
Pro Tip: You’re not managing fourth parties — you’re managing how your third party manages them.
Focus your efforts where it matters most. If a fourth party plays a critical role — such as hosting the application your vendor delivers to you — it warrants greater scrutiny. You don’t need full visibility into every subcontractor, but you do need a clear view of the chain when it involves access to NPI, critical systems, or essential operations.
What can your organization do to stay protected from fourth-party risks?
The third-party due diligence process is a great place to start. Asking your third party questions about its fourth-party relationships reveals how it manages those fourth parties and what risks your organization faces as a result.
Let’s look at which fourth-party relationships should be identified and key questions to ask your third parties for fourth-party due diligence.
How to Determine Who Needs Fourth-Party Due Diligence
Identifying which fourth-party relationships need the most attention is challenging. The Statement on Standards for Attestation Engagements 18 (SSAE 18) requires your third parties to identify subservice organization controls in SOC reports, making SOC reports an invaluable tool for managing fourth-party risk.
Use SOC reports to understand the fourth parties involved in the product or service you’re contracting for. Remember: not every fourth party needs attention.
Focus on your critical third parties’ vendor relationships. One simple way to identify critical third-party relationships is asking whether you agree with any of these three statements:
- The third party’s failure to meet expectations would cause the organization to face significant risk
- The third party’s failure to meet expectations would have a significant impact on customers
- The third party’s failure to meet expectations would have a significant impact on the organization’s financial condition or operations
Third-Party Questions to Ask for Fourth-Party Due Diligence
To understand how well your vendor manages its own third-party relationships, ask targeted questions about their TPRM program during the third-party due diligence process. This not only sheds light on their overall risk management maturity — it also reveals how seriously they take fourth-party risk.
Don’t just take their word for it. Request supporting documentation like a list of their critical vendor inventory, completed inherent and vendor risk assessments, evidence of performance monitoring, and vendor issue tracking logs.
Here are questions to ask your third party for fourth-party due diligence and oversight:
- Do you have a TPRM manager? Review the resume, background, and level of experience of the employee managing third-party risks. Are they qualified?
- What is your TPRM policy? Consider how closely the policy follows regulatory requirements and best practices. It should also detail governance and oversight, roles and responsibilities, and basic TPRM processes. The lack of a TPRM policy is a red flag.
- Do subject matter experts (SMEs) review third-party documentation? Ask if the SMEs have the right knowledge, skills, and certifications in their respective risk domains. The third party may be able to provide a list of SMEs and their credentials and certifications.
- What is your issue management process? Consider how issues are identified and who’s responsible for tracking, managing, and monitoring issues.
- Have you had a TPRM audit or exam in the last year? Look at the results of the last TPRM audit or exam (whether internal or external) and whether any issues were discovered. If so, review the remediation status.
- Do you have a process to identify critical third parties? Review the percentage of the total third-party inventory that’s critical.
- What are your risk assessment processes and methodology? The third party should perform inherent risk assessments, have a questionnaire to review, and have a documented methodology for risk ratings.
- How often is the risk assessment updated? Best practice is to refresh the assessment at least every one to two years.
- What are your due diligence processes? Consider if the vendor performs risk-based due diligence. Review a standardized list of required due diligence documentation by risk domain if it’s available.
- What are your contracting processes? Is there a requirement for legal experts to review third-party contracts? Review a list of required terms and conditions for third-party contracts, if available.
- Do you reassess third-party risks periodically? If so, what’s the cadence?
- How do you monitor third-party risks? Ask which sources they rely on, such as news alerts, risk intelligence services, and industry news.
Although you don’t have a direct contract with fourth parties, they still expose your organization to risk. Asking questions during the due diligence process about your third party’s vendor risk management practices provides greater insight into how to mitigate the risks.