Do You Need to Manage Fourth-Party Risk?

You’re a pro at managing third-party risk, but how do you deal with fourth-party risk? Your vendors are likely farming out critical activities to other vendors.

It’s all a part of ordinary business operations. Just as you want to maximize efficiencies, so do your vendors. However, your vendors’ contracts with fourth parties introduce additional operational, financial, cybersecurity and compliance risks for your financial institution.

Financial institutions often wonder how closely they need to monitor fourth-party risk. What are the regulatory expectations? How far down the ladder does it go? Do you need to evaluate fifth-party and sixth-party vendors?

Thankfully, the recent Interagency Guidance on Third-Party Relationships: Risk Management answers these questions.

What the regulators expect from fourth-party risk management

Financial institutions are responsible for having a strong vendor management program – and a large part of having a robust vendor management program is ensuring that your vendors have one as well. Regulators don’t expect you to follow up with all your vendors’ vendors. They expect you to ensure your vendors are properly managing vendor risk.

The role of contract management in managing fourth-party risk

Contract provisions play a vital role in managing fourth-party risk. As a financial institution, you need access to information about your vendor’s third-party risk management (TPRM) program.

Regulators expect two essential items to be included in contracts with third-party vendors to ensure their vendor oversight is sufficient.

First, as part of planning and vendor due diligence, your contracts must stipulate that vendors inform your financial institution if they outsource a critical function to a third party. Second, your contracts must require vendors to inform you when they change critical vendors. The essence of quality vendor management begins with quality contract management. You should also evaluate the strength of critical vendors’ TPRM programs. How do they perform due diligence on third parties? How strong is their vendor monitoring program? Do they have foreign-based third-party vendors that pose additional compliance risks? How do they manage these relationships?

Regulators have recognized that for financial institutions, it would be nearly impossible to manage fourth parties themselves. They don’t have a direct contractual relationship with these parties and lack leverage over them.

At the same time, financial institutions have the power to demand that their vendors control this risk in the contract process. You should focus on evaluating your vendors’ third-party risk management policies and processes and not on managing fourth-party risk directly.

SOC 2 reports and fourth-party risk

One of the best tools in your arsenal for evaluating your vendors' TPRM program is their SOC 2 report. SSAE 18 audits offer the following insight into your vendors’ vendors:

Scope: SSAE 18 mandates that a vendor clearly outline the roles and duties of every third-party vendor it engages. This includes detailing the significance of each vendor, pinpointing critical vendors and assessing their dependability through service-level agreements (SLAs), contractual terms, warranties and guarantees.

Performance Review: Vendors need to evaluate the performance of their third parties. This can be achieved by verifying the accuracy of output reports, conducting on-site inspections and using questionnaires. It is crucial to keep a record of each measure – if it’s not documented, it didn’t happen.

Audit Evaluation: Vendors must establish a procedure for examining their third-party vendors' audits and SSAE reports and communicate these findings to management. It is particularly vital to assess how the vendor addresses issues identified in these reports, as this provides insight into the reliability and effectiveness of their vendors.

Monitoring: It is essential for a vendor to scrutinize customer complaints, reports from regulatory agencies and information concerning financial status, legal disputes, shifts in key personnel and other relevant data. Vigilant monitoring is necessary to identify any significant issues.

Final thoughts

Without regular vendor oversight, particularly in cyber monitoring, banks leave themselves vulnerable to unforeseen third- and fourth-party risks. Financial institutions that allocate resources to top-tier vendor management programs actively mitigate risk and position themselves to capitalize on growth opportunities from third-party collaborations. Both your institution and vendors must have robust TPRM programs in place.


Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management and compliance solutions. His extensive background in working at Regtech and Fintech firms on legal and regulatory matters has afforded him unique insights into solving operational risk management challenges and drives Ncontracts’ mission to efficiently and effectively manage operational risk. Mr. Berman is a subject matter expert on Regtech, with notable presentations including featured speaker appearances at the American Bankers Association, the Independent Community Bankers of America and numerous state association conferences; he is the well-regarded host of a monthly webinar series with up to 800 registrants and a published author in national and regional banking publications, including as a regular contributor to ABA Bank Compliance magazine. He is the author of a book about strategic risk management, The Upside of Risk: Transforming Complex Burdens into Strategic Advantages for Financial Institutions, which is available on Amazon. Michael received his undergraduate degree from Cornell University and holds a J.D. degree from the University of Tennessee.