
When it comes to effective vendor management, financial institutions and fintechs must consider fourth-party risk

Feb 27, 2022

As the operational complexity of retail banking increases in support of today’s digital banking environment, many financial institutions have chosen to hire or partner with a growing number of fintech providers to meet the needs of their customers. While this approach enables institutions to provide key services and capabilities more quickly than in the past, it also increases institutions’ risk profiles — underscoring the importance of an effective vendor management program.

While financial institutions and fintechs are often familiar with best practices for evaluating third-party risk, what we’re seeing today is the need to extend that level of scrutiny one level deeper to include fourth-party risk.

What is fourth-party risk?

In simplest terms, fourth-party risk refers to the risk that is introduced when a third-party vendor subcontracts some part of their service to an additional vendor.

Depending on the particular service being subcontracted, it could mean that some critical portion of an institution’s operations is entrusted to a vendor that the institution may be completely unaware of. For some “low-risk” activities, this may be acceptable, but certainly not for any “high-risk” functions where financial information or non-public customer information is involved.

Some common situations where fourth-party vendors may be involved include: customer service/help desk functions, managed services, check processing and manual reviews, database cleanup, payroll, server co-location companies and outsourced printing of statements.

Community bank guidance

In 2021, the Federal Reserve, FDIC, and OCC published guidance for community banks on conducting due diligence on their fintech partners, focusing institutions’ attention toward vendors’ business experience and qualifications (e.g., financial condition, legal and regulatory compliance, risk management and controls, information security and operational resilience).

The guidance has implications for financial institutions — as well as fintechs — to follow in their management of third- and fourth-party risk.

For financial institutions:

  1. It’s key to articulate exactly where risk lies within operations. Clearly define “high” vs. “medium” vs. “low” risk services that are being supported by third-party vendors and use those determinations to prioritize your due diligence initiatives. Any activity that involves the processing of financial information or customer information, or that is integral to delivering banking services, should be prioritized as high risk.
  2. When evaluating potential fintech partners’ vendor management programs, particular attention and weight should be directed toward the fintech’s SOC reports/findings, business continuity plan and the company’s financials. Go beyond this to have a clear understanding of the fintech’s own use of third-party subcontractors and the due diligence that has been conducted on each of these as well.

For fintechs:

  1. Understand that the quality (or lack thereof) of your own due diligence and vendor management programs can have a direct impact on the reputation of your financial institution’s customers and investors.
  2. In a competitive situation, the quality of a fintech’s vendor management program can be the difference-maker in selection by an institution.
  3. It is advisable to have a clearly defined road map in place (especially for early-stage fintechs) that includes PCI compliance, ISO certification, SOC auditing and reporting, and cybersecurity and resilience testing.

Today, successful due diligence of third-party vendors includes vetting how those vendors manage their own third-party providers.

How Wipfli can help

To ensure that your organization is properly assessing fourth-party risk and that your vendor management program is effective, it’s important to work with a partner that understands all the levels of banking operations. Wipfli advisors have deep experience working closely with financial institutions of all sizes as well as the innovative technology companies that serve them. That depth of experience and industry perspective helps our clients succeed in the marketplace. Contact us to learn more.

Author(s)

Mike Morris, CISA
Principal