Increased risks from technology, fourth-party vendors

Most third-party vendors present little risk to the bank. It might be the vendor that mows the lawn at the branches or provides office supplies. It’s only the vendors that have access to or manage bank data that reach a higher risk threshold and thereby warrant a higher level of vendor management and due diligence. Vendor management gets more complicated when a third party, or even a fourth party, has access to data.

Fourth-party vendors are vendors of third-party vendors. Typically, a bank has no contractual obligation with the fourth-party vendor and may not even be aware of its existence unless the third-party vendor discloses the relationship. Technology providers such as SaaS companies may regularly use fourth-party vendors to host data, provide integrations that move data, or perform other functions that are essential to the product’s usage.

Rafael DeLeon, senior vice president of industry engagement at Ncontracts, noted that, especially in the last five years, banks are partnering with fintechs at a rapid rate. “What makes managing these relationships more difficult is: Who are these companies, fintechs, or partners partnering with?” He also said that in the past banks would partner with existing and longstanding businesses. Now, they’re taking risks on startup fintechs that have good products and price points. But the evaluation of these vendors is different and banks need to pay close attention to the fourth-party relationships.

DeLeon also thinks that it’s easy for banks to assume that if they’ve evaluated a fintech vendor in the past year, not much has changed. “But if you really look at how much the company has grown and what type of acquisitions they did, that changes the whole risk spectrum,” he said.

Banks should be routinely identifying the level of risk associated with each vendor. High-risk vendors should be asked to provide a list of their critical vendors. Banks must also evaluate their third parties’ due diligence policies for partnerships and outsourced services that impact data. 

“If you’re not addressing risk, you’re creating risk,” DeLeon admonished. “You’re only as strong as your weakest link.”