In today’s dynamic financial services industry, the concept of third-party risk management has been widely acknowledged and implemented. However, the increasing reliance on third parties, who in turn rely on further entities known as fourth parties, introduces additional complexities in managing risk.
Understanding and categorising fourth-party risks
Regulatory bodies mandate financial services organisations to thoroughly evaluate both the volume and type of activities outsourced to fourth parties, as well as the extent to which these third parties depend on fourth parties. This evaluation is crucial for organisations to effectively identify, assess, and manage risks posed by fourth parties. For further details on regulatory references to fourth-party risks, please refer to Table 1 below. The list of regulations is illustrative and not exhaustive.
A fourth party can be defined as any organisation engaged by a third party to provide services or products. A further distinction between types of fourth parties, i.e., subcontracting fourth parties and non-subcontracting fourth parties, helps organisations calibrate their efforts for fourth-party oversight and risk management.
Fourth-party risks may encompass data breaches, reputational damage, compliance issues, and operational failures, all of which are challenging to monitor and manage because the principal organisation has no direct relationship with the fourth party.
This blog explores the intricacies of fourth-party risk identification and management, underscoring the significance of understanding these risks to maintain regulatory compliance and operational resilience. These strategies are equally adaptable to sectors beyond financial services, as businesses are becoming increasingly dependent on the fourth-party ecosystem across sectors.
Strategies for fourth-party risk management
As suggested above, distinguishing between types of fourth parties helps organisations devise suitable strategies for fourth-party oversight and risk management; these are elaborated below:
Subcontracting fourth parties
- Permissibility of subcontractor relationships should be explicitly documented and agreed upon through a contract or an equivalent agreement between the principal organisation and the third party.
- The principal organisation should have processes to identify subcontractor relationships and assess the extent to which third-party obligations depend on fourth-party relationships. These may include, but are not limited to:
- Maintaining an inventory of subcontracting fourth parties
- Reviewing contracts between third parties and their respective subcontracting fourth parties for alignment with obligations towards the principal organisation
- Directly evaluating subcontracting fourth parties, subject to contractual allowances
- Mandating third parties to demonstrate due diligence and ongoing monitoring of subcontracting fourth parties
- Understanding interlinkages across the supply chain and the impact on the principal organisation’s critical business processes due to concentration risk.
Non-subcontracting fourth parties (also referred to as other fourth parties in the diagram above):
- The principal organisation should recognise the limitations in mandating third parties to disclose non-subcontracting fourth parties.
- The principal organisation should therefore derive assurance from assessing the key controls that determine the effectiveness of its third parties' own third-party risk management (TPRM) frameworks. At a minimum, but not limited to, these assessments should cover the following areas: third-party entity coverage, risk domain coverage, lifecycle processes for inherent risk assessment, due diligence, contracting, ongoing monitoring and termination, issue management, and overall TPRM governance and reporting.
Leveraging technology for enhanced fourth-party risk management
Technology can play a pivotal role in identifying and managing fourth-party risks effectively, as outlined below:
Table 1: Regulatory references to fourth-party risk (illustrative, not exhaustive)

| S.No | Regulation | Definition | Guidelines on managing fourth-party risk |
| --- | --- | --- | --- |
| 1 | EBA - European Banking Authority Guidelines on Outsourcing arrangements; Version: EBA/GL/2019/02; Date: 25 February 2019 [1] | A situation where the service provider under an outsourcing arrangement further transfers an outsourced function to another service provider. | 12.2, 13.1: Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should consider the risks associated with sub-outsourcing. Sub-outsourcing of critical or important functions (or part of them) should be in the scope of the risk assessment. |
| 2 | DORA - Digital Operational Resilience Act; Effective date: 27 December 2022; Implementation: 17 January 2025 [2] | An ICT third-party service provider or ICT intra-group service provider that provides ICT services to another ICT third-party service provider in the same ICT service supply chain. | Article 29: Financial entities shall weigh benefits and risks that may arise in connection with subcontracting, in the case of an ICT subcontractor established in a third country. Where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect. |
| 3 | Interagency Guidance on Third-Party Relationships: Risk Management; Date: 07 June 2023 [3] | An organisation that is engaged by the third party as a supplier or service provider. | An assessment is required of the third party's ability to identify, manage, and mitigate risks associated with subcontracting, including how the third party selects and oversees its subcontractors and ensures that its subcontractors implement effective controls. Other important considerations include whether additional risk is presented by the geographic location of a subcontractor or dependency on a single provider for multiple activities. |
| 4 | MAS - Monetary Authority of Singapore Notice 658 and Notice 1121 [4] | Banks and merchant banks must manage risks associated with outsourced relevant services, including subcontracting. | Banks must maintain an outsourcing register, perform due diligence on service providers and subcontractors, and include terms in outsourcing agreements that allow for audits of the service provider and its subcontractors. They must also ensure that subcontractors are assessed for risk and that customer information is protected. |
| 5 | PRA - Prudential Regulation Authority Outsourcing and Third-Party risk management; Version: SS2/21; Date: March 2021 [5] | A service provider may perform 'a process, a service or an activity which would otherwise be undertaken by the firm itself directly or by sub-outsourcing'. | 5.21, 9.3: The PRA expects firms to assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. In line with risk control and risk management, firms should, in a proportionate manner, assess the potential risks of all third-party arrangements, including outsourcing arrangements, to consider financial risks, including the potential need to support a material outsourced or sub-outsourced service provider in distress or take over its business, including because of an economic downturn. |
Conclusion: Strengthening financial services through comprehensive fourth-party risk management
The rising complexity in the web of third-party and fourth-party relationships necessitates a strategic approach to risk management within the financial services sector. Enhancing transparency, employing technology, and rigorously applying regulatory guidelines can help organisations navigate the nuanced landscape of fourth-party risks. Embracing these practices allows not only for compliance but also for safeguarding operational integrity and reputation in a connected world.
[1] Guidelines on outsourcing arrangements, European Banking Authority, 25 February 2019
[2] Digital Operational Resilience Act, European Union, 27 December 2022
[3] Interagency Guidance on Third-Party Relationships: Risk Management, Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency, 07 June 2023
[4] Notice 658 and Notice 1121 on Management of Outsourced Relevant Services, Monetary Authority of Singapore, 11 December 2023
[5] Outsourcing and Third-Party risk management, Prudential Regulation Authority, March 2021