Banks, especially small ones, cannot afford to gloss over the risk that extends through the supply chain of their vendors.
“Community banks are essentially a collection of third-party technology contracts with customer service reps and lenders stacked on top,” said Bob Koncerak, the chief operating officer of the $498 million-asset American Commerce Bank. “The only delivery channel that my bank truly owns is the little piece of real estate in front of our teller windows.”
The question of fourth-party risk, or that posed by a bank’s vendors’ vendors, has become more pressing over time as these relationships become increasingly complex and regulators have scrutinized the practice of risk management, most recently in interagency guidance released in June that focused on third-party partnerships.
The dangers of neglecting third-party due diligence were laid bare in compliance failures by Comerica Bank and American Express National Bank, as two recent examples. The Office of the Comptroller of the Currency penalized American Express with a $15 million fine in July, partly because it did not ensure that its affiliate implemented adequate call-monitoring controls and mechanisms for tracking customer complaints. Comerica has faced investigations and litigation stemming from its compliance failures while operating the Direct Express program. The bank was penalized for allowing fraud disputes and data on Direct Express cardholders to be handled out of a vendor’s office in Lahore, Pakistan.
But the threat of fourth parties lurks deeper in the background.
“The web of relationships is getting more complex, but the expectation is that banks and other companies will be liable for everything throughout the chain,” from cybersecurity to forced labor to environment, social and governance, or ESG, principles, said Josh Resnik, the president and chief operating officer of market intelligence company FiscalNote.
The fast pace of emerging technologies and increased focus from regulators means CCBank’s approach to fourth-party risk “has been evolving,” said Jory Norton, chief risk officer at the Provo, Utah-based bank. “Fourth-party risk has increasingly come on our radar in the last couple of years.”
The report released in June from the Federal Reserve, Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency on third-party relationships touches on the issue of subcontractors. The proposed guidance invited comment in the fall of 2021; the final report noted that many commenters were concerned about the potential challenges in conducting effective due diligence on subcontractors, perhaps because they lacked a relationship or leverage.
“The proposal took more of a firm stance on fourth-party risk management with the expectation that banks would conduct more direct oversight of their third parties’ vendors,” said Patrick Haggerty, a senior director at Klaros Group.
The final guidance, that banks should review their third parties’ risk management programs to ensure they meet their standards, “probably works scenarios where you have less ‘critical’ vendors,” said Haggerty. “But in a lot of the arrangements today you will have fourth parties or maybe even fifth parties who have critical roles with respect to customer-facing functions, whether they are handling disputes or customer service more generally, or performing fraud monitoring. These things are essential to managing the risk of the customer relationship and it’s not okay to insulate them.”
Banks “should not read the interagency guidance as giving a pass on this issue,” he added.
“The issue with fourth parties is you don’t know what will hit you until it does,” said Rafael DeLeon, senior vice president of industry engagement at the risk management and compliance software firm Ncontracts. “This is the sleeping giant.”
Financial institutions are addressing such risk in a variety of ways.
Haggerty has seen some banks establish direct contractual relationships with the critical providers in their supply chain where feasible. Others will insert language in their third-party contracts that requires these entities to hold their vendors to the same standards as the bank-vendor relationship, or require approval from the bank before hiring new vendors.
American Commerce in Bremen, Georgia, expects its high-risk or critical vendors (those that have access to customer-sensitive information or the ability to transmit across its IP addresses) to provide annual SOC [Systems and Organization Controls] audits, business continuity policies and disaster recovery plans to attest to their viability, as well as demonstrate that they are demanding the same from their vendor networks. (SOC relates to how companies secure and manage information.)
“The more we depend on a vendor to operate, the more we require such things as SOC audits, financial disclosure, insurance policies and service level agreements,” said Koncerak.
Fourth-party risks are particularly potent in banking-as-a-service relationships.
“We see the fourth party as presenting almost exactly the same risk as the third party,” said Tarah Herger, the division manager of CCBX, the BaaS division of Coastal Community Bank in Everett, Washington.
Coastal Community Bank has 22 fintechs that it supports in some form of BaaS.
“Most of the time in a banking-as-a-service model, the fourth parties are playing the same roles and providing the same services as a third party would, but the bank is one step removed,” she said. “The end customer is still the bank’s customer. If we have less oversight just because [a service] is a fourth party, we are increasing the bank’s risk.”
Coastal Community Bank’s fintech clients perform due diligence on their vendors, but the $3.5 billion-asset bank requires that audits, assessments and other documentation be turned over for the bank’s own review because it holds the fourth parties to the same standards it holds its third parties, Herger said. This includes areas such as security, privacy and compliance.
“We make sure that any risk accepted by the partner is acceptable to us as well,” she said. “Sometimes it’s not and we’ll go back and require additional controls to be put into place.”
CCBank also engages in banking-as-a-service, typically with lending products. The $716 million-asset bank requires that its third parties hold their vendors to the same standards of compliance that exist between them and CCBank, and will review their due diligence efforts accordingly. For key risk areas, which include anything that might have a dramatic impact on the liability, operational resilience or regulatory compliance of the bank, or that puts its data security at risk, CCBank may monitor the fourth party more directly. For significant third-party relationships, that could mean CCBank ensures that the bank has the contractual ability to appropriately monitor and audit all key risk areas, including critical fourth parties.
The bank has also recognized over time that regular checkups are important, because technology is rapidly changing.
“We have been evolving our program to have more of a regular cadence outside of the initial due diligence,” said Norton. “Having a stagnant approach of initial due diligence and saying we checked that box is not sufficient.”
Fourth-party risk assessments tend to be quite manual.
“Each vendor and each fourth party will have different types of documentation,” said Herger. “It takes a human to look and assess those risks and how they relate to the fintech and in turn to the bank.”
FiscalNote launched its RiskConnector software in June, which it built with a Fortune 100 U.S.-based financial institution. RiskConnector uses artificial intelligence to map an entity’s suppliers, vendors, investors and more, and flags potential hazards in the operations and supply chains, using data sources ranging from public filings to litigation to news reports.
Some of the banks interviewed use vendor management software that maintains information about third parties and lets them set reminders, such as when contracts are up for renewal.
“We’re continuing to try to find ways to innovate and automate and make that a less manual process,” said Norton. Koncerak is holding off on specialty software that addresses fourth-party risks for now.
The interagency guidance about third-party relationships didn’t change much for the processes of the three banks interviewed. Koncerak says the big part of risk management is knowing which questions to ask. Norton tasked several teams with doing a deep dive and reporting back with areas where the bank excelled and where there is room for improvement.
It did make a small difference for Coastal Community.
“It’s helped in that there is something written from a regulatory perspective of what the expectations of the bank are,” said Herger. “We got pushback early on from a lot of our partners saying they shouldn’t have to have such a robust program as we do as an established bank. We never backed down on our expectation that their program should be in line with ours, [but] this put us in a good position.”