MANAGING FOURTH-PARTY RISK

R&C: Could you provide an overview of fourth-party relationships and risks?

Fedyuk: A fourth party is an independent entity that provides services to you on behalf of your third-party service provider – also known as your third party’s third party. A fourth party is also known as a subcontractor or sub-outsourcer. Fourth parties have not signed an agreement with your organisation, so they do not have a legally binding obligation to your business. Your third party itself may subcontract all or some obligations of their agreement to you to another service provider.

Matthews: Regulators such as the US Office of the Comptroller of Currency (OCC) expect institutions to ensure “ongoing monitoring of third-party relationships addresses: reliance on, exposure to, or quality of performance of subcontractors; location of subcontractors; and the ongoing monitoring and control testing of subcontractors”. These requirements are also reflected in other global guidance, such as that issued by the European Banking Authority (EBA). 

Dowie: A challenge to maintaining effective fourth-party risk management is that while you have a legally binding agreement with your third party, you have no direct commitment or contract with the fourth party. As a result, it can be very difficult for organisations to effect change, obtain information and oversee fourth-party entities if the overall relationship structure between an organisation and its third and fourth parties is not clearly documented at the onset of the relationship.

Jan-Mar 2020 Issue

KPMG

Join our free mailing list to read the full article