The US Office of the Comptroller of the Currency has no plans to offer further guidance on the way firms manage the risk posed by their vendors’ vendors, despite concerns around so-called fourth-party risk.
Beth Dugan, the deputy comptroller for operational risk at the OCC, says a firm’s protection from its supplier’s subcontractors boils down to the contract it has with the vendor – a task best left to the bank itself, not regulators.
“These are contractual relationships that the OCC doesn’t get in the middle of,” Dugan says. “We are not here to say how to approach and what to put in to [a vendor contract] specifically.
“We are not going to get in the middle of contract negotiations – that is what bank management is responsible for.”
Worries over fourth-party risks have grown in tandem with fears of cyber breaches. In June, for instance, Ticketmaster said the data of 5% of its users was stolen when an outside supplier of a live chat widget was hacked. It is the universe of long links to many businesses – and the unevenness of their data defences – that trouble banks.
The OCC last issued guidance on fourth-party risk management in 2013, though it freshened it as recently as last year. In Bulletin 2013-29, it set standards for overseeing relationships with suppliers and vendors involved in “critical activities”, things like payments, clearing, settlements, custody or IT, including subcontracting.
The OCC’s guidance states firms should require notification from its vendors if they plan on using a subcontractor, specify activities that can’t be outsourced, determine who’s liable for the subcontractors’ work and “reserve the right to terminate the contract without penalty if the third party’s subcontracting arrangements do not comply with the terms of the contract”.
The US Federal Reserve Board also issued guidance in 2013 touching on fourth-party risk, saying contracts should clearly make primary service providers accountable for services including those of any subcontractor – essentially Dugan’s position. She admits the OCC’s 2013 guidance is “pretty open”, but says there are two reasons it opted for the principles-based approach.
“One, you don’t put yourself in the corner, when the industry changes, dynamics change or constructs of how things are done change. You keep the concept, and you just say what is appropriate for what type of relationship you have,” Dugan says.
“It also then allows the institutions to say: ‘What is the right way it needs to look for what I am specifically doing? What type of relationship do I have with that third party?’ It gives them the flexibility to make sure they definitely have the appropriate level of risk management because of the actual construct of the relationship.”
But banks have not necessarily made the most of the added flexibility, one of the rare areas in which the industry is actually seeking regulation instead of whingeing about it.
In a recent Deloitte survey of extended enterprise risk management, 81% of financial services firms said they did not have enough knowledge and visibility over their fourth and fifth parties. Only 15% said they reviewed concentration and other risks from their fourth and fifth parties quarterly or semi-annually.
A risk manager at a large European bank says only major institutions with mature third-party risk management frameworks in place have the luxury of vetting the fourth parties.
“For fourth-party risk, you can probably count on your fingers the financial institutions that are doing it,” he says. “By not including fourth-party, there is a risk which is not being taken care of.”
But firms aren’t likely to be thorough unless the regulator steps in, he says. Most firms are also unlikely to screen fourth parties, given the cost-cutting pressures facing banks across the industry, he says.
“If the regulatory loophole is there, I am sure that a lot of banks will try not to put cost behind it, because it is not a cheap affair,” the risk manager says. “As long as there is no regulation, it is not going to happen. It’s as simple as that.”
Dugan says she sees why banks might want more prescriptive guidance, but maintains it’s not the OCC’s responsibility.
“I can understand where institutions would, at times, like to say here is a regulatory requirement that they can try to use in contract negotiations,” Dugan says.
But to do that effectively is the banks’ job, she says. In particular, they must know “how well the direct third party manages any subsequent parties”.
A risk manager at a large US bank says no firm wants the open-ended responsibility of directly overseeing fourth parties, a labyrinthine and almost unending task. Instead, most banks will have language in their contracts holding vendors liable for their subcontractors in every way possible, he says.
Programmes that actually screen the companies beyond arm’s-length are not as common. A bank would have to create an inventory of material fourth parties in their network and their services, the risk manager says. The end goal, he adds, would be to gain more insight into the fourth parties.
Over the past year, his firm has attained enough clarity on its fourth parties that it now has veto power over its vendors’ cloud providers, he says.
“We’ll ask what data is being shared with the fourth party. Are they branded with our name? What is the geographic location of them? Provide to us a data flow diagram that shows where our data is going, and explain to us if there are fourth parties involved,” the risk manager says. “After about a year-and-a-half of work, we have a pretty comprehensive inventory of all of our fourth parties.”
Dan Kinsella, who leads Deloitte’s extended-enterprise and third-party assurance, told a story that put the issue in some perspective. A chief executive of a global bank he works with told him his firm had 100 third parties it deemed critical. Each of those vendors in turn likely had 100 third parties they considered critical. That meant, the CEO said, his firm had 10,000 critical vendors.
And for some firms, Kinsella says, gaining that amount of oversight is just too much.
“About half of the contacts we have are all over this,” Kinsella says. “The other half are like: ‘Listen, I’ve got to get my third parties under control before I worry about my fourth parties.’”