Does your third-party risk extend enough?

Financial service institutions need a clear understanding of how services are delivered by third parties.

Financial institutions have been working diligently to establish third-party risk management (TPRM) programs to fulfill recent regulatory guidance, such as Office of the Comptroller of the Currency (OCC) Bulletin 2013-29 and Federal Reserve Board (FRB) Supervisory Letter 13-19. .  Regulators expect financial institutions to manage third parties-and by extension, fourth parties-in the same way they manage an internal function or division.  Fourth-party risk management requires even greater consideration given financial institutions have no legal contract with them. Given the high regulatory expectations surrounding third party risk management and the inherent challenge of managing a party where there is no direct contract, it is reasonable to expect that financial institutions will require their third parties to demonstrate that they manage the fourth parties in a similar manner to them.