Navigating the unknown: The rising threat of fourth-party risk to credit unions

by Hilary Jewhurst, Venminder, a CUNA Strategic Services alliance provider

As a credit union, you may have already established a solid vendor risk management program. However, over the past few years, auditors and examiners have started to focus on yet another concern that you might not be familiar with – fourth-party vendors. If you’re wondering who these vendors are, it’s actually quite simple.

Every vendor that you work with has their own set of vendors, and these vendors are considered your fourth-party vendors. In turn, those vendors also have their own vendors, known as nth parties, and so on. Tracking fourth- and nth-party vendors involved in providing products and services to your credit union can be challenging. These vendors aren’t under your organization’s direct control, so while important to understand the risk posed, it’s incredibly difficult to assess their risk management practices or ensure compliance with regulations and standards.

Fourth-party vendors can pose a significant threat to your credit union, particularly if they manage sensitive information or critical processes. They may not have the same level of security measures in place that you do, leaving your credit union and its members vulnerable to data breaches and other security incidents. Additionally, if a fourth-party vendor does experience a breach or outage, it can have a ripple effect throughout the entire supply chain, causing disruptions in the services you offer to members.

5 ways credit unions can manage fourth-party risks

Understandably, it can be overwhelming to think about all the potential risks of fourth- and nth-party vendors, and It’s not practical or realistic to try to manage an endless chain of vendors with whom you have no direct relationship. So, how can your credit union efficiently and effectively address these risks, meet regulatory expectations, and protect your credit union and its members? It may not be as difficult as it seems.

The good news is that by implementing a few tried and true methods, you can successfully identify and address fourth- and nth-party risks:

  • Identify fourth parties and create an inventory – This may seem challenging, but there are several ways to identify who your fourth parties are:
    • Require your third parties to disclose any of their vendor relationships (your fourth parties) that are instrumental in delivering products and services to your credit union or its members, or that have elevated risk attributes as listed above.
    • Review the SOC reporting of your third-party. Under the SSAE 18 standard, third-party service providers are required to inform your organization about their critical vendors, which are referred to as your fourth parties, in their SOC reporting.
    • Create a comprehensive list of all relevant fourth parties and their associations with your third parties. It’s necessary to ensure the list can be sorted to easily identify any significant concentration risk, such as multiple third parties using the same fourth party. If such a risk exists, you must work with your third parties to mitigate potential issues.
  • Narrow your focus – It’s not necessary to be concerned about every single fourth or nth party out there. For instance, you shouldn’t worry about the fourth-party vendor who provides office supplies to your third party or mows their lawn. Even though your third party might have fourth-party vendors they consider to be high-risk, if those fourth parties aren’t involved in servicing your credit union, they probably don’t require your attention. Knowing which fourth parties pose the most risk to your credit union or its members can help you reduce the number of extended vendor relationships to keep track of and manage.

Here are the fourth and nth parties that present the highest risks to your credit union: 

    • The fourth party accesses, transmits, processes, or stores sensitive credit union information or member personally identifiable information (PII)
    • The fourth party is critical to your third party’s operations or is instrumental to your critical or high-risk third party’s business continuity and disaster recovery plans or processes
    • The fourth party interacts in any way with your members (in person, digitally, marketing, etc.)
    • Your third party is dependent on the fourth party to help maintain regulatory or legal compliance
  • Use a risk-based approach – It’s important to prioritize the disclosure of fourth-party risks associated with your critical and high-risk vendors first, then work your way through the rest of your vendor inventory as soon as possible.
  • Review your vendor’s third-party risk management practices – It’s essential to realize that unless you have a direct contract with a fourth- or nth-party vendor, your ability to effectively manage them is nonexistent. It’s the responsibility of every organization to manage the risks associated with their vendor relationships, so the best way to “manage” fourth-party risks is to ensure your third parties are responsible for their own third-party risk management practices that are executed consistently. Your vendors should have skilled third-party risk management team members and robust policies, processes, and procedures in place.
  • Consider your contracts – Leverage third-party contracts to help manage fourth-party risk. Whenever possible add specific contract language to:
    • Require disclosure of any fourth party considered critical to your vendor’s operations
    • Require your vendor to perform suitable third-party risk assessment, due diligence, risk monitoring, performance monitoring and management, and vendor issue management
    • Require breach notifications for fourth and nth parties
    • Notify your organization in writing of any new or terminated critical fourth party

Tips for collaborating with third-parties to manage your fourth-parties

As mentioned above, understanding your vendors’ third-party risk management practices is the best way to manage fourth-party risk management. Here’s what your credit union should review from your vendors and questions to ask:

  • Review your vendors’ third-party risk management framework, policy, and processes. Ask the following questions:
    • Is the policy reflective of best practices and regulatory requirements?
    • Do they have formalized and documented processes for inherent risk assessment, vendor due diligence, periodic risk re-assessment and due diligence, risk and performance monitoring, and termination?
    • Do they follow the third-party risk management lifecycle?
    • Can they provide proof of documented inherent risk assessments, due diligence, and monitoring for their critical and high-risk vendors?
    • How do they manage and monitor vendor issues?
  • Review the staffing and qualifications of your vendors’ third-party risk management team. Effective third-party risk management depends on having enough skilled staff to execute the complex and interdependent processes involved. Here are some questions to help you review:
    • Do they have dedicated employees responsible for the third-party risk management function or is it a part-time role?
    • How qualified are the employees responsible for third-party risk management? What level of experience do they have and is it relevant to their industry?
    • Do they have any professional credentials or certifications?
  • Ask about subject matter experts (SMEs). Your credit union should know who is responsible for conducting vendor risk reviews at your vendors’ organization. Here are some questions to ask your vendors:
    • Do they have in-house SMEs for each risk domain?
    • Do SMEs hold professional certifications for their respective risk domains?
    • Does the vendor outsource their reviews, and if so, to whom?
    • Do SMEs provide a documented qualified opinion for each vendor risk review?

When dealing with third-party relationships, it’s impossible to avoid the risks that come with fourth-party involvement. However, there are steps credit unions can take to identify and address these risks. By implementing a risk-based approach, creating an inventory of fourth-party vendors, reviewing vendor third-party risk management practices, and including contract language that specifically addresses fourth-party involvement, credit unions can stay ahead of the game and effectively identify and address fourth-party risks.

Although you don’t have a direct contract with your fourth parties, it’s essential to understand how your third-party vendors manage their risk. Learn fourth-party due diligence questions to ask your third party.


Visit our CSS website to learn how Venminder can help you drive membership growth and operational excellence at an attractive price.

Hilary Jewhurst

Hilary Jewhurst

Hilary leads the advancement and promotion of third-party risk management best practices and solutions through thought leadership, subject matter expertise and support for Venminder’s clients, Marketing, Sales and Third-Party ... Web: Details