Third Party and Fourth Party Management
In recent years, financial institutions have seen a significant amount of new guidance on third party risk management and new terms coined such as Fourth Party Management. FFIEC Cybersecurity Assessments Tool (CAT) encourages financial institutions to expand questioning around third party risk management practices and suggests more rigorous oversight. The FFIEC coined the term “External Dependencies” in CAT guidance. This expands requirements beyond vendors to include any third-party relationship, including customers. Regulators also suggest that the FFIEC CAT can be leveraged against Third Parties; not just financial institutions. In addition to the FFIEC, the OCC has issued additional guidance for examiners when reviewing third party management programs. We will explore best practices for Vendor Management, Third Party Risk Management, Fourth Party Management and Customer Risk Management.