Policy, Program and Procedures

  • 1.  4th Party Policy Creation

    This message was posted by a user wishing to remain anonymous
    Posted 07-15-2024 07:54 AM

    Hi,
    My company is relatively new, and I was tasked with creating a fourth-party policy. I've never created a fourth-party policy and wanted to see if anyone here can assist and point me in the proper direction to get this off the ground. We are a fin-tech/bank in the States, and I can only Google so much and look to see if anyone here has been in my shoes. Many thanks for your assistance!



  • 2.  RE: 4th Party Policy Creation

    This message was posted by a user wishing to remain anonymous
    Posted 07-16-2024 05:48 PM

    I think it would depend on the scope of the interaction and what department it is for, i.e., if you were in procurement, a 4th party policy would look a little different than if you were in third party risk management, or even if you were on the business side trying to do business with a 4th party. Can you expand on what department it is for?




  • 3.  RE: 4th Party Policy Creation

    Posted 07-16-2024 05:48 PM

    I can't advise on a specific policy, but I was told that in each SOC report the fourth parties are listed, so that is how you can identify them ongoing.






  • 4.  RE: 4th Party Policy Creation

    This message was posted by a user wishing to remain anonymous
    Posted 07-16-2024 05:57 PM

    Hello,

    In my experience, your third parties (vendors) should be responsible for conducting risk assessments, and they should have an effective TPRM framework in place. A good TPRM program ensures that your vendors perform their due diligence and track their fourth parties through appropriate metrics. This is because your organization likely has thousands of fourth-party relationships, which would be impossible to evaluate independently. To effectively monitor fourth-party risk, you should establish a manageable fourth-party risk program, but the monitoring methods depend on your third party, because your organization doesn't have a direct relationship with the fourth party. Therefore, for this type of monitoring to be successful, it requires close collaboration with your third-party vendors. I think it is better to include in your due diligence a request to your third party for a list of their critical vendors, and with this you can request a risk assessment report from your vendor. But like I said, this is my experience. I would simply include a chapter in the TPRM policy about the fourth-party monitoring.

    Best.




  • 5.  RE: 4th Party Policy Creation

    Posted 07-16-2024 06:42 PM

    I agree with this response. We never vet 4th parties. That's for our vendors to do. We do, however, ask questions on whether they vet them, look at their SOCs, etc.

    Cheryl






  • 6.  RE: 4th Party Policy Creation

    Posted 07-16-2024 08:04 PM

    Hello,

    Consider your organization's risk management practices, which are influenced by factors such as size, complexity, risk profile, and the nature of your third-party relationships. My recommendation would be to incorporate this consideration into your third-party risk or vendor management policy. When dealing with fourth-party risk, adopt a risk-based approach, since assessing all fourth parties directly may not be feasible. If your critical provider outsources to their own critical fourth party, expect them to apply similar controls for assessing their third parties (which are your fourth parties). Additionally, establish a foundation within your agreements with these third parties, specifying how they manage their key third parties. Prioritize key fourth parties; often this can overlap within your third-party assessments.




  • 7.  RE: 4th Party Policy Creation

    Posted 07-17-2024 11:49 AM

    Please, you can access the Venminder site; you will find a policy template that contains the main criteria.