Regulations

We are a Fintech company providing core banking services.  Vendor Risk Mgmt. is very new to the organization and there is an ongoing use of what I would define as 4th party vendors but in a different perspective.  Our banks often have relationships with other service providers that require extracts of data, API integration etc. in order for them to perform functions on behalf of the bank.  Of course, we have all the bank's data so we have to have an indirect relationship with the 4th party to ensure information is passed back and forth according to the need.  There is an inherent risk as they often times have access to our network which service other banks that might not utilize their services.  How do you handle the delicate relationships when the Bank (customer) has the direct contract with them.  Sometimes, we pay that 4th party and then bill our customer.  

I would love to hear input on this and how others might handle. Thank you in advance for your insight.

Original Message:
Sent: 3/6/2024 1:29:00 PM
From: Anonymous Member
Subject: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

We are a Fintech company providing core banking services.  Vendor Risk Mgmt. is very new to the organization and there is an ongoing use of what I would define as 4th party vendors but in a different perspective.  Our banks often have relationships with other service providers that require extracts of data, API integration etc. in order for them to perform functions on behalf of the bank.  Of course, we have all the bank's data so we have to have an indirect relationship with the 4th party to ensure information is passed back and forth according to the need.  There is an inherent risk as they often times have access to our network which service other banks that might not utilize their services.  How do you handle the delicate relationships when the Bank (customer) has the direct contract with them.  Sometimes, we pay that 4th party and then bill our customer.  

I would love to hear input on this and how others might handle. Thank you in advance for your insight.

Thanks for your feedback.  I still think it is murky on this issue of responsibility of due diligence as it relates to 3rd party regulations.  We have a responsibility to all our customers and protecting their data.  When Bank A asks often times tell us to use Service Provider A for this function and that requires that Service Provider A to integrate into us it opens us and our other customers to vulnerabilities b/c now that Service Provider A has an access point to our core services that provides multiple Banks our core service.  Who is performing or should be performing the DD on Service Provider A.  I feel we should be just as responsible in getting that information as the Bank having the direct relationship b/c we have a responsibility to our other customer Banks that are on our core.  In some situations multiple banks use this Service Provider A for same services requiring a level of integration into each data point for each Bank.  

This is likely a very complex question and might not be fully illustrated for understanding by text. But I do appreciate the feedback.  

Original Message:
Sent: 03-07-2024 03:05 AM
From: Hannah MacDonald
Subject: 4th Party Vendors as it relates to Customer designated vendors

Original Message:
Sent: 3/6/2024 1:29:00 PM
From: Anonymous Member
Subject: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

We are a Fintech company providing core banking services.  Vendor Risk Mgmt. is very new to the organization and there is an ongoing use of what I would define as 4th party vendors but in a different perspective.  Our banks often have relationships with other service providers that require extracts of data, API integration etc. in order for them to perform functions on behalf of the bank.  Of course, we have all the bank's data so we have to have an indirect relationship with the 4th party to ensure information is passed back and forth according to the need.  There is an inherent risk as they often times have access to our network which service other banks that might not utilize their services.  How do you handle the delicate relationships when the Bank (customer) has the direct contract with them.  Sometimes, we pay that 4th party and then bill our customer.  

I would love to hear input on this and how others might handle. Thank you in advance for your insight.

I agree that your org has a responsibility to do due diligence where it is allowing any party (whether a third party or a fourth party) access to its core service which in turn potentially opens up the data of multiple bank clients. I would think that you would want to do due diligence to ensure the integrity of your system if nothing else. Bank partners will likely want to do their own due diligence as well; accordingly, the integration should be disclosed to all current and potential bank partners so that they can meet their regulatory obligations and do not find themselves with an unknown access point to their customer data. When we evaluate potential partners, we want to know that they have their own robust third party risk programs and it sounds like this is a large third (or fourth depending on contracts) party risk for your org (and potentially for your bank partners as well).

Original Message:
Sent: 03-07-2024 02:13 PM
From: Anonymous Member
Subject: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

Thanks for your feedback.  I still think it is murky on this issue of responsibility of due diligence as it relates to 3rd party regulations.  We have a responsibility to all our customers and protecting their data.  When Bank A asks often times tell us to use Service Provider A for this function and that requires that Service Provider A to integrate into us it opens us and our other customers to vulnerabilities b/c now that Service Provider A has an access point to our core services that provides multiple Banks our core service.  Who is performing or should be performing the DD on Service Provider A.  I feel we should be just as responsible in getting that information as the Bank having the direct relationship b/c we have a responsibility to our other customer Banks that are on our core.  In some situations multiple banks use this Service Provider A for same services requiring a level of integration into each data point for each Bank.  

This is likely a very complex question and might not be fully illustrated for understanding by text. But I do appreciate the feedback.  

Original Message:
Sent: 03-07-2024 03:05 AM
From: Hannah MacDonald
Subject: 4th Party Vendors as it relates to Customer designated vendors

Original Message:
Sent: 3/6/2024 1:29:00 PM
From: Anonymous Member
Subject: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

We are a Fintech company providing core banking services.  Vendor Risk Mgmt. is very new to the organization and there is an ongoing use of what I would define as 4th party vendors but in a different perspective.  Our banks often have relationships with other service providers that require extracts of data, API integration etc. in order for them to perform functions on behalf of the bank.  Of course, we have all the bank's data so we have to have an indirect relationship with the 4th party to ensure information is passed back and forth according to the need.  There is an inherent risk as they often times have access to our network which service other banks that might not utilize their services.  How do you handle the delicate relationships when the Bank (customer) has the direct contract with them.  Sometimes, we pay that 4th party and then bill our customer.  

I would love to hear input on this and how others might handle. Thank you in advance for your insight.

Original Message:
Sent: 3/7/2024 3:28:00 PM
From: Anonymous Member
Subject: RE: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

I agree that your org has a responsibility to do due diligence where it is allowing any party (whether a third party or a fourth party) access to its core service which in turn potentially opens up the data of multiple bank clients. I would think that you would want to do due diligence to ensure the integrity of your system if nothing else. Bank partners will likely want to do their own due diligence as well; accordingly, the integration should be disclosed to all current and potential bank partners so that they can meet their regulatory obligations and do not find themselves with an unknown access point to their customer data. When we evaluate potential partners, we want to know that they have their own robust third party risk programs and it sounds like this is a large third (or fourth depending on contracts) party risk for your org (and potentially for your bank partners as well).

Original Message:
Sent: 03-07-2024 02:13 PM
From: Anonymous Member
Subject: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

Thanks for your feedback.  I still think it is murky on this issue of responsibility of due diligence as it relates to 3rd party regulations.  We have a responsibility to all our customers and protecting their data.  When Bank A asks often times tell us to use Service Provider A for this function and that requires that Service Provider A to integrate into us it opens us and our other customers to vulnerabilities b/c now that Service Provider A has an access point to our core services that provides multiple Banks our core service.  Who is performing or should be performing the DD on Service Provider A.  I feel we should be just as responsible in getting that information as the Bank having the direct relationship b/c we have a responsibility to our other customer Banks that are on our core.  In some situations multiple banks use this Service Provider A for same services requiring a level of integration into each data point for each Bank.  

This is likely a very complex question and might not be fully illustrated for understanding by text. But I do appreciate the feedback.  

Original Message:
Sent: 03-07-2024 03:05 AM
From: Hannah MacDonald
Subject: 4th Party Vendors as it relates to Customer designated vendors

Original Message:
Sent: 3/6/2024 1:29:00 PM
From: Anonymous Member
Subject: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

We are a Fintech company providing core banking services.  Vendor Risk Mgmt. is very new to the organization and there is an ongoing use of what I would define as 4th party vendors but in a different perspective.  Our banks often have relationships with other service providers that require extracts of data, API integration etc. in order for them to perform functions on behalf of the bank.  Of course, we have all the bank's data so we have to have an indirect relationship with the 4th party to ensure information is passed back and forth according to the need.  There is an inherent risk as they often times have access to our network which service other banks that might not utilize their services.  How do you handle the delicate relationships when the Bank (customer) has the direct contract with them.  Sometimes, we pay that 4th party and then bill our customer.  

I would love to hear input on this and how others might handle. Thank you in advance for your insight.

Thanks for your feedback.  I still think it is murky on this issue of responsibility of due diligence as it relates to 3rd party regulations.  We have a responsibility to all our customers and protecting their data.  When Bank A asks often times tell us to use Service Provider A for this function and that requires that Service Provider A to integrate into us it opens us and our other customers to vulnerabilities b/c now that Service Provider A has an access point to our core services that provides multiple Banks our core service.  Who is performing or should be performing the DD on Service Provider A.  I feel we should be just as responsible in getting that information as the Bank having the direct relationship b/c we have a responsibility to our other customer Banks that are on our core.  In some situations multiple banks use this Service Provider A for same services requiring a level of integration into each data point for each Bank.  

This is likely a very complex question and might not be fully illustrated for understanding by text. But I do appreciate the feedback.  

Original Message:
Sent: 03-07-2024 03:05 AM
From: Hannah MacDonald
Subject: 4th Party Vendors as it relates to Customer designated vendors

Original Message:
Sent: 3/6/2024 1:29:00 PM
From: Anonymous Member
Subject: 4th Party Vendors as it relates to Customer designated vendors

This message was posted by a user wishing to remain anonymous

We are a Fintech company providing core banking services.  Vendor Risk Mgmt. is very new to the organization and there is an ongoing use of what I would define as 4th party vendors but in a different perspective.  Our banks often have relationships with other service providers that require extracts of data, API integration etc. in order for them to perform functions on behalf of the bank.  Of course, we have all the bank's data so we have to have an indirect relationship with the 4th party to ensure information is passed back and forth according to the need.  There is an inherent risk as they often times have access to our network which service other banks that might not utilize their services.  How do you handle the delicate relationships when the Bank (customer) has the direct contract with them.  Sometimes, we pay that 4th party and then bill our customer.  

I would love to hear input on this and how others might handle. Thank you in advance for your insight.