
Taking it to the Nth degree: Why Nth Party Risk Management is becoming a priority

Date: June 11, 2025

Financial services firms have become increasingly reliant on third party providers to support their business. The services offered by these providers bring many benefits. They are, for example, enabling widespread digital transformation across the organisation.

This shift poses a growing risk to both firms and the orderly functioning of markets. In particular, attention is turning to the supply chain that exists beyond direct (third-party) suppliers. These vendors-of-vendors, referred to as ‘nth parties’, form an often hidden but critical layer of risk exposure. Understanding and managing these extended vendor relationships is essential to maintaining regulatory compliance, achieving operational resilience and retaining the trust of your customers.

Understanding the Layers

While third-party vendors are well understood and often closely managed, “nth parties” refer to the additional layers of suppliers that exist deeper in the supply chain. Here's how the terminology breaks down:

  • 1st party: Your own organisation.
  • 2nd party: Your customer or client.
  • 3rd party: A vendor or service provider with whom you have a direct contractual relationship.
  • 4th party: A subcontractor used by your third party to deliver part of the service.
  • Nth party: Any vendor beyond the third party — this includes fourth parties and any subsequent layers further down the chain.

Although these nth parties may be several steps removed from your direct operations, they can still access or influence critical systems, data, and infrastructure. This makes them a significant, often overlooked source of risk that must be understood and managed as part of a robust vendor governance strategy.


Nth Party Risk – Why it Matters

There are numerous ways in which this affects your organisation. High-value data may flow through multiple external systems that you have never assessed. An outage at a subcontractor can cause severe disruption to a service you only ever contracted from its third party. Regulatory regimes such as DORA in the EU, FFIEC guidance in the US and APRA's prudential standards in Australia are tightening their scrutiny of these extended vendor chains, and any breach or failure anywhere in the chain can damage customer trust and the value of your brand.


Financial institutions often map only their immediate third-party vendors, leaving downstream dependencies uncharted. There is frequently an over-reliance on vendor self-assessments, which rarely reveal whether critical services are being outsourced to high-risk or non-compliant nth parties. Many contracts with third parties contain no requirements for subcontractor transparency or security compliance. Rather than monitoring the situation proactively, many companies review vendor risk either annually or only after an incident has happened.

A Strategic Approach to Mitigating Nth Party Risk

Begin by working towards complete supply chain visibility. Use automated tools to identify the relationships between your vendors and their subcontractors, and record them as a dependency map rather than a flat vendor list.

Introduce specific clauses into your third-party contracts that require full disclosure of all subcontractors (including changes to them), a right to audit, and compliance with your institution's risk standards.

Tier your vendors (and their nth parties) according to their criticality and risk level. Require high-risk vendors to disclose all of their dependencies together with the mitigation plans associated with each.

Set up cross-departmental governance teams, including personnel from legal, compliance, procurement and IT, to review vendor and nth party risks on a regular basis.
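The mapping and tiering steps above are easiest to reason about as a graph: each vendor is a node, and each disclosed subcontracting relationship is an edge. The script below is an added illustration, not code from this article or from any of the platforms it names. It walks a constructed vendor graph to list every nth party behind a given third party, propagates criticality down the chain, and flags concentration hot spots (an nth party that sits behind several of your direct vendors). All vendor names and relationships in it are constructed sample data, not real suppliers.

```python
"""Map a vendor supply chain as a directed graph and derive transitive
nth-party exposure, inherited criticality tiers and concentration hot spots.

Added illustrative example; not code from the original article or from any
product it names. The vendors and relationships below are constructed sample
data, not real suppliers.
"""
from collections import defaultdict, deque

# Constructed sample data. Direct (third-party) vendors with the criticality
# tier the institution has assigned them (1 = most critical).
THIRD_PARTY_TIERS = {
    "CorePaymentsCo": 1,
    "HR-SaaS": 3,
    "MarketDataLtd": 2,
}

# Constructed sample data. Disclosed subcontractors per vendor. Entries for
# nth parties (e.g. CloudHostA) come from the disclosures those vendors
# themselves made to the third party that uses them.
SUBCONTRACTORS = {
    "CorePaymentsCo": ["CloudHostA", "KMS-Provider"],
    "HR-SaaS": ["CloudHostA"],
    "MarketDataLtd": ["FeedAggregator"],
    "FeedAggregator": ["CloudHostA"],
    "CloudHostA": ["DNSProviderX"],
    "KMS-Provider": [],
    "DNSProviderX": [],
}


def nth_parties(third_party, subcontractors=SUBCONTRACTORS):
    """Return {vendor: depth} for every vendor reachable from third_party.

    depth 1 = fourth party, depth 2 = fifth party, and so on. Breadth-first
    search with a visited set, so a mis-entered circular disclosure cannot
    loop forever.
    """
    seen = {}
    queue = deque([(third_party, 0)])
    while queue:
        vendor, depth = queue.popleft()
        for sub in subcontractors.get(vendor, []):
            if sub not in seen:
                seen[sub] = depth + 1
                queue.append((sub, depth + 1))
    return seen


def inherited_tiers(tiers=THIRD_PARTY_TIERS, subcontractors=SUBCONTRACTORS):
    """Propagate criticality down the chain.

    An nth party inherits the most critical (lowest-numbered) tier of any
    third party whose service depends on it, so a subcontractor of a Tier 1
    vendor is treated as Tier 1 even if only a Tier 3 vendor disclosed it first.
    """
    result = {}
    for third_party, tier in tiers.items():
        for sub in nth_parties(third_party, subcontractors):
            result[sub] = min(tier, result.get(sub, tier))
    return result


def concentration(tiers=THIRD_PARTY_TIERS, subcontractors=SUBCONTRACTORS):
    """Map each nth party to the set of third parties whose chain it sits in.

    An nth party shared by several direct vendors is a single point of failure
    that no individual vendor assessment would have shown.
    """
    shared = defaultdict(set)
    for third_party in tiers:
        for sub in nth_parties(third_party, subcontractors):
            shared[sub].add(third_party)
    return dict(shared)


def hotspots(min_dependents=2, tiers=THIRD_PARTY_TIERS,
             subcontractors=SUBCONTRACTORS):
    """Nth parties serving at least min_dependents third parties, most shared first."""
    conc = concentration(tiers, subcontractors)
    return sorted(
        (v for v, deps in conc.items() if len(deps) >= min_dependents),
        key=lambda v: (-len(conc[v]), v),
    )


if __name__ == "__main__":
    for tp in THIRD_PARTY_TIERS:
        print(tp, "->", nth_parties(tp))
    print("inherited tiers:", inherited_tiers())
    print("concentration hot spots:", hotspots())
```

In the sample data, CloudHostA never appears as anyone's direct vendor, yet it sits behind all three third parties and inherits Tier 1 criticality through CorePaymentsCo; DNSProviderX, three layers down, inherits the same tier. Those are exactly the dependencies that a self-assessment of any single third party would not surface, and they are the ones a tiering exercise should pull into the high-risk review.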

There are multiple tools and technologies available to achieve risk visibility. Platforms such as ProcessUnity, OneTrust and Archer IRM support automated risk workflows and nth party mapping.

Companies such as SecurityScorecard, Bitsight and RiskRecon provide continuous, non-intrusive, cyber risk scoring of both your vendors and their networks.

Predictive analytics and behavioural monitoring can help surface unusual activity or rising risk exposure across an extended vendor ecosystem. Distributed ledgers have also been proposed as a way to record the provenance of digital services and data-handling steps in a tamper-evident form, although such approaches are not yet widely adopted in vendor governance.


The Regulatory Landscape

Industry practice is shifting as the regulatory landscape evolves. We have selected a few of the relevant regulatory regimes that aim to drive greater transparency and control:

  • EU – DORA: mandates ICT risk management across third-party providers and their subcontracting chains.
  • US – FFIEC guidelines: require oversight of outsourced services, including subcontractor arrangements.
  • UK – PRA/FCA third-party risk rules: emphasise dependency mapping and resilience testing.
  • AU – APRA CPS 230: expands oversight to all material service providers, including nth parties.

To Do List

Achieve visibility of the entire supply chain, with each function owning one step:

  • Risk and IT: map the ecosystem and uncover nth party dependencies.
  • Legal and procurement: update contracts to include clauses that mandate subcontractor disclosure.
  • Risk and compliance: tier vendors, classifying them according to criticality and exposure.
  • Security and IT: monitor these relationships continuously, using real-time cyber risk scoring and alerts.
  • Risk, legal and operations: provide governance and oversight of the entire process.

Build a Resilient Risk Ecosystem

Nth party risk is not a theoretical threat – it is a material exposure with tangible consequences. 

Regulators increasingly expect companies to have real-time visibility of their vendor ecosystems, to operate accountability models that extend to board level, and to be able to test and demonstrate resilience across those ecosystems.


To build true resilience, financial institutions must extend their risk management lens beyond third-party relationships and actively govern the full service-delivery chain. With the right strategy, tools and collaboration, companies can mitigate these risks before they become incidents. Prevention will always be better than cure.

About Projective Group

Projective Group was founded in 2006 and is a leading change specialist for the financial services sector.

Within the sector we are recognised as a provider of complete solutions, working with financial services clients to deliver solutions that are both holistic and pragmatic. We have grown into a trusted partner for companies that want to thrive and flourish in an ever-changing financial services landscape.