Understanding and Managing Fourth-Party Risk in Business

Introduction

Picture this: your fintech's payment processing goes dark. Customers can't transact. Support tickets flood in. Your direct vendor — the BaaS provider you contracted with — is technically online. The problem sits one layer deeper, with the cloud infrastructure provider they depend on. You have no contract with that provider. No SLA. No incident notification rights. And yet, your operations are down, your customers are affected, and your regulator wants answers.

This is fourth-party risk. And it's the layer most fintech compliance programs don't cover.

Most fintech startups and financial services companies have invested in third-party risk management (TPRM): vendor questionnaires, due diligence reviews, contractual protections. But those programs stop at the direct vendor relationship. The layer beyond — your vendors' vendors — stays largely invisible, even as regulators across the US, UK, and EU actively scrutinize it.

This article covers:

  • What fourth-party risk actually is and how it differs from standard TPRM
  • Why it creates disproportionate exposure for fintechs and embedded finance companies
  • Where it hides across key risk categories
  • What regulators in the US, UK, and EU now expect
  • A practical five-step framework for managing it

TL;DR

  • Fourth-party risk = exposure from your vendors' vendors, where no direct contract or oversight leverage exists
  • Fintechs are disproportionately exposed due to layered, API-driven vendor stacks
  • The July 2024 CrowdStrike/Microsoft outage showed how a single technology provider failure cascades across unrelated financial firms
  • US, UK, and EU regulators hold you accountable for the full vendor chain — not just direct relationships
  • Effective management requires vendor mapping, tiering, contract flow-downs, SOC 2 review, and continuous monitoring

What Is Fourth-Party Risk? Understanding the Vendor Chain

Fourth-party risk is the operational, cyber, compliance, and financial exposure introduced by the suppliers, subcontractors, and service providers that your vendors depend on — entities you have no direct contract with, but whose failures can still affect your business.

The Vendor Hierarchy

The chain works like this:

  • First party — your organization
  • Second party — your internal teams or affiliates
  • Third party — your direct vendors (the ones you contract with)
  • Fourth party — your vendors' vendors (no direct contract with you)
  • Nth party — every layer beyond, each adding exposure you can't contractually control

[Figure: Vendor chain hierarchy from first party to Nth party, with control decreasing at each level]

Each level down the chain means less visibility and fewer contractual rights — but not less liability.

A Concrete Fintech Example

Consider a common BaaS arrangement: you contract with a BaaS provider to handle account issuance and payment processing. That BaaS provider runs its infrastructure on a major cloud platform.

If that cloud provider experiences a regional outage, your payment and account services go offline — even though your direct vendor's application layer is functioning normally.

You never engaged the cloud provider. You have no incident notification agreement with them. But your customers are affected, and your regulator still expects you to explain your business continuity controls.

That cloud provider is your fourth party — and when it goes down, the regulatory exposure lands on you, not on your vendor.


Why Fourth-Party Risk Is a Critical Blind Spot for Fintech

Fintechs and embedded finance companies are structurally more exposed to fourth-party risk than traditional financial institutions. Their business models are built on layered, API-driven vendor relationships — payment rails, sponsor banks, KYC providers, cloud platforms, fraud detection services — creating deep dependency chains with limited visibility at each layer.

The Consequences of Ignoring It

When fourth-party failures occur, the consequences don't stay contained:

  • Operational disruption — services go down when a subcontractor's infrastructure fails, even if your direct vendor is unaffected
  • Data liability — if your vendor shares customer PII or financial records with a subcontractor without your knowledge, and that subcontractor suffers a breach, your organization may still carry liability under GLBA (US), GDPR (EU), or UK GDPR
  • Regulatory enforcement — regulators don't accept "it happened two layers down" as a defense; the accountability stays with you

The July 19, 2024 CrowdStrike/Microsoft outage made this concrete. Reuters reported that the outage disrupted financial firms from London to Singapore, including the London Stock Exchange Group's Workspace platform, hitting organizations with no direct contract with CrowdStrike.

Business continuity plans that didn't model sub-dependency scenarios were caught flat-footed.

The Concentration Problem

Many fintechs share the same underlying infrastructure across multiple vendors without realizing it. Several of your vendors may simultaneously run on AWS, route payments through the same rails, or use the same identity verification subprocessor. When that shared fourth party fails, the impact hits your entire vendor stack at once — not one vendor, but all of them.

The US Treasury's 2023 report on financial-sector cloud adoption specifically identifies concentration and dependency risks as financial institutions adopt cloud services. Regulators view heavy dependence on a small number of providers as a direct resilience concern — and they've said so on the record.

[Figure: Cloud infrastructure concentration risk, showing multiple fintech vendors sharing one provider]

Why Traditional TPRM Programs Miss This

Standard third-party risk programs rely on vendor questionnaires and point-in-time assessments. The fundamental problem: they only capture what your direct vendors choose to self-report. There's no mechanism to surface what those vendors' vendors are doing, what controls exist two layers down, or where shared dependencies create concentration risk.

FINRA's 2024 cybersecurity advisory noted an increase in cyberattacks and outages at third-party providers used by member firms since 2023 — and explicitly called out "Fourth-Party Providers" (their term) as entities that may handle firm data but fall outside standard due diligence scope. That's a regulator naming the gap directly.


Where Fourth-Party Risk Hides: Key Risk Categories

Operational Risk

Fourth-party operational failures can interrupt your services even when your direct vendor's systems are working normally. Common examples include:

  • A subcontractor's data center going offline
  • A cloud provider's regional outage affecting hosted services
  • A payment infrastructure provider hitting capacity limits

The problem is that most business continuity plans are designed around first- and third-party failure scenarios. They ask: what if our vendor goes down? They rarely ask: what if our vendor's infrastructure provider goes down? That's the gap.

Data and Compliance Risk

When your vendor shares customer data — PII, transaction records, account information — with a subcontractor, your regulatory obligations follow that data. The subcontractor's breach becomes your compliance event.

If your vendor agreement doesn't require disclosure of data-sharing arrangements with subcontractors, you may not know this exposure exists until after a breach occurs. Flow-down provisions — covered in the framework below — close this gap.

Concentration Risk

Concentration risk in the fourth-party context means multiple vendors in your ecosystem share the same underlying provider. When that shared provider fails, you don't have one vendor problem — you have every vendor problem simultaneously.

For fintechs, this often looks like multiple vendors all running on the same cloud backbone, using the same payment infrastructure, or processing identity verification through the same third-party data provider. When that shared dependency goes down, the impact isn't contained to one relationship — it cascades across your entire vendor stack at once.


What Regulators Expect From Your Fourth-Party Risk Program

Across every major jurisdiction, the message from regulators is consistent: the fact that a failure originated outside your direct vendor relationship does not reduce your accountability.

US Regulatory Expectations

The Interagency Guidance on Third-Party Relationships, issued June 6, 2023 by the OCC, FDIC, and Federal Reserve, addresses subcontractors directly in due diligence, contracts, and ongoing monitoring requirements. Specifically, banks should evaluate:

  • Volume and type of subcontracted activities
  • Subcontractor geographic locations
  • The vendor's ability to identify, monitor, and control subcontractor risk
  • Contractual limits on subcontracting, notice rights, and audit rights

[Figure: Comparison of US, UK, and EU fourth-party regulatory requirements across the OCC, DORA, and FCA frameworks]

The OCC's January 24, 2024 Consent Order against Blue Ridge Bank, N.A. required corrective action for third-party risk management failures, including annual board review of TPRM program effectiveness. Vendor risk management failures are an active enforcement theme, not a future risk.

FINRA explicitly uses the "fourth-party" label in its guidance, recommending that broker-dealer fintechs assess any vendor handling firm data below the tier-1 level.

UK and EU Regulatory Expectations

DORA (Digital Operational Resilience Act, applicable from January 17, 2025) is the EU's most prescriptive regime. It explicitly covers ICT subcontractors within its definition of ICT third-party risk and mandates full ICT service supply chain mapping.

The Commission's Implementing Regulation (EU) 2024/2956 goes further, requiring register templates that identify subcontractors, their ranks in the supply chain, and the links between them.

The UK framework covers similar ground through two instruments:

  • FCA PS21/3: Required firms to complete mapping and testing of important business services, including third-party dependencies, by March 31, 2025
  • PRA SS2/21: Sets expectations for sub-outsourcing governance, supply-chain risk assessment, audit and access rights, and exit planning

The Practical Implication

Regulators don't require you to directly manage every fourth party. But they do expect:

  • Contract provisions requiring vendor disclosure of subcontractors
  • Evidence that your vendors have adequate TPRM programs of their own
  • Documented awareness of concentration risk
  • SOC 2 (SSAE 18) reports as auditable evidence of controls

How to Manage Fourth-Party Risk: A Practical Framework

Step 1: Map Your Fourth-Party Exposure

You cannot manage what you cannot see. Start by embedding fourth-party discovery questions into your vendor due diligence questionnaires. At minimum, ask vendors to disclose:

  • All critical subcontractors supporting the service
  • Cloud and infrastructure providers they depend on
  • Any third parties with access to your customer data
  • Subcontractor locations and jurisdictions
  • Whether any subcontractors support critical or important functions

Build a fourth-party inventory as part of your broader vendor register. This doesn't need to be comprehensive on day one — prioritize vendors with data access or operational dependencies first.

Step 2: Tier Your Oversight Based on Risk

Not every fourth party warrants the same scrutiny. A risk-based tiering approach keeps the program manageable:

  • Tier 1: Document & Monitor
      Criteria: Non-critical vendors, no data access
      Oversight approach: Capture in inventory; set notification triggers for changes
  • Tier 2: Enhanced Validation
      Criteria: Data access or operational dependencies
      Oversight approach: Review SOC 2 subservice disclosures; assess concentration risk
  • Tier 3: Targeted Deep Oversight
      Criteria: Systemic, regulatory-critical, or sponsor bank-relevant
      Oversight approach: Active monitoring; board-level reporting; concentration testing

[Figure: Three-tier fourth-party risk oversight framework, from "document and monitor" to "targeted deep oversight"]

Trying to apply Tier 3 scrutiny to every fourth party makes the program unmanageable. Tier your effort where the risk actually lives.

Step 3: Strengthen Contracts With Flow-Down Provisions

Contracts are your primary oversight lever for fourth-party risk. When negotiating or renewing vendor agreements, require vendors to:

  • Disclose material subcontractors before work begins
  • Notify you in advance of subcontractor changes
  • Flow down equivalent security and compliance standards to subcontractors
  • Report subcontractor breaches on the same timeline as their own incidents

With large vendors where full provisions aren't achievable, prioritize: disclosure, incident reporting, and security flow-down. Those three, in that order, provide the most protection when something goes wrong.

Step 4: Use SOC 2 Reports to Audit Fourth-Party Controls

SOC 2 Type 2 reports (audited under SSAE 18) are the primary auditable tool for fourth-party oversight. Specifically, look at how each report handles subservice organizations:

  • Inclusive method — the subservice organization's controls are included in the audit scope
  • Carve-out method — the subservice organization's controls are excluded from scope

Carved-out subservice organizations represent unvalidated gaps. When you encounter a carve-out, either request the subcontractor's own SOC report or document your rationale for accepting the residual risk.

Step 5: Monitor on an Ongoing Basis and Escalate Appropriately

Fourth-party risk isn't a one-time assessment. Build ongoing monitoring into your compliance calendar:

  • Review updated SOC 2 reports annually for changes in subservice organization disclosures
  • Run concentration risk analysis across critical vendors each quarter
  • Require vendors to notify you of subcontractor changes as they occur; flag these in vendor reviews
  • Surface material fourth-party exposures in risk committee reporting, not just operational logs
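The five steps above describe a repeatable procedure: collect subcontractor disclosures, tier each fourth party, look for shared dependencies, and check SOC 2 carve-outs. The following Python module is an added example, not code from the article or from any vendor or tool it mentions, showing how a compliance team could keep that procedure in a small, re-runnable fourth-party register instead of a spreadsheet. The vendor names, flags (`data_access`, `operational_dependency`, `sponsor_bank_relevant`, `has_own_soc2`) and the rule that a shared operational dependency is treated as systemic (Tier 3) are all assumptions chosen to illustrate the framework; the sample vendor stack is constructed.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class FourthParty:
    """One subcontractor disclosed by a direct vendor in due diligence (Step 1)."""
    name: str
    data_access: bool = False             # touches your customer PII or records
    operational_dependency: bool = False  # your service stops if this party goes down
    sponsor_bank_relevant: bool = False   # regulatory-critical or sponsor-bank scope
    has_own_soc2: bool = False            # you hold this subcontractor's own SOC 2 report


@dataclass
class Vendor:
    """A direct (third-party) vendor and what it disclosed."""
    name: str
    fourth_parties: list[FourthParty] = field(default_factory=list)
    # Subservice organizations the vendor's SOC 2 report carves out of scope (Step 4)
    carve_outs: set[str] = field(default_factory=set)


def base_tier(fp: FourthParty) -> int:
    """Step 2 tiering: 3 = targeted deep oversight, 2 = enhanced validation, 1 = document and monitor."""
    if fp.sponsor_bank_relevant:
        return 3
    if fp.data_access or fp.operational_dependency:
        return 2
    return 1


def concentration(vendors: list[Vendor]) -> dict[str, list[str]]:
    """Map every fourth party to the direct vendors that depend on it (concentration analysis)."""
    dependents: dict[str, list[str]] = defaultdict(list)
    for v in vendors:
        for fp in v.fourth_parties:
            dependents[fp.name].append(v.name)
    return dict(dependents)


def effective_tier(fp: FourthParty, dependents: list[str]) -> int:
    """Assumption: an operational dependency shared by two or more vendors is systemic, so Tier 3."""
    if fp.operational_dependency and len(dependents) >= 2:
        return 3
    return base_tier(fp)


def soc2_gaps(vendors: list[Vendor]) -> list[tuple[str, str]]:
    """Step 4: carved-out subservice organizations with no SOC report of their own are unvalidated gaps."""
    return [(v.name, fp.name) for v in vendors for fp in v.fourth_parties
            if fp.name in v.carve_outs and not fp.has_own_soc2]


def build_register(vendors: list[Vendor]) -> dict[str, dict]:
    """Merge per-vendor disclosures into one fourth-party inventory with tier and dependents."""
    dependents = concentration(vendors)
    merged: dict[str, FourthParty] = {}
    for v in vendors:
        for fp in v.fourth_parties:
            m = merged.setdefault(fp.name, FourthParty(fp.name))
            # Two vendors may describe the same subcontractor differently; keep the stricter view.
            m.data_access |= fp.data_access
            m.operational_dependency |= fp.operational_dependency
            m.sponsor_bank_relevant |= fp.sponsor_bank_relevant
            m.has_own_soc2 |= fp.has_own_soc2
    return {
        name: {
            "tier": effective_tier(fp, dependents[name]),
            "dependents": dependents[name],
            "shared": len(dependents[name]) >= 2,
        }
        for name, fp in merged.items()
    }


def escalations(register: dict[str, dict]) -> list[str]:
    """Step 5: Tier 3 entries belong in risk committee reporting, not just operational logs."""
    return sorted(name for name, entry in register.items() if entry["tier"] == 3)


# Constructed sample vendor stack (hypothetical names, not real providers).
VENDORS = [
    Vendor("BaaS provider",
           [FourthParty("Cloud platform A", data_access=True, operational_dependency=True,
                        sponsor_bank_relevant=True),
            FourthParty("Payment rail B", operational_dependency=True),
            FourthParty("Card printer")],
           carve_outs={"Cloud platform A"}),
    Vendor("KYC provider",
           [FourthParty("Cloud platform A", data_access=True, operational_dependency=True),
            FourthParty("Identity data bureau", data_access=True, has_own_soc2=True)],
           carve_outs={"Identity data bureau"}),
    Vendor("Fraud scoring service",
           [FourthParty("Payment rail B", operational_dependency=True),
            FourthParty("Email delivery vendor")]),
]

if __name__ == "__main__":
    register = build_register(VENDORS)
    for name, entry in register.items():
        print(f"{name}: tier {entry['tier']}, shared={entry['shared']}, used by {entry['dependents']}")
    print("SOC 2 carve-out gaps:", soc2_gaps(VENDORS))
    print("Escalate to risk committee:", escalations(register))
```

Two things in the output are worth noticing. "Payment rail B" is only an operational dependency for each vendor individually (Tier 2 on its own), but because two vendors share it, the concentration rule lifts it to Tier 3. And the BaaS provider's carve-out of "Cloud platform A" shows up as a gap because no SOC report for that cloud platform is on file, whereas the KYC provider's carve-out of the identity bureau does not, because the bureau's own report was obtained.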

The Role of Compliance Leadership in Fourth-Party Risk Management

Building a defensible fourth-party risk program requires someone who understands both the regulatory expectations and the operational risk frameworks — and who can translate that into contracts, questionnaires, SOC reviews, and board reporting. That function falls to a CCO or CRO within the compliance organization.

For fintech startups and Series A/B companies, that expertise often doesn't exist in-house. The result: fourth-party exposure goes unmanaged, vendor contracts lack flow-down provisions, SOC reports get filed without review, and concentration risk never surfaces in board materials. That gap only becomes visible when an exam or breach forces the issue.

Fractional compliance leadership addresses this directly. Through Fraxtional, growing financial companies can access director-level CCO or CRO expertise, including professionals like Kat Rief who specializes in Compliance, Risk, and TPRM for fintechs and bank sponsors, without the cost or commitment of a full-time hire.

That engagement covers:

  • Fourth-party program design and risk framework buildout
  • Vendor contract review for flow-down provisions
  • SOC report evaluation and findings interpretation
  • Board-level concentration risk reporting

Sponsor banks and regulators increasingly scrutinize vendor risk programs during pre-deal due diligence and examinations. Having experienced compliance leadership in place, even fractionally, can be the difference between passing that scrutiny and facing a remediation requirement.


Frequently Asked Questions

What is fourth-party risk?

Fourth-party risk is the exposure introduced by your vendors' vendors — entities you have no direct contract with. Their operational failures, security incidents, or compliance gaps can still affect your business and create regulatory liability, even though you never engaged them directly.

How do you manage fourth-party risk?

The core steps: map fourth-party exposure through vendor questionnaires, tier oversight by risk level, include flow-down provisions in vendor contracts, review SOC 2 reports for subservice organization disclosures, and monitor on an ongoing basis for subcontractor changes and concentration risk.

What is a fourth-party relationship?

A fourth-party relationship exists when your vendor engages its own subcontractors to deliver services. You have no direct contract with those subcontractors, but they sit within your extended risk ecosystem and can affect your operations and regulatory standing.

Who is responsible for managing fourth-party risk?

Regulators hold the contracting organization ultimately responsible for risk across the vendor chain. Direct management of every fourth party isn't expected, but you must ensure your direct vendors have adequate TPRM programs and document your awareness of concentration and subcontractor risks.

What is the difference between third-party and fourth-party risk?

Third-party risk comes from direct vendors you contract with — you have contractual leverage and direct oversight. Fourth-party risk comes from your vendors' vendors, where no direct contract or oversight lever exists. That gap is what makes fourth-party exposure harder to catch before it becomes a problem.

What regulations address fourth-party risk?

Key frameworks include the US Interagency Guidance on Third-Party Relationships (OCC/FDIC/Federal Reserve, June 2023), FINRA's cybersecurity advisory explicitly naming fourth-party providers, EU DORA (applicable from January 2025) requiring full ICT supply-chain mapping, and UK FCA PS21/3 and PRA SS2/21 covering third-party and sub-outsourcing risk.