Third Party Risk

From Open Risk Manual


Third-Party Risk is any risk associated with engaging a third party in the context of providing a service or product to a client (the second party). It is an umbrella term covering several potential risk types depending on the product or service, the third party and the nature of the engagement / relationship.

Potential Risks due to Third-Party Risk

There are numerous risks that may arise from a financial institution’s use of third parties[1]

Some of the risks are associated with the underlying activity itself, similar to the risks faced by an institution directly conducting the activity. Other potential risks arise from or are heightened by the involvement of a third party. Failure to manage these risks can expose an institution to regulatory action, financial loss, litigation and reputation damage, and may even impair the institution’s ability to establish new or service existing customer relationships.

  • Reputation Risk. Reputation risk is the risk arising from negative public opinion. Third-party relationships that result in dissatisfied customers, interactions not consistent with institution policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of law and regulation are all examples that could harm the reputation and standing of the financial institution in the community it serves. Any negative publicity involving the third party, whether or not the publicity is related to the institution’s use of the third party, could result in reputation risk
  • Operational Risk. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Third-party relationships often integrate the internal processes of other organizations with the bank’s processes and can increase the overall operational complexity
  • Transaction risk. Transaction risk a form of operational risk (Business Execution). It is the risk arising from problems with service or product delivery. A third party’s failure to perform as expected by customers or the financial institution due to reasons such as inadequate capacity, technological failure, human error, or fraud, exposes the institution to transaction risk. The lack of an effective business resumption plan and appropriate contingency plans increase transaction risk. Weak control over technology used in the third-party arrangement may result in threats to security and the integrity of systems and resources. These issues could result in unauthorized transactions or the inability to transact business as expected
  • Credit Risk. Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Some contracts provide that the third party ensures some measure of performance related to obligations arising from the relationship, such as loan origination programs. In these circumstances, the financial condition of the third party is a factor in assessing credit risk. Credit risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers, conduct underwriting analysis, or set up product programs for the financial institution. Appropriate monitoring of the activity of the third party is necessary to ensure that credit risk is understood and remains within board-approved limits
  • Compliance risk. Compliance risk (Legal Risk) is the risk arising from violations of laws, rules, or regulations, or from non-compliance with internal policies or procedures or with the institution’s business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies, or ethical standards. For example
    • Third parties may engage in product marketing practices that are deceptive in violation of Section 5 of the Federal Trade Commission Act, or
    • Lending practices that are discriminatory in violation of the Equal Credit Opportunity Act and the Federal Reserve Board’s Regulation B.
    • Additionally, the ability of the third party to maintain the privacy of customer records and to implement an appropriate information security and disclosure program is another compliance concern. Liability could potentially extend to the financial institution when third parties experience security breaches involving customer information in violation of the safeguarding of customer information standards under FDIC and Federal Trade Commission regulations. Compliance risk is exacerbated when an institution has inadequate oversight, monitoring or audit functions.



  1. FDIC, Guidance for managing Third-Party Risk