Recently, we received a question from one of our Tandem Vendor Management software users.
"I recently saw Tandem announce they are supporting documentation of third-party relationships, and the option to include or exclude as a part of the vendor management program. I am a little confused as I am not understanding the difference between a 'Vendor' and a 'Third Party.' To me, they are synonymous, and I was wondering if someone could shed some light on this."
This is a great question. When we began building features in Tandem to handle both vendors and other entities an institution may want to track (but may or may not have a contract with), we adopted the term "third-party" and the definition used by the FFIEC.
In the Glossary of the Information Security booklet, the FFIEC defines a third-party relationship as, "Any business arrangement between a financial institution and another entity, by contract or otherwise." However, this can be confusing because the FFIEC and the other financial institution regulatory bodies (e.g., the NCUA, FDIC, OCC, and FRB) also use the term "third-party service provider" to mean a specific type of contracted vendor to which an institution outsources activities.
To bring some clarity to the topic, we will explore the following:
- Definitions from the Federal Banking Agencies
- How your institution should define these terms
- How Tandem defines these terms
Definitions from the Federal Banking Agencies
The FFIEC Information Technology Examination Handbook Infobase Glossary does not define "vendor," but it does define a "third-party relationship," as mentioned above. It also defines the narrower term "third-party service provider" as "any third party to whom a financial institution outsources activities that the institution itself is authorized to perform, including a technology service provider."
Across the handbooks published by the FFIEC, the terms "vendor" and "third party" are used together or interchangeably, with no consistent distinction drawn between them.
There is one distinction worth noting. A "third party" may or may not be a contracted entity, whereas the expectation is that an institution would have a contract in place with a "vendor" or "third-party service provider."
Below are a few examples of how the FFIEC uses the terms "vendor" and "third-party" within the various IT Examination Handbooks:
- In the Oversight of Third-Party Service Providers section of the Information Security booklet, the FFIEC defines a third-party service provider as "any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution."
- In the Third-Party Service Providers section of the Business Continuity Management booklet, the FFIEC simply says third-party providers are entities who "perform and support critical operations."
- In the Introduction of the Outsourcing Technology Services Booklet, the FFIEC states "financial institutions increasingly rely on external service providers" and that "generally, the term 'outsourcing' is used to describe these types of arrangements." The booklet goes on to use various terms for the outsourced relationship, including both "vendor" and "third party," interchangeably.
There are many similar references to third-party resources throughout the FFIEC's E-Banking, Management, and Information Security booklets.
In the Financial Institution Letter called Guidance for Managing Third-Party Risk, the FDIC defined the term "third party" to include "all entities that have entered into a business relationship with the financial institution, whether the third party is a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, or domestic or foreign." This definition is used consistently throughout most of the FDIC's documentation.
While the Federal Reserve Board's Supervisory Letter on Managing Outsourcing Risk does not define the terms "third party" or "vendor," the guidance broadly defines service providers as "all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities." This definition is significant to this conversation in that it ties the term "service provider" to the existence of a contract.
The NCUA wrote a Supervisory Letter on Evaluating Third-Party Relationships, explaining how "credit unions have increasingly developed third party relationships to meet strategic objectives and enhance member services." While the letter does not explicitly define any terms, the NCUA almost exclusively uses the term "third-party relationship."
In the OCC's Bulletin on third-party risk management, the OCC defines third-party relationships as "any business arrangement between a bank and another entity, by contract or otherwise."
How your institution should define these terms
As you can see, there is no single definitive answer. Based on what we found in the guidance above, we believe there are slight but clear distinctions among the terms "third party," "vendor," and "third-party service provider."
- A third party is the broadest term: any entity with which the institution has a relationship, whether or not a contract exists.
- A vendor is a subset of third parties: those entities with which the institution has a contract or conducts commerce.
- A third-party service provider is a subset of vendors: those that perform outsourced services for the institution.
Let's take a look at some examples:
- The FBI might be considered a third party an institution has a relationship with to report or track an incident, but the FBI is not a "vendor" or "third-party service provider."
- The institution may purchase software from Microsoft. Microsoft would be considered a "third-party" and a "vendor." However, if Microsoft only sold software and did not provide any services, then Microsoft would not be a "third-party service provider."
- An institution may hire an outside consultant like CoNetrix Security to provide cybersecurity consulting services. In this case, CoNetrix Security could be called a "third-party," "vendor," or more specifically, a "third-party service provider."
How Tandem defines these terms
In Tandem, we use the two terms to differentiate between a contracted service provider (i.e., a vendor) and, more broadly, any external entity with which the organization has a relationship (i.e., a third party). In other words, all vendors are third parties, but not all third parties are vendors.
In practice, our customers using Tandem's Vendor Management software would manage vendor contracts, perform risk assessments, gather due diligence, and conduct reviews. If a third party doesn't warrant this amount of oversight, users can document the third party in other Tandem products, as needed.
Here are some examples of third parties which may not be vendors:
- Emergency Services
- Law Enforcement
- Utility Providers
- Government Agencies
- Local Media
As you can see, each of these third parties is important when creating a business continuity plan (BCP). However, they are generally not vendors, because a contractual agreement likely does not exist for these kinds of relationships.
While the industry may sometimes use the terms interchangeably, our goal is to help users more intentionally document both vendors and third parties within Tandem, as needed.
Sources
- FFIEC Information Security Booklet – Oversight of Third-Party Service Providers
- FFIEC Business Continuity Management Booklet – Third-Party Service Providers
- FFIEC Outsourcing Technology Services Booklet – Contract Issues
- FFIEC Outsourcing Technology Services Booklet – Multiple Service Provider Relationships
- FDIC Financial Institution Letter – Guidance for Managing Third-Party Risk
- FRB Supervisory Letter – Guidance on Managing Outsourcing Risk
- OCC Bulletin – Third-Party Relationships: Risk Management Guidance
- NCUA Supervisory Letter – Evaluating Third Party Relationships