Subcontractors (also known as "fourth parties") are an important factor when it comes to vendor management. Through the vendor management process, you take steps to make sure your vendors are secure and reliable, but what about their third parties? Do your vendors hold their subcontractors to the same standard of excellence? How can you know?

Effective subcontractor management can seem like a moving target, but it doesn't have to be. Let's talk about what you can do to manage your subcontractor risk with the five simple steps below.

Step 1: Define "Subcontractor"

Before you can begin managing subcontractors, you need to have a good definition of what "subcontractor" means to you. For example, you may define subcontractors as the third parties hired by your vendor to help the vendor provide products or services to your organization.

While this definition may seem unassuming, it does one great thing: It limits the scope of "subcontractors" to only the third parties needed by the vendor to provide service to you. You do not need to know all your vendor's third parties. You just need to know the ones which could impact the confidentiality, integrity, or availability of your systems and data.

Step 2: Review the Regulatory Guidance

For banks, credit unions, and other regulated entities, there are certain guidelines regarding subcontractors that will help you understand what is expected of you.

The Federal Financial Institutions Examination Council (FFIEC) discusses subcontractors in their IT Examination Handbook, Outsourcing Technology Services Booklet.

"Some service providers may contract with third parties in providing services to the financial institution. Institutions should be aware of and approve all subcontractors."

The booklet's Examination Procedures go on to state examiners should:

"Review any material subcontractor relationships identified by the service provider or in the outsourcing contracts. Ensure:

    • Management has reviewed the control environment of all relevant subcontractors for compliance with the institution's requirements definitions and security guidelines; and
    • The institution monitors and documents relevant service provider subcontracting relationships including any changes in the relationships or control concerns."

Other regulator-specific guidance which discusses oversight of subcontractors includes:

Step 3: Review Contracts

The most frequently discussed topic about subcontractors in guidance is effective contract management. However, the language regarding subcontractors can be boiled down to these six questions.

Does your contract with the vendor:

  1. Define if the vendor can use subcontractors?
  2. Outline what services the vendor can subcontract?
  3. Define what information is authorized to be shared with subcontractors?
  4. Include notification requirements if the vendor decides to use or change subcontractors?
  5. Place responsibility and accountability for the subcontractors on the vendor?
  6. Address the need for foreign-based subcontractors to adhere to U.S. regulatory standards?

If you are not sure whether your vendor contracts address these items:

  • Consider reviewing your existing contracts again. If these topics are not addressed, determine if they should be and if so, consider renegotiating the contract upon your next renewal.
  • Communicate expectations to contract reviewers. Work with your organization's legal team, compliance department, or others who may be involved with contract reviews to make sure these items are considered in all future contracts.

Step 5: Perform Subcontractor Due Diligence

In our experience with vendor managers, due diligence is typically the most confusing part of subcontractor management. 

Once you know who the subcontractors are, what should you do with that information? Should you add them to your vendor management program? Should you track subcontractors separately from or included with the vendor? What due diligence documents should you request from them? What about reviews? The list of questions goes on… But it doesn't have to. 

Let's keep it simple: Subcontractors are not your vendors. Your vendors are your vendors. 

Trying to fit subcontractors into your vendor management program can be tedious, time-consuming, and ultimately, unfruitful. Since your organization does not have an agreement directly with the subcontractor, they technically do not have to provide you with any information, and in many cases, they will not. 

So, what can you do? 

The OCC says it best in OCC Bulletin 2020-10

"As part of due diligence and ongoing monitoring, bank management should determine whether a third party appropriately oversees and monitors its subcontractors." 

In other words, in your vendor management processes, you should make sure your third parties do effective vendor management. 

To help you review your vendor's subcontractor due diligence processes, download our Subcontractor Due Diligence Checklist. This checklist is designed to help you assess the vendor's dependence on the subcontractor, as well as the vendor's contract management and due diligence practices. With this information, you can best understand the nature of the vendor's relationships and, by extension, your relationship to the subcontractors. 

Conclusion

Managing subcontractors may not be your responsibility, but you might be held accountable should the subcontractor have an incident that compromises your organization or customer and member data. As such, you should take certain steps to understand the nature of your vendor relationships with subcontractors. 

To help you manage all your vendor relationships, including tools and templates for contract management, due diligence, and reviews, check out Tandem Vendor Management. Our web-based application has been created with vendor managers in mind and can streamline your third-party risk management processes, giving you the tools you need to effectively oversee your vendors and their subcontractors.