Case Study

Mastercard Builds a Safer Payments Ecosystem with a Fourth-Party Risk Monitoring Program

  • 66%
  • reduction in the time taken for third-party risk assessments*

As one of the world’s largest payments technology providers, with links to issuing and acquiring banks, merchants, service providers, and other entities across geographies, Mastercard has a highly complex operational ecosystem. On the one hand, the company deals with its own partners and vendors, who support its business operations, and help the payments giant achieve its business strategy. Mastercard has a direct relationship with these third parties through contracts. On the other hand, the company deals with a rapidly growing digital network of fourth parties, including processors, data storage entities, digital wallet operators, and payments facilitators who provide services to Mastercard’s licensed customers. These fourth parties don’t have a direct relationship with Mastercard but are instrumental to the payments ecosystem.

To keep this entire network running smoothly, Mastercard has developed third and fourth-party risk management programs. These initiatives enable the company to closely monitor its extended enterprise, while taking steps to identify and mitigate any risks that arise.

Today, the third and fourth-party risk management programs are enabled and supported by the MetricStream Platform running on Amazon Web Services (AWS) cloud, which provides a unified, holistic view of all third- and fourth-party risks.

The Fourth-Party Challenge

As per license agreement, customers are responsible for third parties brought to the Mastercard ecosystem to comply with Mastercard Rules. Previously, Mastercard had no visibility into the risk controls in place for fourth parties brought by customers to its ecosystem.

While this lack of visibility might not have been an issue earlier, it increasingly became one as Mastercard’s fourth-party ecosystem began to expand. Thousands of new fourth parties entered the technology provider’s network, bringing with them new risks around data security, fraud, compliance with Mastercard rules, and more. All these risks heightened Mastercard’s own risk exposure.

In response, the payments giant took the proactive step of building a new fourth-party risk management program from the ground up. Unlike some of the company’s peers in the financial services industry who continued to rely on customers to monitor their fourth-party risks, Mastercard was committed to taking ownership and responsibility for all the risks in its enterprise. The company’s goal was to build a safer payments ecosystem. And to support these efforts, the company chose MetricStream Third-Party Risk Management built on the MetricStream Platform and running on AWS cloud.


  • Insufficient visibility into fourth-party risks and controls.
  • Thousands of fourth parties entering the ecosystem, but no mechanisms in place to determine the associated risks.
  • Lack of a system to register and monitor fourth parties.

Business Value Realized

  • Comprehensive visibility into the risks of fourth parties
  • Faster risk assessments with automatic segmentation of fourth parties into various risk categories
  • Efficient risk assessment process with automatic distribution of questionnaires and population of responses
  • More actionable and timely fourth-party risk insights which accelerate Mastercard’s risk response
  • Running on AWS Cloud delivers scalability and security

Enhanced Agility and Risk-based Decision-making

The product automatically segments Mastercard’s fourth parties based on critical parameters such as service type, volume of transactions, access to personally identifiable information (PII), and exposure to fraud and money laundering. Each entity is then categorized based on the level of risk exposure and impact. In this way, fourth parties have been categorized as low maintenance, moderate maintenance, and high maintenance. This segmentation has helped Mastercard prioritize its risk assessments efficiently, while making informed decisions about its extended enterprise.

More Timely Risk Insights

Based on the assessment findings, the product generates reports and graphical dashboards that provide comprehensive insights into the risk exposure of the fourth-party ecosystem. In-built risk heat maps help in categorizing fourth parties by risk likelihood and impact, so that at a glance, decision-makers can determine the percentage of high-risk fourth parties. Various stakeholders can also be kept informed about the status of fourth-party risk profiles and escalate relevant cases.

Simpler Risk Assessments and Monitoring

Based on the results of the segmentation process, Mastercard can define the appropriate level of fourth-party due diligence and type of risk assessment required. For low-risk fourth parties, the company monitors exposure levels; from low to medium.

For medium and high-risk fourth parties, the MetricStream product triggers risk assessment surveys which help the company determine if each fourth party has established appropriate controls. All vendor responses are captured in the product, enabling Mastercard to quickly spot areas of concern that need to be acted on proactively.

Some fourth parties can have a significant impact on Mastercard. In such cases, the product enables both risk assessment questionnaires and reports to identify which fourth parties require an onsite review. The system also supports the company in managing the results of onsite reviews through an issue management capabilities.


Ready to get started?

Speak to our experts Let’s talk