Today, the third- and fourth-party risk management programs are enabled and supported by the MetricStream Platform running on the Amazon Web Services (AWS) cloud, which provides a unified, holistic view of all third- and fourth-party risks.
Under the license agreement, customers are responsible for ensuring that the third parties they bring into the Mastercard ecosystem comply with Mastercard Rules. Previously, Mastercard had no visibility into the risk controls in place for fourth parties brought by customers to its ecosystem.
While this lack of visibility might not have been an issue earlier, it increasingly became one as Mastercard’s fourth-party ecosystem began to expand. Thousands of new fourth parties entered the technology provider’s network, bringing with them new risks around data security, fraud, compliance with Mastercard rules, and more. All these risks heightened Mastercard’s own risk exposure.
In response, the payments giant took the proactive step of building a new fourth-party risk management program from the ground up. Unlike some of the company’s peers in the financial services industry who continued to rely on customers to monitor their fourth-party risks, Mastercard was committed to taking ownership and responsibility for all the risks in its enterprise. The company’s goal was to build a safer payments ecosystem. And to support these efforts, the company chose MetricStream Third-Party Risk Management built on the MetricStream Platform and running on AWS cloud.
Comprehensive visibility into the risks of fourth parties
Faster risk assessments with automatic segmentation of fourth parties into various risk categories
Efficient risk assessment process with automatic distribution of questionnaires and population of responses
More actionable and timely fourth-party risk insights which accelerate Mastercard’s risk response
Running on AWS Cloud delivers scalability and security
The product automatically segments Mastercard’s fourth parties based on critical parameters such as service type, volume of transactions, access to personally identifiable information (PII), and exposure to fraud and money laundering. Each entity is then categorized based on the level of risk exposure and impact. In this way, fourth parties have been categorized as low maintenance, moderate maintenance, and high maintenance. This segmentation has helped Mastercard prioritize its risk assessments efficiently, while making informed decisions about its extended enterprise.
Based on the assessment findings, the product generates reports and graphical dashboards that provide comprehensive insights into the risk exposure of the fourth-party ecosystem. In-built risk heat maps help in categorizing fourth parties by risk likelihood and impact, so that at a glance, decision-makers can determine the percentage of high-risk fourth parties. Various stakeholders can also be kept informed about the status of fourth-party risk profiles and escalate relevant cases.
Based on the results of the segmentation process, Mastercard can define the appropriate level of fourth-party due diligence and type of risk assessment required. For low-risk fourth parties, the company monitors exposure levels, from low to medium.
For medium and high-risk fourth parties, the MetricStream product triggers risk assessment surveys which help the company determine if each fourth party has established appropriate controls. All vendor responses are captured in the product, enabling Mastercard to quickly spot areas of concern that need to be acted on proactively.
Some fourth parties can have a significant impact on Mastercard. In such cases, the product enables both risk assessment questionnaires and reports to identify which fourth parties require an onsite review. The system also supports the company in managing the results of onsite reviews through its issue management capabilities.