As one of the world’s largest payments technology providers, with links to issuing and acquiring banks, merchants, service providers, and other entities across geographies, Mastercard has a highly complex operational ecosystem.
On the one hand, the company deals with its own partners and vendors, who support its business operations and help the payments giant achieve its business strategy. Mastercard has a direct relationship with these third parties through contracts.
On the other hand, the company deals with a rapidly growing digital network of fourth parties, including processors, data storage entities, digital wallet operators, and payments facilitators who provide services to Mastercard’s licensed customers. These fourth parties don’t have a direct relationship with Mastercard but are instrumental to the payments ecosystem.
To keep this entire network running smoothly, Mastercard has developed third- and fourth-party risk management programs. These initiatives enable the company to closely monitor its extended enterprise, while taking steps to identify and mitigate any risks that arise.
Today, the third- and fourth-party risk management programs are enabled and supported by the MetricStream GRC Platform, which provides a unified, holistic view of all third- and fourth-party risks.
Under the license agreement, customers are responsible for ensuring that the third parties they bring into the Mastercard ecosystem comply with Mastercard Rules. Previously, Mastercard had no visibility into the risk controls in place at the fourth parties its customers brought into the ecosystem.
While this lack of visibility might not have been an issue earlier, it increasingly became one as Mastercard’s fourth-party ecosystem began to expand. Thousands of new fourth parties entered the technology provider’s network, bringing with them new risks around data security, fraud, compliance with Mastercard rules, and more. All these risks heightened Mastercard’s own risk exposure.
In response, the payments giant took the proactive step of building a new fourth-party risk management program from the ground up. Unlike some of the company’s peers in the financial services industry who continued to rely on customers to monitor their fourth-party risks, Mastercard was committed to taking ownership and responsibility for all the risks in its enterprise. The company’s goal was to build a safer payments ecosystem. And to support these efforts, the company chose the MetricStream solution for third-party management built on the MetricStream GRC Platform.
The MetricStream Third-Party Management Solution has helped Mastercard establish a comprehensive risk assessment framework for the extended enterprise. It integrates with Mastercard’s home-grown systems to gather information on existing and new third and fourth parties, including corporates, service providers, merchants, and other institutions. All the data is maintained in a single, comprehensive repository that can be accessed by various risk stakeholders. This approach has helped Mastercard improve data consistency, while also reducing redundancies.
Mastercard uses the MetricStream solution not only for fourth-party risk management and monitoring, but also for fourth-party registration and information management. All registration activities are integrated and automated, so that fourth parties can directly log into the solution, sign up, and enter their information.
The solution automatically segments Mastercard’s fourth parties based on critical parameters such as service type, volume of transactions, access to personally identifiable information (PII), and exposure to fraud and money laundering. Each entity is then categorized based on the level of risk exposure and impact. In this way, fourth parties have been categorized as low maintenance, moderate maintenance, and high maintenance. This segmentation has helped Mastercard prioritize its risk assessments efficiently, while making informed decisions about its extended enterprise.
Based on the results of the segmentation process, Mastercard can define the appropriate level of fourth-party due diligence and the type of risk assessment required. For low-risk fourth parties, the company monitors exposure levels for any shift from low to medium.
For medium- and high-risk fourth parties, the MetricStream solution triggers risk assessment surveys, which help the company determine whether each fourth party has established appropriate controls. All vendor responses are captured in the solution, enabling Mastercard to quickly spot areas of concern that need to be acted on proactively.
Some fourth parties can have a significant impact on Mastercard. In such cases, the solution enables both risk assessment questionnaires and reports to identify which fourth parties require an onsite review. The system also supports the company in managing the results of onsite reviews through an issue management module.
Based on the assessment findings, the solution generates reports and graphical dashboards that provide comprehensive insights into the risk exposure of the fourth-party ecosystem. Built-in risk heat maps categorize fourth parties by risk likelihood and impact, so that at a glance decision-makers can determine the percentage of high-risk fourth parties. Various stakeholders can also be kept informed about the status of fourth-party risk profiles and escalate relevant cases.
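The segmentation, due-diligence routing and heat-map view described in the preceding paragraphs follow a pattern common to third- and fourth-party risk programs: a few registration attributes drive a likelihood and an impact rating, their product places the entity in a tier, and the tier selects the assessment activity. The block below is an added illustration of that pattern and is not MetricStream's or Mastercard's code; the service-type weights, volume thresholds, tier cut-offs and sample entities are all constructed assumptions, chosen only to show how the pieces fit together.

```python
"""Fourth-party risk tiering, due-diligence routing and heat-map cells.

Added example; not the vendor's or Mastercard's implementation. Every weight,
threshold and sample entity below is a constructed assumption.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed impact weight per service type (1 = limited, 3 = severe).
SERVICE_IMPACT = {
    "processor": 3,
    "digital_wallet": 3,
    "data_storage": 2,
    "payment_facilitator": 2,
}


@dataclass(frozen=True)
class FourthParty:
    name: str
    service_type: str
    monthly_txn_volume: int
    handles_pii: bool
    fraud_aml_exposure: int  # 0 (none) to 3 (high), as declared at registration


def impact(fp: FourthParty) -> int:
    """Impact 1-3: how badly a failure or breach at this entity would hurt the network."""
    base = SERVICE_IMPACT.get(fp.service_type, 1)  # unknown service types default to 1
    if fp.monthly_txn_volume >= 1_000_000:  # assumed threshold for a high-volume entity
        base += 1
    return min(base, 3)


def likelihood(fp: FourthParty) -> int:
    """Likelihood 1-3 from PII handling and declared fraud/AML exposure."""
    raw = fp.fraud_aml_exposure + (2 if fp.handles_pii else 0)  # 0..5
    if raw <= 1:
        return 1
    if raw <= 3:
        return 2
    return 3


def tier(fp: FourthParty) -> str:
    """Tier from the likelihood x impact product (possible values 1, 2, 3, 4, 6, 9)."""
    score = likelihood(fp) * impact(fp)
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


# Assumed mapping of tier to the due-diligence activity the program applies.
DUE_DILIGENCE = {
    "low": "monitor exposure level",
    "medium": "risk assessment survey",
    "high": "risk assessment survey + onsite review candidate",
}


def due_diligence(fp: FourthParty) -> str:
    return DUE_DILIGENCE[tier(fp)]


def heat_map(parties) -> Counter:
    """Count entities per (likelihood, impact) cell, i.e. the grid a heat map renders."""
    return Counter((likelihood(p), impact(p)) for p in parties)


def high_risk_share(parties) -> float:
    """Fraction of the population in the high tier, the figure a dashboard headlines."""
    if not parties:
        return 0.0
    return sum(tier(p) == "high" for p in parties) / len(parties)


# Constructed sample population; names and figures are fictional.
SAMPLE_PARTIES = [
    FourthParty("Acme Processing", "processor", 5_000_000, True, 3),
    FourthParty("WalletCo", "digital_wallet", 200_000, True, 1),
    FourthParty("ColdStore Archive", "data_storage", 0, True, 0),
    FourthParty("Kiosk Facilitator", "payment_facilitator", 10_000, False, 1),
    FourthParty("Print Shop", "marketing", 0, False, 0),
]

if __name__ == "__main__":
    for p in SAMPLE_PARTIES:
        print(f"{p.name:20} L={likelihood(p)} I={impact(p)} "
              f"{tier(p):6} -> {due_diligence(p)}")
    print("heat map cells (likelihood, impact): count", dict(heat_map(SAMPLE_PARTIES)))
    print(f"high-risk share: {high_risk_share(SAMPLE_PARTIES):.0%}")
```

Keeping likelihood and impact as separate functions matters in practice: a high-impact processor with strong controls and a small, weakly controlled facilitator land in different heat-map cells rather than being flattened into one score, which is what lets a reviewer decide where an onsite review is actually warranted.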