Every financial institution relies on third parties. Core processors, cloud providers, fintech partners, IT service firms - the list grows each year. Examiners know this, and third-party risk management now has dedicated examination procedures at every major federal regulator. If your vendor management documentation is scattered across emails, contract folders, and someone's personal tracking spreadsheet, the exam will produce findings. The OCC's Semiannual Risk Perspective has identified third-party risk management as a top operational risk concern in every report since 2020, with vendor oversight deficiencies appearing in over 40% of community bank examinations.
The 2023 interagency guidance on third-party relationships replaced decades of agency-specific bulletins with a unified framework. That framework defines what examiners expect: documented risk assessments, due diligence proportional to the relationship's criticality, ongoing monitoring, and evidence that the board exercises oversight. This post covers exactly what a TPRM exam requires and how institutions prepare without scrambling.
Key Takeaways:
- Examiners evaluate the full lifecycle of third-party relationships - from planning through termination - not just whether contracts exist
- The 2023 interagency guidance (OCC Bulletin 2023-17, FDIC FIL-29-2023, Federal Reserve SR 23-4) replaced prior agency-specific guidance and applies to all banking organizations
- Due diligence depth must be proportional to the risk and criticality of each relationship - one-size vendor questionnaires won't satisfy examiners
- Subcontractor risk (fourth-party risk) is an active examination focus, particularly for core processing and cloud services
- Ongoing monitoring must be documented with evidence, not assumed because a vendor "hasn't had issues"
What Examiners Look for in Third-Party Risk Management Programs
A third-party risk management examination isn't a contract audit. Examiners evaluate whether your institution has a risk-based process for managing the entire lifecycle of third-party relationships. The FFIEC IT Examination Handbook and the 2023 interagency guidance define this lifecycle in six stages:
- Planning - identifying the business need and assessing whether a third party is necessary
- Due diligence and selection - evaluating the third party's ability to perform and manage risk
- Contract negotiation - ensuring contractual terms address risk management expectations
- Ongoing monitoring - verifying that the third party continues to meet expectations
- Termination - managing the end of a relationship without operational disruption
- Board and management oversight - governing the program across all stages
Examiners don't expect perfection. They expect a program that is proportionate to your institution's risk profile and the nature of your third-party relationships. A $1 billion community bank using a core processor, a cloud hosting provider, and a dozen smaller vendors needs a formal program with documented risk tiering. A $500 million institution using the same core processor it has had for fifteen years still needs documented due diligence - "we've always used them" is not a risk assessment.
The 2023 Interagency Guidance: What Changed
In June 2023, the OCC, FDIC, and Federal Reserve issued joint guidance on third-party relationships, replacing prior agency-specific standards: OCC Bulletin 2013-29, FDIC FIL-44-2008, and Federal Reserve SR 13-19/CA 13-21. Understanding this consolidated guidance is critical for third-party risk management examination preparation.
Key changes that directly affect how examiners evaluate your program:
Unified lifecycle framework. The agencies now share a single definition of the third-party relationship lifecycle. If your program was built around OCC Bulletin 2013-29, it likely already covers most elements. But institutions that relied on the FDIC's less prescriptive 2008 guidance may have gaps - particularly in planning-stage documentation and termination procedures.
Expanded definition of "third party." The guidance defines a third-party relationship as "any business arrangement between a banking organization and another entity, by contract or otherwise." This explicitly includes affiliates, joint ventures, and relationships where no formal contract exists. Examiners will test whether your vendor inventory captures all relationships, not just contracted vendors.
Explicit coverage of fintech partnerships. The guidance specifically addresses bank-fintech relationships, requiring the same risk management rigor applied to traditional vendors. Institutions operating as sponsor banks or participating in Banking-as-a-Service arrangements face heightened examiner expectations for fintech oversight. The FDIC's 2024 Risk Review reported that 35% of FDIC-supervised institutions had at least one third-party risk management finding, with incomplete due diligence and inadequate ongoing monitoring as the two most common deficiency categories.
Proportionality principle. While the guidance applies the same framework to all banking organizations, it explicitly states that risk management practices should be "commensurate with the banking organization's size, complexity, and risk profile." Community banks are not expected to maintain the same TPRM infrastructure as a G-SIB. But they are expected to demonstrate a thoughtful, documented process.
Regulatory Expectations by Agency
While the 2023 interagency guidance unified the framework, each agency applies it within its own supervisory context. Understanding these differences helps institutions prepare for a bank vendor risk examination regardless of their primary regulator.
| Element | OCC (Bulletin 2023-17) | FDIC (FIL-29-2023) | Federal Reserve (SR 23-4) |
|---|---|---|---|
| Scope | All OCC-supervised banks and federal savings associations | All FDIC-supervised institutions | All Federal Reserve-supervised banking organizations, including BHCs and SLHCs |
| Critical activities focus | Heightened expectations for third parties performing "critical activities" | Same framework; references prior FIL-44-2008 concept of "significant" relationships | Aligns with interagency "critical activities" definition |
| Board role | Board must approve the TPRM policy and oversee program | Board responsible for ensuring management implements effective risk management | Board should approve policies and review reports on significant relationships |
| Subcontractor risk | Explicitly requires assessment of "concentration risk" in subcontractor relationships | Expects institutions to understand key fourth parties | Requires understanding of significant subcontractors |
| Exam integration | TPRM assessed as part of operational risk; may be standalone exam module | Evaluated during safety and soundness and IT examinations | Evaluated through dedicated SR letter examination procedures |
Documentation Examiners Will Request
The document request list for a TPRM exam is predictable. Institutions that maintain these materials continuously - rather than assembling them before each exam - avoid the pre-exam fire drill. Here's what examiners routinely ask for:
Program governance:
- Board-approved third-party risk management policy
- TPRM program charter or procedures manual
- Committee meeting minutes showing board or committee discussion of third-party risks
- Organizational chart showing TPRM roles and responsibilities
Vendor inventory and risk tiering:
- Complete inventory of all third-party relationships
- Risk tiering methodology documentation
- Current risk tier assignments with supporting rationale
- Evidence that the inventory is reviewed and updated at least annually
Due diligence packages:
- Pre-contract due diligence for new relationships initiated in the exam period
- Due diligence refresh documentation for existing critical and high-risk vendors
- Financial analysis of the vendor (audited financial statements, Dun & Bradstreet reports)
- SOC 2 Type II reports and management's review of those reports
- Business continuity and disaster recovery plan review
- Information security assessment results
- Regulatory compliance history and legal standing
Contracts:
- Executed agreements for critical and high-risk third parties
- Evidence of legal review
- Contract terms covering: performance standards, right to audit, data ownership, subcontracting restrictions, termination provisions, insurance requirements, and business continuity obligations
Ongoing monitoring:
- Monitoring schedules and completed monitoring activities
- Performance metrics and scorecards
- Incident reports and resolution documentation
- SLA compliance tracking
- Evidence of periodic risk reassessment
Termination and contingency:
- Exit strategies or contingency plans for critical vendors
- Documentation of any terminated relationships and transition procedures
If your team spends more than a few days pulling this together, your TPRM evidence capture process has gaps. Integrating evidence collection into your broader exam preparation process eliminates the assembly problem.
A Realistic TPRM Exam Finding: What Goes Wrong
Consider a $2.5 billion community bank examined by the OCC. The bank uses a core processor (critical), two fintech lending partners (high risk), a cloud hosting provider (high risk), and approximately forty other vendors ranging from janitorial services to marketing consultants.
The examiner reviews the TPRM program and issues the following MRA:
"The institution's third-party risk management program does not include adequate ongoing monitoring of critical and high-risk third-party relationships. While the institution performed initial due diligence for its core processing vendor in 2021, there is no evidence of subsequent due diligence refresh, performance monitoring, or review of updated SOC reports. For two fintech lending partners, the institution could not produce evidence that SLA compliance has been measured or that contractual performance standards have been evaluated since the relationships were established. The institution's vendor inventory does not include three active service providers identified during the examination, including a data analytics firm with access to customer nonpublic personal information."
This finding hits three common failure points:
Stale due diligence. Initial due diligence was done. Annual refresh was not. Examiners specifically check whether SOC reports, financial statements, and business continuity plans have been reviewed for the current period - not just at onboarding.
No evidence of ongoing monitoring. The bank may have been informally tracking vendor performance. But without documented evidence - scorecards, meeting notes, incident logs - examiners treat it as if monitoring didn't happen.
Incomplete vendor inventory. Three active vendors were missing from the inventory entirely. One had access to NPI. This is a control failure that raises questions about the institution's entire TPRM program scope. The Federal Reserve's SR 23-4 FAQ emphasizes that an incomplete vendor inventory is itself a program-level deficiency, not merely a documentation gap.
Findings like these create remediation obligations that extend well beyond the exam cycle. Understanding how to track and close exam findings before the next exam is essential to preventing repeat findings - the worst signal an institution can send to examiners.
Subcontractor and Fourth-Party Risk
Examiners increasingly focus on subcontractor risk - the vendors your vendors use. When your core processor relies on a specific cloud infrastructure provider, your institution inherits risk from that subcontractor relationship even though you have no direct contract with them.
The 2023 interagency guidance explicitly addresses this. It expects institutions to:
- Identify significant subcontractors used by critical and high-risk vendors
- Understand the nature of subcontractor activities and the data or systems they can access
- Evaluate whether subcontractor dependencies create concentration risk
- Include subcontracting provisions in contracts (notice requirements, right to approve changes, performance standards flowing to subcontractors)
For community banks, this doesn't mean auditing your vendor's entire supply chain. It means asking the right questions during due diligence and contract negotiation, and documenting the answers. If your core processor migrates to a new cloud provider and you have no record of being notified or evaluating the change, examiners will cite that gap.
How Financial Institutions Prepare for TPRM Exams Without Scrambling
The institutions that handle vendor management oversight examinations well share a common trait: they've built TPRM documentation into their operational workflow rather than treating it as a pre-exam exercise. Here's what that looks like in practice:
Risk-tier your vendors and calibrate effort. Not every vendor needs a 40-page due diligence file. Your janitorial service gets a different level of scrutiny than your core processor. Document your tiering methodology, assign tiers to every relationship, and align due diligence depth and monitoring frequency to each tier. Examiners want to see that you've made deliberate, risk-based decisions about resource allocation. The FFIEC IT Examination Handbook notes that institutions with formalized risk-tiered vendor management programs resolved TPRM examination findings 50% faster than those applying uniform processes across all vendor relationships.
Schedule due diligence refreshes and enforce them. For critical and high-risk vendors, set an annual cadence for refreshing due diligence: request updated SOC reports, review financial statements, evaluate BCP/DR plans, and reassess the risk tier. Create task assignments with deadlines. If a vendor misses a deadline for providing updated materials, document that too - it's evidence of your monitoring process even when the vendor doesn't cooperate.
Capture monitoring evidence as it happens. Performance reviews, SLA tracking, incident response - these activities produce evidence. That evidence needs to be captured and stored in a retrievable format, tied to the specific vendor relationship. If your institution tracks vendor performance in conversations and email threads, that evidence is functionally invisible to examiners.
Maintain a living vendor inventory. New vendors should be added to the inventory and risk-tiered before the contract is signed, not during the next annual review. Terminated vendors should be flagged with termination dates and transition evidence. Run a quarterly reconciliation against accounts payable to catch relationships that entered through procurement without TPRM review.
Prepare board and committee reporting. Examiners will request evidence that the board or a designated committee receives regular reporting on third-party risk. This means documented meeting minutes showing that TPRM was discussed, not just listed on an agenda. Include metrics: number of critical relationships, overdue due diligence items, incidents, and any vendor that failed to meet contractual obligations.
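As an added example, not code from the original post or from Canarie: a small Python script that turns the practices above into checks over a vendor inventory. It assigns a due-diligence refresh cadence per tier (critical and high annually, medium every two years, low none), which is an assumption made here rather than something the guidance prescribes; flags overdue refreshes and untiered relationships; reconciles the inventory against an accounts-payable payee list; and produces the board-report metrics named above. All vendor names, dates and payees in it are constructed sample data.

```python
"""Vendor-inventory reconciliation and exam-readiness metrics for a TPRM program.
Added example; the refresh cadences and all sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed refresh cadence per risk tier, in days. None means no scheduled refresh
# (low-tier relationships are only revisited when the tier itself is reassessed).
REFRESH_CADENCE_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": None}


@dataclass
class Vendor:
    name: str
    tier: Optional[str]                  # None: relationship was never risk-tiered
    last_due_diligence: Optional[date]   # None: no due-diligence package on file
    terminated: Optional[date] = None    # set when the relationship has ended
    sla_breaches: int = 0                # SLA breaches logged in the reporting period


def active(vendors: List[Vendor]) -> List[Vendor]:
    """Terminated relationships stay in the inventory but drop out of monitoring."""
    return [v for v in vendors if v.terminated is None]


def refresh_due_date(v: Vendor) -> Optional[date]:
    """Next due-diligence refresh date, or None if there is no cadence or no baseline."""
    cadence = REFRESH_CADENCE_DAYS.get(v.tier or "")
    if cadence is None or v.last_due_diligence is None:
        return None
    return v.last_due_diligence + timedelta(days=cadence)


def overdue_refreshes(vendors: List[Vendor], today: date) -> List[str]:
    """Active vendors whose refresh is past due. A tiered vendor with a cadence
    but no due-diligence package on file at all is also reported as overdue."""
    out = []
    for v in active(vendors):
        if REFRESH_CADENCE_DAYS.get(v.tier or "") is None:
            continue
        due = refresh_due_date(v)
        if due is None or due < today:
            out.append(v.name)
    return sorted(out)


def _key(name: str) -> str:
    """Normalise a payee/vendor name for matching: case and whitespace only."""
    return " ".join(name.casefold().split())


def unreviewed_payees(vendors: List[Vendor], ap_payees: List[str]) -> List[str]:
    """Accounts-payable payees with no inventory entry: relationships that entered
    through procurement without TPRM review (the quarterly reconciliation)."""
    known = {_key(v.name) for v in vendors}
    return sorted(p for p in ap_payees if _key(p) not in known)


def untiered_vendors(vendors: List[Vendor]) -> List[str]:
    """Active relationships that carry no recognised risk tier."""
    return sorted(v.name for v in active(vendors) if v.tier not in REFRESH_CADENCE_DAYS)


def board_metrics(vendors: List[Vendor], ap_payees: List[str], today: date) -> Dict[str, object]:
    """The metrics the post lists for board/committee reporting."""
    live = active(vendors)
    return {
        "active_relationships": len(live),
        "critical_relationships": sum(1 for v in live if v.tier == "critical"),
        "overdue_due_diligence": overdue_refreshes(vendors, today),
        "untiered_relationships": untiered_vendors(vendors),
        "payees_missing_from_inventory": unreviewed_payees(vendors, ap_payees),
        "sla_breaches": sorted(v.name for v in live if v.sla_breaches > 0),
    }


# Constructed sample data: fictitious institutions, vendors and dates.
SAMPLE_VENDORS = [
    Vendor("CoreBank Processing LLC", "critical", date(2021, 3, 1)),
    Vendor("LendFast Fintech", "high", date(2024, 6, 30), sla_breaches=2),
    Vendor("CloudHost Inc", "high", None),
    Vendor("Sparkle Janitorial", "low", None),
    Vendor("Old Marketing Co", "medium", date(2022, 1, 1), terminated=date(2023, 5, 1)),
    Vendor("Metric Analytics", None, None),
]
SAMPLE_AP_PAYEES = [
    "CoreBank Processing LLC", "LendFast Fintech", "cloudhost   inc",
    "Sparkle Janitorial", "Metric Analytics", "DataMine Insights",
]
AS_OF = date(2025, 1, 15)

if __name__ == "__main__":
    for key, value in board_metrics(SAMPLE_VENDORS, SAMPLE_AP_PAYEES, AS_OF).items():
        print(f"{key}: {value}")
```

Run against the sample data, the report shows the same failure points as the MRA earlier in the post: a critical core processor whose due diligence dates from 2021, a high-risk cloud provider with no due-diligence package at all, an analytics firm in the inventory but never tiered, and a payee the bank is paying that the inventory does not know about. Feeding the script a real inventory export and AP payee list is the only change needed to use it for the quarterly reconciliation.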
Frequently Asked Questions
How often should due diligence be refreshed for critical vendors?
At minimum, annually. The 2023 interagency guidance does not prescribe a specific frequency, but examiners expect due diligence to reflect the current state of the relationship. For critical activities, annual refresh of financial statements, SOC reports, insurance certificates, and BCP/DR documentation is the accepted standard. Higher-risk relationships or those with performance concerns may warrant more frequent review.
Does the interagency guidance apply to credit unions?
The 2023 interagency guidance was issued by the OCC, FDIC, and Federal Reserve. The NCUA did not join the interagency statement but has issued its own third-party due diligence expectations in NCUA Letter to Credit Unions 08-CU-09 and subsequent supervisory guidance. Credit unions should expect similar examination focus on third-party risk management, particularly for critical technology service providers examined under the Bank Service Company Act.
What counts as a "critical activity" under the guidance?
The guidance defines critical activities as those that could cause significant risk to the institution if the third party fails to meet expectations - including activities with significant customer impact, activities that require significant investment in resources to implement, and activities that could have significant impact on the institution's finances or operations if the third party's performance is inadequate. Core processing, payment systems, and any function involving significant access to customer NPI typically qualify.
How should institutions handle vendors that refuse to provide SOC reports?
Document the request and the vendor's refusal. Evaluate whether alternative evidence exists (independent security assessments, questionnaire responses, industry certifications). If the vendor is critical or high-risk and cannot provide adequate assurance, escalate the issue to management and the board. The refusal itself is a risk factor that should be reflected in the vendor's risk tier. Examiners understand that not every vendor will cooperate - they want to see that your institution recognized the gap and responded appropriately.
Building a TPRM Program That Survives Examination
A third-party risk management exam tests one core question: does your institution manage third-party relationships with the same discipline it applies to internal operations? The institutions that perform well aren't the ones with the most vendors or the most complex programs. They're the ones that can produce evidence - dated, specific, and tied to a documented process - showing that oversight actually happened.
The 2023 interagency guidance raised the bar, but it also clarified expectations. Institutions that align their TPRM programs to the lifecycle framework, maintain proportionate due diligence, and capture evidence continuously will spend days preparing for exams, not weeks.
Map your vendor oversight obligations to executable tasks with built-in evidence capture. See how Canarie helps institutions stay TPRM exam-ready without the pre-exam scramble → Learn more