Every community bank relies on third parties: core processors, IT providers, loan origination platforms, BSA/AML monitoring vendors, cloud services, payment processors, and dozens more. The 2023 interagency guidance on third-party relationships makes clear that regulators view these relationships as extensions of the bank itself: the bank retains full responsibility for any activity conducted through a third party, as if the bank had performed it directly. Examiners evaluate whether your bank manages third-party risk with the same rigor it applies to in-house operations. This guide covers what the guidance requires, what examiners test, and where community banks most often fall short.
Key Takeaways:
- The 2023 interagency guidance (OCC Bulletin 2023-17 / FDIC FIL-29-2023 / Federal Reserve SR 23-4) applies to all third-party relationships, with expectations scaled to the risk of each relationship
- Banks must perform due diligence before entering a relationship, include specific protective provisions in contracts, and conduct ongoing monitoring
- "Critical activities", functions that could cause significant harm if disrupted or performed poorly, receive the highest scrutiny
- The bank cannot transfer responsibility to the vendor; examiners hold the bank accountable for vendor performance
The 2023 Interagency Guidance Framework
In June 2023, the OCC, FDIC, and Federal Reserve jointly issued comprehensive guidance on managing risks from third-party relationships:
- OCC Bulletin 2023-17: Third-Party Relationships: Interagency Guidance on Risk Management
- FDIC FIL-29-2023: Interagency Guidance on Third-Party Relationships: Risk Management
- Federal Reserve SR 23-4: Interagency Guidance on Third-Party Relationships: Risk Management
The three issuances carry the same guidance text; the agencies coordinated to issue it jointly. It replaced each agency's earlier separate guidance, including the OCC's standalone OCC Bulletin 2013-29, and established a consistent interagency standard.
The guidance defines a third-party relationship broadly: any business arrangement between the bank and another entity, by contract or otherwise. This includes outsourcing arrangements, use of independent consultants, networking arrangements, merchant processing, and joint ventures. It explicitly includes fintech partnerships and bank-as-a-service (BaaS) arrangements.
The Third-Party Risk Management Lifecycle
The guidance describes third-party risk management as a lifecycle with five stages. Examiners look for evidence that each stage was performed, not just that the bank reached the end of the cycle.
1. Planning
Before engaging a third party, the bank should:
- Assess whether the activity is appropriate for outsourcing and whether a third party can perform it effectively
- Identify the risks the relationship will introduce (operational, compliance, strategic, credit, reputational)
- Determine whether the activity is a "critical activity": one that could cause significant risk to the bank if the third party fails to meet expectations, experiences a breach, or performs poorly
Critical activities receive the most intensive due diligence, contract protections, and ongoing monitoring. For most community banks, critical activities include core processing, IT infrastructure, BSA/AML monitoring, payment processing, and typically any function with access to sensitive customer data.
2. Due Diligence and Third-Party Selection
Due diligence must occur before entering the relationship, not after. The depth of diligence should match the risk and criticality of the activity. For critical activities, the guidance expects:
Financial condition: Review the third party's audited financial statements. Can it sustain operations and meet its contractual obligations? For smaller vendors, review tax returns or unaudited financials if audited statements aren't available, but document the limitation.
Business experience and reputation: How long has the vendor operated? What is their track record with similar financial institutions? Check references from peer banks.
Information security: Review the vendor's information security program, including SOC 2 reports (Type II preferred), penetration testing results, and incident response procedures. For vendors handling customer data, this is non-negotiable. When reviewing a SOC 2 report, confirm that the report period is recent, that the services and locations your bank actually uses are in scope, that any exceptions or qualified opinion have been evaluated, and that your bank has implemented the complementary user entity controls the report assumes. Ask for a bridge letter covering any gap between the end of the report period and the date of your review.
Compliance management: Does the vendor have programs for the regulatory requirements relevant to the outsourced activity? For a BSA/AML monitoring vendor, this means compliance with FinCEN expectations. For a consumer lending platform, this means ECOA, TILA, and FCRA compliance.
Business continuity and disaster recovery: Review the vendor's BCP/DR plans and testing results. If the vendor goes down, what happens to the bank's operations?
Subcontracting practices: Who does the vendor rely on? Fourth-party (subcontractor) risk is the bank's risk. If the vendor outsources a critical function to a subcontractor, the bank needs to understand that chain.
Examination finding: The most common due diligence deficiency is conducting it after the contract is signed, or relying on the vendor's marketing materials instead of substantive documentation. Examiners will check the timeline: due diligence should predate contract execution.
3. Contract Negotiation
The contract is the bank's primary tool for managing third-party risk. The guidance identifies specific provisions that contracts should include, especially for critical activities:
Scope and nature of the activity: Clear description of what the vendor will do, to what standards, and within what timeframes.
Performance measures and benchmarks: Service level agreements (SLAs) with measurable standards: uptime, processing accuracy, response times. Vague SLAs like "reasonable performance" give the bank no enforcement mechanism.
Right to audit: The bank's right to audit the vendor's operations, compliance, and information security, either directly or through a qualified third party. This provision is essential and often missing from standard vendor contracts.
Data ownership and protection: Clear statement that the bank owns the data, the vendor will protect it according to specified standards, and the vendor will return or destroy data upon termination. Include specific breach notification requirements: what constitutes a breach, how quickly the vendor must notify the bank, and what information must be provided. Set the vendor's notification deadline so the bank can meet its own obligations; under the interagency Computer-Security Incident Notification Rule, a bank must notify its primary federal regulator within 36 hours of determining that a notification incident has occurred, and bank service providers must notify affected bank customers as soon as possible after a computer-security incident that has materially disrupted or degraded covered services for four or more hours.
Compliance obligations: The vendor's obligation to comply with applicable laws and regulations, and to cooperate with the bank's regulators. Include the regulators' right to examine the vendor's activities as they relate to the bank; under the Bank Service Company Act, services performed for a bank by a third party are subject to regulation and examination as if the bank performed them itself, and the contract should acknowledge this.
Business continuity: The vendor's obligation to maintain and test business continuity and disaster recovery plans.
Subcontracting limitations: Restrictions on the vendor's ability to subcontract critical functions without the bank's consent, and the bank's right to approve subcontractors.
Termination provisions: The bank's right to terminate the relationship for cause (material breach, regulatory concern, financial deterioration) and for convenience, with reasonable transition periods and data return obligations. Include the bank's right to terminate if a regulator deems the relationship unsafe or unsound.
Indemnification and limits of liability: The vendor's obligation to indemnify the bank for losses resulting from the vendor's negligence or breach. Pay attention to liability caps: a vendor that caps liability at the annual contract value may leave the bank exposed for a data breach that costs multiples of that amount. Negotiate to carve data protection, confidentiality, and regulatory-fine exposure out of the general cap, or to set a separately negotiated higher cap for them.
4. Ongoing Monitoring
Due diligence doesn't end at contract signing. The guidance requires ongoing monitoring throughout the life of the relationship, with the intensity proportional to the risk.
For critical activities, ongoing monitoring should include:
- Regular performance reviews against SLA benchmarks
- Annual review of the vendor's financial condition
- Annual review of SOC reports and information security assessments
- Review of the vendor's business continuity testing results
- Monitoring regulatory and legal developments affecting the vendor or the outsourced activity
- Review of complaint data related to the vendor's services
- Assessment of subcontractor changes
- Periodic on-site visits or virtual reviews for the most critical relationships
Common monitoring failure: Banks perform thorough initial due diligence but never revisit it. A SOC 2 report from three years ago doesn't reflect the vendor's current security practices, and the vendor's financial condition may have deteriorated. Examiners specifically check whether monitoring is ongoing, not just initial, and whether the evidence on file is current.
5. Termination
The guidance requires banks to plan for termination before it happens. Termination planning should address:
- Data transition: How will data be migrated to a new provider? What format? What timeline?
- Customer impact: Will customers experience service disruptions?
- Regulatory notifications: Are any regulatory notifications required?
- Contract wind-down: What are the contractual termination provisions, notice periods, and fees?
- Intellectual property and data return: Ensure the bank receives all its data and that the vendor destroys its copies
Banks that don't plan for termination discover the problem when they need to leave a vendor under pressure (a security breach, financial failure, or regulatory concern) and find they have no transition plan.
Concentration Risk
The 2023 guidance addresses concentration risk: the risk that a bank's dependence on a single vendor or a small number of vendors creates vulnerability. If one vendor provides your core processing, online banking, mobile banking, and payment processing, the failure of that vendor would be catastrophic.
Examiners evaluate whether the bank has:
- Identified relationships where a single vendor failure would significantly disrupt operations
- Assessed the feasibility of replacing critical vendors
- Considered whether contingency plans exist if a critical vendor fails
- Evaluated whether the bank's reliance on a single vendor gives that vendor disproportionate negotiating power
Concentration risk also extends to fourth parties. If many banks use the same vendor, and that vendor relies on a single cloud provider, a failure at the cloud provider could disrupt many institutions at once. The guidance asks banks to understand these dependencies.
Subcontractor (Fourth-Party) Oversight
Fourth-party risk (the risk introduced by your vendor's vendors) received heightened attention in the 2023 guidance. Banks must understand:
- What functions the vendor subcontracts
- Who the significant subcontractors are
- What the vendor's oversight of its subcontractors includes
- Whether the bank has any visibility into subcontractor performance
This doesn't mean the bank must conduct full due diligence on every subcontractor. It means the bank must understand the vendor's subcontracting practices and ensure the vendor manages subcontractor risk appropriately. For critical activities, the bank should know who the key subcontractors are and what backup plans exist if a subcontractor fails.
What Examiners Actually Test
During a third-party risk management examination, examiners typically:
- Request the bank's vendor inventory: a list of all third-party relationships, risk-ranked by criticality
- Select a sample of critical and high-risk relationships for detailed review
- Review due diligence documentation: was it performed before contract execution? Does it address financial condition, information security, compliance, and business continuity?
- Review contracts for the required protective provisions, particularly audit rights, data protection, breach notification, and termination
- Review ongoing monitoring evidence: SOC report reviews, performance assessments, financial condition updates
- Evaluate board and management reporting: does the board receive information about third-party risks and monitoring results?
- Assess concentration risk: is the bank overly dependent on a single vendor?
For a deeper look at how to prepare for third-party risk examination, see our third-party risk management exam preparation guide.
How Canarie Helps Banks Manage Third-Party Risk
Third-party risk management generates a recurring cycle of obligations: annual due diligence updates, SOC report reviews, contract renewal assessments, performance evaluations, and board reporting. Across dozens of vendor relationships, tracking these manually through spreadsheets and shared drives creates gaps that examiners find.
Canarie maps each vendor relationship to a set of recurring compliance tasks: due diligence review dates, SOC report collection deadlines, performance assessment schedules, and contract renewal milestones. Each completed task captures evidence (the reviewed SOC report, the documented performance assessment, the board presentation). When your examiner pulls a sample of critical vendor relationships, every obligation has a documented trail.
See how Canarie helps banks manage vendor compliance obligations →
Frequently Asked Questions
Does the 2023 interagency guidance apply to all vendor relationships, even small ones?
Yes, the guidance applies to all third-party relationships. However, it explicitly states that risk management practices should be commensurate with the level of risk and complexity of each relationship. A low-risk vendor (e.g., an office supply company) doesn't require the same due diligence, contract provisions, or monitoring as a core processor. Banks should risk-rank their vendor relationships and apply proportional oversight. Critical activities require the full range of due diligence, contract protections, and ongoing monitoring. Lower-risk relationships can be managed with less intensity.
What is the difference between OCC 2023-17 and the previous OCC 2013-29 guidance?
OCC Bulletin 2023-17 replaced OCC Bulletin 2013-29 and was issued jointly with the FDIC and Federal Reserve, creating a unified interagency standard for the first time. The 2023 guidance is generally consistent with 2013-29 but includes expanded discussion of fintech partnerships, BaaS arrangements, concentration risk, and subcontractor (fourth-party) oversight. It also provides more detailed guidance on the lifecycle approach (planning through termination) and emphasizes that the guidance applies to all business arrangements, not just traditional outsourcing.
How should a community bank handle a vendor that refuses to provide a SOC 2 report?
A vendor's refusal to provide a SOC 2 report (or equivalent security assessment) is a significant red flag, particularly for vendors handling customer data or performing critical activities. The bank should document the request and refusal, assess alternative sources of assurance (the vendor's own security questionnaire responses, independent penetration testing results, or regulatory examination reports), and evaluate whether the relationship presents acceptable risk without independent security assurance. For critical activities, the absence of a SOC 2 report should weigh heavily in the due diligence assessment and may warrant finding an alternative vendor.
Does the interagency guidance require banks to conduct on-site vendor visits?
The guidance does not mandate on-site visits but identifies them as one component of effective ongoing monitoring, particularly for critical activities. Whether an on-site visit is necessary depends on the risk and criticality of the relationship, the availability of other monitoring information (SOC reports, performance data, financial statements), and whether concerns have arisen that warrant direct observation. Community banks with limited resources may prioritize on-site visits for their most critical vendor relationships (typically core processing and IT infrastructure) and rely on documentation review for lower-risk relationships.