Identifying a vendor risk is the easy part. The hard part, and the part examiners actually test, is proving you tracked each third-party issue to verified closure. A risk assessment that flags a control gap at a critical vendor, followed by no documented remediation, is worse than no assessment at all: it shows you knew about the problem and let it sit. Effective vendor remediation tracking turns identified issues into a documented lifecycle, from finding to assigned owner to corrective action to evidence that the fix worked.
Key Takeaways:
- Examiners hold the bank, not the vendor, responsible for resolving third-party risk findings
- Remediation must be tracked to verified closure, not just logged as "in progress" indefinitely
- Each vendor issue needs a named owner, a corrective action, a due date, and evidence the control now works
- "Closed" should mean independently verified, not self-reported by the vendor
- Open, aging vendor findings with no documented progress are a frequent examination criticism
Why Vendor Remediation Is the Bank's Problem
Under the interagency Guidance on Third-Party Relationships: Risk Management, a bank's use of a third party does not reduce its responsibility for the activity. When due diligence or ongoing monitoring surfaces a deficiency at a vendor, the bank owns the obligation to ensure it gets fixed. You cannot point at the vendor and call it their problem.
This is why remediation tracking sits at the center of third-party risk management. The risk assessment and the contract establish expectations; remediation tracking proves you enforced them when a control fell short. Examiners reviewing third-party risk management, as covered in our third-party risk management exam preparation guide, look for evidence that identified issues were driven to resolution, not just documented and forgotten.
The Vendor Remediation Lifecycle
A defensible remediation process moves every vendor issue through the same stages, with evidence at each one.
1. Identify and Rate
The issue is documented with enough specificity to act on: what control failed, at which vendor, affecting what activity, and how severe. Severity should reflect the vendor's criticality. A control gap at a vendor handling customer data or core processing carries more urgency than one at a low-risk supplier.
2. Assign Ownership
Every issue gets a named internal owner, not a department, with the authority to drive the fix. The owner is accountable for the corrective action and for obtaining evidence of closure. Ambiguous ownership is the most common reason remediation stalls.
3. Define the Corrective Action and Due Date
The remediation plan states specifically what the vendor (or the bank) will do, by when. Vague commitments like "vendor will improve controls" are not trackable. The action and the date are what you monitor against.
4. Track Progress Against the Date
Open issues are reviewed on a cadence proportionate to severity. Aging items get escalated. This is where many programs fail: issues are opened and then left in "in progress" with no movement, which is exactly what examiners flag.
5. Verify and Close
Closure requires evidence that the control now works, ideally independently verified rather than taken on the vendor's word. A vendor's email saying "fixed" is an assertion. A re-tested control, an updated SOC report, evidence of the corrected process, or confirmation through monitoring is proof. The principle is the same one that prevents repeat exam findings: self-reported closure that isn't verified tends to reopen.
6. Retain the Record
The full lifecycle record (finding, owner, corrective action, dates, and verification evidence) is retained so it can be produced for examiners and used for ongoing oversight.
What "Closed" Should Actually Mean
The single most common weakness in vendor remediation is treating "closed" as a status someone sets rather than a conclusion someone proves. A finding marked closed without supporting evidence is, from an examiner's perspective, still open.
Closure should require:
- A documented corrective action that addresses the root cause, not just the symptom
- Evidence the action was completed, such as an updated report, a re-test result, or revised documentation
- Independent confirmation where the risk warrants it, rather than relying solely on the vendor's self-attestation
- A closure date and the person who verified it
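The lifecycle stages above and the closure criteria in this list, encoded as a small remediation tracker. This is an added example, not code from the original page or from Canarie; the accepted evidence types, the severity-to-due-date horizons, the department names rejected as owners, and the 30-day staleness threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Evidence the page treats as proof of closure; a vendor's "fixed" email is an
# assertion, so it is deliberately absent from this set (assumed type names)
PROOF_TYPES = {"retest", "soc_report", "revised_documentation", "monitoring_confirmation"}
# Hypothetical due-date horizons in days, proportionate to severity
SLA_DAYS = {"critical": 30, "high": 60, "moderate": 90, "low": 180}
# Constructed list of department names that must not be used as an owner
DEPARTMENTS = {"vendor management", "compliance", "it", "third party risk"}

@dataclass
class Finding:
    vendor: str
    control_gap: str
    severity: str
    owner: str                      # a named person, never a department
    corrective_action: str
    opened: date
    due: date = None                # derived from severity if not given
    status: str = "open"
    progress: list = field(default_factory=list)   # (date, note) entries
    evidence: list = field(default_factory=list)   # (type, description, independent)
    closed_on: date = None
    verified_by: str = None

    def __post_init__(self):
        if self.owner.strip().lower() in DEPARTMENTS:
            raise ValueError("owner must be a named person, not a department")
        if self.due is None:
            self.due = self.opened + timedelta(days=SLA_DAYS[self.severity])

def close_finding(f, evidence_type, description, independent, verified_by, on):
    """Closure is gated on proof, and on independent verification for critical items."""
    if evidence_type not in PROOF_TYPES:
        raise ValueError(f"'{evidence_type}' is an assertion, not evidence of closure")
    if f.severity == "critical" and not independent:
        raise ValueError("critical findings require independently verified closure")
    f.evidence.append((evidence_type, description, independent))
    f.status, f.closed_on, f.verified_by = "closed", on, verified_by
    return f

def aging_findings(findings, today, stale_after=30):
    """Open items that are past due or show no documented progress in stale_after days."""
    out = []
    for f in findings:
        if f.status != "open":
            continue
        last_activity = max([d for d, _ in f.progress], default=f.opened)
        if today > f.due or (today - last_activity).days > stale_after:
            out.append(f)
    return out
```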
When closure carries this weight, your remediation log becomes evidence of effective oversight. When it doesn't, the log is a list of unverified assertions that an examiner will probe. For how this connects to proving control effectiveness broadly, see examiner-ready evidence requirements.
Common Vendor Remediation Failures
Examination criticisms in this area are predictable:
- Aging open items. Findings sit in "in progress" for months with no documented activity.
- No owner. Issues are assigned to "vendor management" rather than a person, so no one drives them.
- Self-reported closure. Items are closed on the vendor's say-so without independent verification.
- Severity blind spots. A control gap at a critical vendor is tracked with the same urgency as a minor one.
- Disconnected records. Remediation lives in email threads and spreadsheets, so no one can produce a complete picture on demand.
- No link to monitoring. Once closed, nothing watches for the issue to recur at the vendor.
Each of these is a tracking and evidence problem more than a risk-assessment problem. The risk was identified; the failure was in driving it to verified resolution. Managing this across a portfolio of vendors, or fintech partners for a sponsor bank, multiplies the challenge, as discussed in managing fintech partner compliance at scale.
Building Remediation That Survives an Exam
The institutions that handle vendor remediation well share a common discipline. Every third-party issue enters a single system the moment it's identified. It gets a named owner, a specific corrective action, and a due date tied to severity. Progress is reviewed on a cadence, and aging items escalate automatically. Closure requires evidence, and that evidence is retained against the original finding.
The payoff comes at exam time. When an examiner asks about your third-party risk findings and their resolution, you produce a complete record: what was found, who owned it, what was done, when it closed, and how closure was verified, across the entire vendor portfolio. That record is the difference between demonstrating effective oversight and explaining why a known issue went unaddressed.
Frequently Asked Questions
Who is responsible for vendor remediation, the bank or the vendor?
The bank. Interagency guidance is clear that using a third party does not reduce the bank's responsibility for the activity. When a deficiency is identified at a vendor, the bank owns the obligation to ensure it is remediated and to verify the fix, even though the vendor may perform the actual corrective work.
What does it mean to track a vendor issue to closure?
It means moving each identified issue through a documented lifecycle: assigning a named owner, defining a specific corrective action and due date, monitoring progress, and closing only when there is evidence the control now works. Closure should be verified, not self-reported by the vendor.
How should vendor remediation closure be verified?
Through evidence rather than assertion. Acceptable proof includes a re-tested control, an updated SOC or audit report, revised documentation, or confirmation through ongoing monitoring. Independent verification is especially important for critical vendors, where relying on the vendor's self-attestation alone is a frequent examination criticism.
What do examiners look for in vendor remediation?
Examiners look for evidence that identified third-party issues were driven to verified closure: a named owner, a specific corrective action, due dates proportionate to severity, documented progress, and proof the control works. Aging open items with no activity and closures with no supporting evidence are common findings.
How is vendor remediation different from internal remediation?
The lifecycle is similar, but the bank often depends on the vendor to perform the actual fix while remaining accountable for the outcome. This makes ownership clarity, contractual leverage, and independent verification of the vendor's work especially important, since you cannot directly control the third party's process.
Close the Loop on Every Vendor Issue
Vendor risk management is judged on resolution, not discovery. Identifying a control gap and failing to drive it to verified closure is the pattern examiners criticize most, because it shows oversight without follow-through.
Canarie tracks every third-party issue from identification through assigned ownership, corrective action, and verified closure, with the evidence assembled and exportable for examiners across your entire vendor portfolio.