
Third-Party Risk Management: What It Is, What Regulators Expect, and What Gets You Cited

Also known as: TPRM

Third-Party Risk Management (TPRM) is the framework of policies, due diligence, and ongoing monitoring that regulated financial institutions apply to vendors, service providers, and outsourcing partners. It's required under the OCC's 2023 interagency guidance on third-party relationships, the EBA's outsourcing guidelines (EBA/GL/2019/02), and DORA, which took effect in January 2025.

What is Third-Party Risk Management?

Third-Party Risk Management, or TPRM, is the process through which a regulated financial institution identifies, assesses, monitors, and controls the risks introduced by external parties: vendors, technology providers, outsourced service providers, sub-processors, and fourth-party suppliers further down the chain.

The scope is wide. A bank's TPRM program covers the cloud infrastructure provider storing transaction records, the payment processor handling customer funds, the KYC vendor running identity checks at onboarding, and the agent network distributing financial products in emerging markets. The risk may originate in the third party's systems, but it materializes on your institution's books when those systems fail or facilitate financial crime.

From a regulatory standpoint, TPRM sits in the operational resilience stack. Banks are responsible for risks their third parties introduce, even when the third party causes the failure. The OCC stated this plainly in its 2013-29 bulletin: banks must apply "the same level of risk management to third-party relationships as they would to activities conducted in-house."

The 2023 interagency guidance from the OCC, FDIC, and Federal Reserve extended this framework, adding explicit coverage for fintech partnerships, banking-as-a-service arrangements, and critical service providers. It introduced a "critical activity" threshold: functions that, if disrupted, would significantly affect the institution's operations, customers, or financial stability.

TPRM is distinct from vendor management. Vendor management handles procurement, pricing, and contract terms. TPRM manages the full risk lifecycle: pre-contract due diligence, contract risk provisions, ongoing monitoring, performance reviews, exit planning, and incident response. A mature program treats the relationship as a continuous exercise, not a one-time assessment at contract signing.


Why is Third-Party Risk Management required?

The regulatory case for TPRM is strong and growing. In the US, the OCC's original 2013-29 bulletin set the framework. The 2023 joint interagency guidance updated it, requiring heightened oversight for "critical activities" and addressing new arrangements such as banking-as-a-service that earlier guidance didn't anticipate.

In the EU, the EBA's guidelines on outsourcing (EBA/GL/2019/02) require a complete register of all outsourcing arrangements, classification by criticality, and evidence that governance doesn't stop at the contract boundary. DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), applicable from January 2025, goes further for ICT third-party risk: mandatory contractual provisions, concentration risk assessments, and direct supervisory oversight of Critical ICT Third-Party Providers.

From an AML and financial crime perspective, FATF Recommendation 1 requires that institutions factor third-party exposure into their overall risk assessment under the risk-based approach. If a payment processor in your network routes funds through high-risk jurisdictions, that's your institution's risk to own. FATF Recommendation 13 sets specific expectations for correspondent banking, which is structurally a form of third-party risk: the correspondent bank's customers become your indirect exposure.

In the UK, the FCA's Policy Statement PS21/3 on operational resilience requires firms to identify important business services and demonstrate continuity, including for third-party dependencies. The PRA's Supervisory Statement SS2/21 mirrors this for banks and insurers.

Non-compliance is expensive. Third-party oversight failures have driven some of the largest AML enforcement actions in the last decade, and regulators show no signs of softening their expectations here.


What do regulators expect to see?

Examiners arrive expecting documentation, not intent. The standard request list for TPRM typically covers:

A written TPRM policy. Board-approved, updated within the past 12 months, covering the full lifecycle from identification through termination. Sub-policies for critical vendors and material outsourcing arrangements are expected separately.

A complete third-party inventory. Every active third-party relationship in a classified register, including fourth-party sub-processors for critical functions. Each entry should carry a criticality classification, last review date, and scheduled next review. Gaps in the inventory are an immediate finding.

Pre-contract due diligence documentation. For each vendor in scope, examiners want evidence that due diligence was completed before the contract was signed. For critical vendors, this typically includes financial health assessments, SOC 2 Type II reports, cyber security assessments, AML program reviews, and Customer Due Diligence (CDD) checks on the vendor entity where the vendor performs financial services functions.

Contracts with risk provisions. Audit access rights, data protection clauses, security incident notification obligations, business continuity requirements, and termination rights triggered by regulatory action against the vendor. The 2023 interagency guidance includes an explicit checklist of expected contractual elements.

Ongoing monitoring records. Periodic performance reviews with documented evidence of completion. Critical vendors typically require quarterly or annual reviews; lower-risk vendors annually or biennially. Examiners look for evidence of issues raised, escalations, and management responses.

Concentration risk analysis. Particularly for cloud and technology providers. DORA requires explicit quantification and board-level reporting of ICT third-party concentration risk.

Tested exit plans. Documented contingency arrangements for vendor failure, with evidence of tabletop exercises or actual tests within the past 12 months.

Board and senior management engagement is a governance signal. TPRM programs that exist only in procurement teams, without executive visibility, draw supervisory concern during examinations.


What does good Third-Party Risk Management look like?

A mature TPRM program runs as a continuous cycle, not a periodic checkbox. Here's what best practice looks like in practice:

  1. Risk-tier the vendor population before applying controls. Classify every third party by criticality and inherent risk. High-risk, critical vendors get full due diligence; lower-tier vendors receive proportionate oversight. The OCC's 2023 interagency guidance and the Wolfsberg Group's correspondent banking principles both endorse tiered approaches as the right starting point.

  2. Conduct due diligence before contract signing, not after. For critical vendors, this means financial stability review, cyber security assessment, AML program review, and sanctions and PEP screening of the vendor entity itself. Running due diligence after signing is common. It's also indefensible under the OCC and EBA frameworks.

  3. Build risk requirements into contracts. Audit rights, right to information, security incident notification timelines, and termination rights in the event of regulatory action against the vendor. The EBA's outsourcing guidelines include a mandatory checklist of contractual provisions that examiners check against.

  4. Monitor continuously, not just at renewal. Set automated triggers for events such as a drop in the vendor's credit rating, adverse news about the vendor, or a regulatory action announced against it. Adverse Media Screening of your vendor population is now an examiner expectation. Ongoing monitoring must produce documented evidence, not just informal awareness.

  5. Test exit and contingency plans annually. The question isn't whether a plan exists on paper. It's whether it's been tested. Examiners in the UK and EU explicitly require evidence of tests under operational resilience frameworks, and DORA reinforces this for ICT providers.

  6. Report to the board. Quarterly TPRM management information should reach senior management. Annual board-level reporting should cover critical vendor exposure, concentration risk, and material issues from the year. If the board doesn't know who your critical third parties are, your program isn't mature.

The Basel Committee's Principles for the Sound Management of Operational Risk (BCBS 261) reinforces the continuous-cycle model for operational risk, including third-party exposure, and remains a key reference document for supervisors globally.


Common audit findings and exam citations

We've seen banks cited for third-party risk failures that cluster around predictable patterns.

Incomplete vendor inventories. Examiners find vendors actively processing customer data or executing critical functions that don't appear in the TPRM register. This happens when business lines onboard vendors without involving risk or compliance. FinCEN's 2023 AML national priorities call out deficiencies in identifying third-party exposure as a recurring supervisory concern.

No ongoing monitoring. Due diligence was done at onboarding, but there's no evidence of annual reviews, no adverse media process, and no mechanism for flagging security incidents at vendor sites. The OCC's Semiannual Risk Perspective has cited this pattern across multiple examination cycles.

Agent network failures. Banks using agent networks for remittances or cash services have faced enforcement when those agents facilitated financial crime without adequate oversight. The HSBC 2012 enforcement action included findings about inadequate oversight of correspondent relationships and the bank's Mexican affiliate. The resulting $1.9 billion settlement was, at the time, the largest AML-related penalty in US history.

Correspondent banking gaps. The Danske Bank 2018 enforcement action is the most documented case of third-party risk failure via correspondent accounts. Approximately €200 billion flowed through the Estonia branch's non-resident portfolio, largely through accounts whose beneficial ownership wasn't verified. Correspondent relationships are third-party relationships. They require the same controls.

Weak exit planning. Several European institutions received findings after operational resilience assessments revealed that critical vendor contracts lacked workable termination rights or data portability provisions.

Cloud concentration risk is emerging as the next examination focus. DORA's supervisory provisions put ICT third-party concentration squarely on examiners' agendas, and the first supervisory reviews of Critical ICT Third-Party Providers are expected to begin in 2025.


Metrics and KPIs

Measuring TPRM health requires tracking across the entire vendor lifecycle.

Coverage rate. The percentage of active third parties with a completed, current risk assessment on file. Target: 100% of critical and high-risk vendors. Gaps in coverage are examiner red flags, particularly for vendors processing personal data or executing financial functions.

Overdue review rate. The percentage of vendors past their scheduled review date, segmented by criticality tier. For critical vendors, even 5% overdue represents meaningful exam risk. Track this monthly.

Due diligence cycle time. How long it takes from vendor identification to completed risk assessment and contract execution. Cycle times longer than target often reveal that business lines are bypassing TPRM, onboarding vendors informally rather than waiting for the assessment to complete. A reasonable target for critical vendors is 30 to 45 days.

Issue rate and resolution time. The number of material issues identified during ongoing monitoring (contract breaches, failed SLAs, security incidents, regulatory actions against the vendor) and average days to resolution. High volumes with slow resolution indicate governance problems.

Concentration exposure. Measured as the percentage of revenue, critical business services, or customer accounts dependent on a single third party or a group of related parties. DORA requires explicit quantification and board-level reporting of ICT concentration risk.

Adverse media alert volume and disposition. Total alerts generated against the vendor population per quarter, percentage investigated, and percentage leading to escalated reviews or contract actions.

Exit plan test completion rate. Percentage of critical vendor exit plans formally tested in the past 12 months. Untested exit plans don't meet the FCA's operational resilience standard or DORA's requirements.

Present these metrics quarterly to senior management. Board-level reporting should cover coverage rates, critical vendor issues, concentration exposure, and any material incidents from the period.
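As an added example (not part of the original page or of FluxForce's product), the coverage rate, overdue review rate by tier, and concentration exposure defined above, computed over a constructed vendor register. The review intervals per tier, vendor names, services and dates are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
# Assumed review interval per tier: the page cites quarterly/annual reviews for
# critical vendors and annual/biennial for lower tiers; these are example choices.
REVIEW_INTERVAL_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 730}

@dataclass(frozen=True)
class Vendor:
    name: str
    tier: str
    assessment_complete: bool    # completed risk assessment on file
    last_review: Optional[date]  # None: no ongoing review ever recorded
    services: frozenset          # important business services it supports

def is_overdue(v: Vendor, as_of: date) -> bool:
    if v.last_review is None:
        return True  # a vendor never reviewed counts as overdue, not as unknown
    return (as_of - v.last_review).days > REVIEW_INTERVAL_DAYS[v.tier]

def coverage_rate(vendors: List[Vendor], as_of: date, tiers=("critical", "high")) -> float:
    """% of in-scope vendors with a completed AND current risk assessment."""
    in_scope = [v for v in vendors if v.tier in tiers]
    covered = [v for v in in_scope if v.assessment_complete and not is_overdue(v, as_of)]
    return 100.0 * len(covered) / len(in_scope) if in_scope else 100.0

def overdue_rate_by_tier(vendors: List[Vendor], as_of: date) -> Dict[str, float]:
    """% of vendors past their scheduled review date, segmented by tier."""
    rates = {}
    for tier in REVIEW_INTERVAL_DAYS:
        group = [v for v in vendors if v.tier == tier]
        if group:
            rates[tier] = 100.0 * sum(is_overdue(v, as_of) for v in group) / len(group)
    return rates

def concentration_exposure(vendors: List[Vendor]) -> Dict[str, float]:
    """% of all important business services that depend on each single vendor."""
    all_services = set().union(*(v.services for v in vendors))
    total = len(all_services) or 1  # avoid division by zero on an empty register
    return {v.name: 100.0 * len(v.services) / total for v in vendors}

# Constructed sample register (illustrative names and dates, not real vendors).
AS_OF = date(2025, 6, 30)
REGISTER = [
    Vendor("CloudCo", "critical", True, date(2024, 9, 15), frozenset({"payments", "ledger", "onboarding"})),
    Vendor("PayProc", "critical", True, date(2024, 3, 1), frozenset({"payments"})),
    Vendor("KYCVendor", "high", False, None, frozenset({"onboarding"})),
    Vendor("AgentNet", "high", True, date(2025, 1, 10), frozenset({"remittances", "cash_services"})),
    Vendor("OfficeSup", "low", True, date(2023, 1, 1), frozenset()),
]
```

On this register the critical tier is already at 50% overdue, well past the 5% threshold the text treats as meaningful exam risk, and a single cloud provider carries 60% of the important business services.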


How Third-Party Risk Management connects to other controls

TPRM doesn't run in isolation. It feeds into several controls and draws from enterprise risk assessment.

The most direct dependency is on customer due diligence and KYC. When a third party performs identity verification or customer onboarding on your behalf, their KYC standards become your KYC standards. Delegation doesn't transfer liability. FATF Recommendation 17 is explicit: institutions relying on third parties for CDD must satisfy themselves that those third parties apply equivalent standards and can provide records on demand.

Transaction Monitoring connects directly to agent and correspondent networks. If an agent is generating unusual transaction patterns, those patterns must surface in your monitoring system, not just the agent's. Visibility gaps in third-party transaction data are a primary channel through which typologies like Money Mule Networks exploit the boundaries between an institution and its partners. The mule account sits at the agent or correspondent; the originating bank sees only the inbound transfer.

Sanctions screening of the vendor entity itself is an often-missed TPRM control. You need to screen vendor entities, their beneficial owners, and key personnel against OFAC, UN, and EU consolidated lists before onboarding and on an ongoing basis. Engaging a sanctioned entity as a technology or service provider creates direct regulatory exposure, separate from any AML risk.

At the typology level, third-party arrangements are frequently used to add distance between an institution and the underlying scheme, whether through layering across correspondent chains or through agent networks used to aggregate and transfer illicit funds.

Strong TPRM programs share assessment outputs with the AML function, so third-party risk profiles inform alert calibration and support detection of cross-channel patterns that would be invisible from either side alone.


How FluxForce supports Third-Party Risk Management

FluxForce's AI agents monitor third-party activity in real time, detecting behavioral anomalies across agent networks, correspondent accounts, and vendor-routed transactions. Nova Sentinel applies continuous adverse media monitoring to your vendor population, surfacing regulatory actions and ownership changes as they happen. Aiden Flux generates audit-ready evidence packages for every third-party alert, with full decision trails that satisfy examiner requests without manual work. The platform's configurable autonomy settings let compliance teams define escalation thresholds and intervention points. Request a demo to see how FluxForce maps to your TPRM controls.

How FluxForce strengthens Third-Party Risk Management

FluxForce AI agents operate Third-Party Risk Management in real time, capture audit-ready evidence automatically, and surface the gaps examiners cite before they become findings.
