US-FRB operational resilience

SR 23-4: What It Requires and Who It Applies To

Applies to: banks
Jurisdictions: US

SR 23-4 is interagency supervisory guidance issued jointly by the Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC on June 6, 2023, requiring U.S. banking organizations to establish a formal, risk-based program for managing all third-party relationships across their full lifecycle. It applies to every institution supervised by those three agencies, regardless of size, and replaces three separate predecessor guidance documents issued in 2013.

What is SR 23-4?

SR 23-4 is the Federal Reserve's designation for "Interagency Guidance on Third-Party Relationships: Risk Management," published jointly with the OCC and FDIC on June 6, 2023. It consolidates three predecessor documents: OCC Bulletin 2013-29, Federal Reserve SR 13-19, and FDIC FIL-44-2008, which had produced inconsistent examiner expectations across agencies over the prior decade.

The core requirement is straightforward. Banking organizations must manage all third-party relationships through a structured, risk-based program that covers the full relationship lifecycle: planning before entering an arrangement, due diligence before signing, contract negotiation, ongoing monitoring, and documented termination planning.

The word "all" matters. Prior guidance was sometimes read narrowly as covering technology outsourcing or core processing vendors only. SR 23-4 is explicit that the framework applies to any arrangement where a third party performs activities on the bank's behalf. That scope reaches fintech partners under Banking as a Service (BaaS) models, cloud providers, data aggregators, managed security service providers, and subcontractors engaged by the bank's primary vendors without the bank's direct knowledge.

Why 2023? Two dynamics converged. BaaS partnerships had grown rapidly after 2018, with community and mid-size banks sponsoring fintech front-ends that handled Know Your Customer (KYC) and deposit servicing, often without proportionate oversight infrastructure behind them. At the same time, the agencies recognized that three separate guidance documents were producing inconsistent examination results. Consolidation was overdue. The Federal Reserve published the final guidance at federalreserve.gov.


Who does SR 23-4 apply to?

SR 23-4 covers all banking organizations supervised by the three issuing agencies:

  • Federal Reserve-supervised entities: State member banks, bank holding companies, savings and loan holding companies, and U.S. branches of foreign banking organizations
  • OCC-supervised entities: National banks, federal savings associations, and federal branches of foreign banks (see OCC Bulletin 2023-17)
  • FDIC-supervised entities: State non-member banks, state savings associations, and insured branches of foreign banks (see FDIC FIL-29-2023)

There's no asset-size floor. A $150 million community bank and a $2 trillion G-SIB are both in scope. The guidance applies proportionality: smaller institutions implement simpler programs, but they still need a complete vendor inventory, documented risk tiering, due diligence for critical relationships, and contracts with required provisions. Proportionality is not an exemption.

Third parties covered include:

  • Core banking system providers
  • Cloud infrastructure providers (AWS, Azure, Google Cloud)
  • Fintech partners operating under BaaS sponsorship arrangements
  • Subcontractors engaged by the bank's primary vendors
  • Data aggregators and open banking intermediaries
  • Credit bureau vendors and fraud detection tool providers
  • Managed security service providers
  • Affiliates performing material banking functions

The guidance uses "critical activities" to describe arrangements where failure or disruption would materially harm the bank's operations, finances, or customers. Critical third parties get the deepest scrutiny. The agencies declined to publish a definitive list of what qualifies as critical, leaving banks to document their own risk-tiering methodology and rationale.


What does SR 23-4 require?

The guidance structures obligations across five lifecycle phases:

  1. Planning. Before entering a third-party relationship, the bank must assess whether the arrangement is consistent with its strategy, risk appetite, and applicable law. That includes identifying the specific risks introduced, confirming the bank has the capacity to oversee the third party effectively, and establishing contingency plans if the relationship fails. For arrangements where a vendor will perform Suspicious Activity Report (SAR) filing or transaction monitoring functions, the bank must confirm it retains independent review capability.

  2. Due diligence. Depth scales with criticality. For high-risk and critical relationships, due diligence must cover the vendor's financial health, business continuity and disaster recovery plans, information security posture (SOC 2 Type II or equivalent), the vendor's own subcontractor dependencies, litigation and regulatory history, and concentration risk across the bank's entire vendor portfolio. This must happen before contract execution.

  3. Contract negotiation. Contracts must include the right to audit the third party and its subcontractors, data security requirements, incident notification timelines, business continuity obligations, subcontracting restrictions, dispute resolution mechanisms, termination rights, and data return procedures. Accepting standard vendor SaaS agreements wholesale, without negotiating required provisions, is a common examination finding.

  4. Ongoing monitoring. Banks must run continuous monitoring of third-party financial condition, performance, compliance status, and incident history. For critical vendors, this means periodic re-due-diligence, not a single annual questionnaire. When a material incident occurs, the bank needs documented evidence of its response, not just the vendor's incident report.

  5. Termination. Written exit plans are required for each critical vendor. These plans must address data retrieval, transition to alternative providers, and customer data protection during wind-down. Regulators cited multiple cases where banks couldn't exit vendor relationships cleanly because exit planning had never been done.


What evidence do regulators expect?

Examiners want documented evidence across every lifecycle phase. On examination day, you need:

Governance and oversight:

  • A board-approved third-party risk management (TPRM) policy with a defined risk appetite for vendor concentration and criticality
  • Board and senior management reporting on TPRM program performance, at minimum annually
  • Named ownership of each critical vendor relationship

Inventory and risk tiering:

  • A complete inventory of all third-party relationships, not just technology vendors
  • Written risk-tiering methodology explaining how the bank classifies relationships as critical, high, moderate, or low
  • Evidence the inventory is updated when new relationships begin or existing ones change materially

Due diligence records:

  • Due diligence reports for critical and high-risk vendors, refreshed at contract renewal
  • SOC 2 or equivalent reports reviewed, with the bank's documented responses to exceptions noted
  • Subcontractor lists obtained from critical vendors, with evidence the bank assessed fourth-party exposure

Contracts:

  • Executed contracts with all required provisions present
  • Evidence of actual negotiation, not blanket acceptance of vendor standard terms

Ongoing monitoring:

  • Performance scorecards and SLA tracking records
  • Completed vendor assessments within required timeframes
  • Documented responses to material incidents

Termination planning:

  • Written exit plans for each critical vendor
  • Evidence plans have been reviewed or tested, not simply filed and forgotten

Common failure modes

These are the gaps that actually generate citations:

  • No complete inventory. Many mid-size banks discovered vendors during examinations that their compliance teams didn't know existed. Business units had engaged vendors without notifying the TPRM function. Regulators don't accept "we didn't know about that vendor" as a defense.

  • Prospective-only implementation. Banks applied SR 23-4 standards to new vendors while leaving legacy relationships unreviewed. Examiners in 2024 and 2025 expected existing relationships to be assessed against the new framework within a reasonable period, typically within 12-18 months of the guidance's issuance.

  • Missing audit rights. Banks accepted standard SaaS agreements that excluded the right to audit the vendor or its subcontractors. When examiners asked for audit evidence, the bank had none because the contract didn't allow it. This is the single most cited contract gap.

  • BaaS concentration. Some community bank BaaS sponsors had 60-80% of their consumer deposit base concentrated with one or two fintech partners. When a fintech encountered regulatory trouble, the bank had no clean exit plan.

  • Subcontractor blind spots. Banks approved primary vendors without reviewing those vendors' own infrastructure dependencies. When shared cloud services failed, banks claimed ignorance. Regulators were not persuaded.

The OCC's Formal Agreement with Blue Ridge Bank, N.A. (2022) cited deficiencies in third-party risk management tied to its fintech partnerships as a specific focus area. OCC enforcement actions are publicly searchable. The bankruptcy of Synapse Financial Technologies in April 2024, which left more than 100,000 end customers unable to access their funds for months, demonstrated what inadequate TPRM oversight looks like at scale. All four partner banks faced FDIC inquiries and public scrutiny over their oversight records.


Penalties for non-compliance

The agencies don't publish a fixed penalty schedule for SR 23-4 alone. Enforcement runs through the standard supervisory toolkit, escalating with severity.

Informal actions: Matters Requiring Attention (MRAs) and Matters Requiring Immediate Attention (MRIAs) are the first-line response. They don't become public, but they require written remediation plans within 30-60 days for MRIAs and 90-180 days for MRAs. Repeated or unaddressed MRAs escalate to formal action.

Formal actions: Formal Agreements and Consent Orders are public documents. The OCC's Formal Agreement with Blue Ridge Bank (2022) required a corrective TPRM action plan and restricted the bank's BaaS expansion until deficiencies were remediated.

Civil money penalties: Under 12 U.S.C. § 1818, agencies can impose civil money penalties up to $1 million per day for violations of supervisory agreements or cease-and-desist orders. TPRM failures are typically packaged with broader BSA/AML or operational risk enforcement actions, which compounds the total penalty exposure.

Operational consequences: The Synapse collapse made clear that TPRM failures carry costs far beyond regulatory fines. Partner banks faced months of reputational damage, customer complaints, and the cost of untangling account records without a functioning intermediary.

For international context, BCBS 323 establishes the Basel Committee's operational risk management standards that the Fed, OCC, and FDIC align with when setting U.S. expectations for banking organizations.


Related regulations and frameworks

SR 23-4 doesn't stand alone. Banks must reconcile it with several parallel requirements:

DORA (EU): For banks with EU operations, DORA Article 28 creates parallel ICT third-party risk obligations. DORA is more prescriptive: it requires a formal ICT vendor register, specific mandatory contractual clauses, incident reporting to supervisors within 4 hours for major events, and concentration risk reporting at the EU system level. The frameworks are compatible but require active reconciliation. Where SR 23-4 leaves notification timelines to bank discretion, DORA specifies them.

BSA/AML compliance: The Bank Secrecy Act doesn't allow banks to transfer their AML program obligations to a vendor. When a third party operates transaction monitoring or generates alerts, the bank remains fully responsible for the quality of those outputs. Examiners will assess whether the bank has adequate oversight records for vendor-operated compliance functions, not just the vendor's reports.

SR 11-7 (Model Risk Management): Where a third party provides AI or algorithmic models, SR 11-7 applies alongside SR 23-4. Banks can't accept vendor models without validation, even when a vendor claims its model is proprietary and unavailable for external review. Regulators have rejected that argument.

PRA SS5/21 (UK): For UK-regulated entities, SS5/21 is the UK's equivalent operational resilience standard, requiring mapping of important business services and their third-party dependencies with demonstrated disruption tolerance.

FATF Rec 15: When banks use fintech or regtech vendors for AML and KYC functions, FATF Rec 15 guidance requires those vendors' technology to meet FATF standards. This applies regardless of SR 23-4, but the requirements converge for any bank using a third-party AML tool.


How FluxForce supports SR 23-4 compliance

FluxForce agents monitor third-party risk signals continuously, including vendor financial health indicators, regulatory enforcement actions, and security incident disclosures, surfacing issues before they become examination findings. For compliance functions performed by vendors, FluxForce maintains full audit trails of every decision. Compliance teams get the documented oversight evidence regulators expect under SR 23-4. The platform's configurable autonomy settings let teams define escalation thresholds without losing visibility into vendor-operated processes. Request a demo to see how this maps to your existing TPRM program.

FluxForce AI agents automate evidence capture, monitor transactions against SR 23-4 obligations in real time, and generate audit-ready reports with full decision trails.
