
Third-Party Risk Assessment Questionnaire


The Third-Party Risk Assessment Questionnaire is a structured spreadsheet for compliance officers, BSA/AML officers, and vendor risk managers at financial institutions evaluating vendor and partner exposure. It produces a scored, documented risk profile for each third party, covering financial crime controls, cybersecurity, and operational resilience. Format: Excel (.xlsx), ready to send to vendors on day one.


What is the Third-Party Risk Assessment Questionnaire?

When a bank onboards a payment processor, a KYC data provider, or a cloud-hosted compliance platform, regulators expect documented evidence that someone assessed the risk before the contract was signed. The Third-Party Risk Assessment Questionnaire is that documentation: a structured spreadsheet that captures what a vendor does, what data it accesses, what controls it has, and how much residual risk the institution is accepting.

The regulatory obligation is explicit. The OCC/Fed/FDIC 2023 interagency guidance on third-party relationships requires banks to conduct risk assessments proportionate to the risk and complexity of each arrangement, both before contracting and throughout the relationship. The EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) impose equivalent requirements across the EU, with specific attention to critical or important functions. Under DORA, which applies from 17 January 2025, ICT third-party risk management is a statutory requirement with mandatory pre-contract assessments and ongoing oversight obligations.

What examiners actually look for: evidence of a documented, repeatable process. A blank questionnaire sitting in a shared folder doesn't satisfy that. Completed questionnaires, with scoring, sign-off, and a remediation note where gaps were found, do.

This template covers the full vendor risk surface: financial crime compliance, cybersecurity posture, data handling, business continuity, and fourth-party sub-contractor exposure. It supports Customer Due Diligence workflows and the risk-based approach that both FATF and domestic regulators require.


Who needs the Third-Party Risk Assessment Questionnaire?

The primary users are the people who own third-party risk formally: vendor risk managers, compliance analysts, and BSA/AML officers who sit on new-vendor review committees. But the questionnaire circulates well beyond that group.

MLROs and Chief Compliance Officers use completed questionnaires to make go/no-go decisions on vendors that handle customer data or payment flows. Procurement teams need it to satisfy internal policy before contracts are signed. Information security teams contribute the cybersecurity sections. Internal audit pulls completed questionnaires during annual reviews and regulatory exams.

For operational resilience specifically, the trigger moments are:

  • New vendor onboarding where the vendor accesses customer data, handles payment instructions, or provides a function classified as critical or important to the business
  • Contract renewal cycles where risk profiles are refreshed annually or after a material change to the service
  • Post-incident reviews where a vendor's outage, breach, or regulatory action triggers an out-of-cycle assessment
  • Regulator exam prep, when examiners request the third-party risk inventory and the evidence behind each risk rating
  • M&A integration, where inherited vendor relationships need assessment against your own standards

Correspondent banking relationships also warrant this questionnaire, given the due diligence obligations on correspondent relationships under FATF Recommendation 13, including assessing the respondent institution's AML/CFT controls before the relationship is established.


What's inside the Third-Party Risk Assessment Questionnaire

The spreadsheet is organized into six domain tabs plus a scoring summary tab (Tab 7), seven tabs in total. Each domain tab targets a distinct risk category that regulators examine.

Tab 1: Vendor Profile

  • Legal entity name, registration number, and jurisdiction
  • Services and products provided, with contract reference
  • Data classifications accessed (PII, payment data, transaction records, protected health information)
  • Contract start date, renewal date, and classification tier (critical / important / routine)
  • Assessment date and assessor name

Tab 2: Financial Crime Controls

  • Does the vendor maintain a documented AML/CTF program? Name the regulator.
  • Is the vendor subject to AML regulation in its home jurisdiction?
  • Does the vendor screen employees, clients, and sub-contractors against sanctions lists? (Sanctions Screening standards apply here.)
  • Has the vendor received a regulatory enforcement action, fine, or consent order in the last five years?
  • Does the vendor conduct PEP Screening on its own customer base or relevant principals?

Tab 3: Cybersecurity and Data Protection

  • ISO 27001 or SOC 2 Type II status, with evidence attachment
  • Encryption standards for data in transit and at rest
  • Incident response plan, with date of last tabletop exercise
  • Penetration testing frequency and last test date

Tab 4: Operational Resilience

  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the services provided
  • Business continuity plan, with last test date and format
  • Geographic redundancy and failover location
  • Dependency on sub-contractors for critical service delivery

Tab 5: Sub-Contractor and Fourth-Party Risk

  • List of material sub-contractors used in delivering services to your institution
  • Notification obligations if sub-contractors change materially
  • Does the vendor flow down your minimum contractual standards to its own sub-contractors?

Tab 6: Governance and Regulatory Standing

  • Named compliance contact at the vendor
  • Date of most recent independent compliance audit, with type (internal vs. external)
  • Ongoing litigation, regulatory investigation, or material adverse event in the last 24 months

Tab 7: Risk Score Summary

  • Weighted scoring by domain (High / Medium / Low)
  • Inherent risk rating and residual risk rating after controls
  • Reviewer sign-off with date and seniority level
  • Remediation action log with owner, due date, and status

The scoring model follows the proportionality principle in the OCC/Fed/FDIC 2023 guidance: vendors supporting critical functions get all seven tabs; lower-risk commodity vendors get an abbreviated assessment covering Tabs 1, 3, and 7 only.
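The scoring model described for Tab 7 and the proportionality rule above, expressed as runnable code. This is an added example, not the template's own formulas: the page does not publish the template's domain weights or rating thresholds, so the weights, thresholds and the one-step residual reduction below are assumptions, and the sample vendor answers are constructed. It encodes three rules the page states in prose: routine vendors are scored on the Tab 3 domain only, a claimed control lowers residual risk only when evidence is attached, and any High residual or disclosed red flag blocks approval until a documented rationale exists.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed weights per domain tab (illustrative; not the template's published weights).
DOMAIN_WEIGHTS = {
    "financial_crime": 0.30,  # Tab 2
    "cyber": 0.25,            # Tab 3
    "resilience": 0.20,       # Tab 4
    "fourth_party": 0.15,     # Tab 5
    "governance": 0.10,       # Tab 6
}

# Proportionality: which domains are scored for each classification tier.
# Routine vendors get Tabs 1, 3 and 7 only, so only the cyber domain is scored.
TIER_DOMAINS = {
    "critical": frozenset(DOMAIN_WEIGHTS),
    "important": frozenset(DOMAIN_WEIGHTS),
    "routine": frozenset({"cyber"}),
}


@dataclass(frozen=True)
class DomainAnswer:
    inherent: Rating          # risk before any vendor controls are considered
    controls_claimed: bool    # vendor attests that a mitigating control exists
    evidence_attached: bool   # SOC 2 report, certificate, BCP test record, etc.
    red_flag: bool = False    # e.g. enforcement action disclosed in Tab 2 or Tab 6


def residual_rating(answer: DomainAnswer) -> Rating:
    """Assumed rule: an evidenced control lowers residual risk by one step.
    A self-attestation with no evidence leaves residual at the inherent level."""
    if answer.controls_claimed and answer.evidence_attached and answer.inherent > Rating.LOW:
        return Rating(answer.inherent - 1)
    return answer.inherent


def overall_rating(score: float) -> Rating:
    # Assumed thresholds on the 1..3 weighted scale; tune to your risk appetite.
    if score >= 2.5:
        return Rating.HIGH
    if score >= 1.75:
        return Rating.MEDIUM
    return Rating.LOW


def score_vendor(tier: str, answers: Dict[str, DomainAnswer],
                 high_risk_rationale: Optional[str] = None) -> dict:
    """Produce the Tab 7 summary: inherent and residual scores, High domains,
    unevidenced claims, red flags and the resulting decision."""
    domains = TIER_DOMAINS[tier]
    missing = domains - answers.keys()
    if missing:
        raise ValueError(f"tier {tier!r} requires answers for: {sorted(missing)}")
    # Re-normalise weights over the domains actually assessed for this tier.
    total_w = sum(DOMAIN_WEIGHTS[d] for d in domains)
    inherent = sum(DOMAIN_WEIGHTS[d] * answers[d].inherent for d in domains) / total_w
    residuals = {d: residual_rating(answers[d]) for d in domains}
    residual = sum(DOMAIN_WEIGHTS[d] * residuals[d] for d in domains) / total_w

    high_domains = sorted(d for d in domains if residuals[d] == Rating.HIGH)
    red_flags = sorted(d for d in domains if answers[d].red_flag)
    unevidenced = sorted(d for d in domains
                         if answers[d].controls_claimed and not answers[d].evidence_attached)

    # Escalation: a High residual or a red flag needs a documented decision before approval.
    if (high_domains or red_flags) and not high_risk_rationale:
        decision = "escalate"
    elif high_domains or red_flags:
        decision = "approve_with_oversight"
    else:
        decision = "approve"

    return {
        "tier": tier,
        "inherent_score": round(inherent, 2),
        "residual_score": round(residual, 2),
        "inherent_rating": overall_rating(inherent).name,
        "residual_rating": overall_rating(residual).name,
        "high_domains": high_domains,
        "red_flags": red_flags,
        "unevidenced_claims": unevidenced,
        "decision": decision,
    }


# Constructed sample: a critical payment processor whose BCP claim has no test evidence.
SAMPLE_CRITICAL = {
    "financial_crime": DomainAnswer(Rating.HIGH, True, True),
    "cyber": DomainAnswer(Rating.HIGH, True, True),
    "resilience": DomainAnswer(Rating.HIGH, True, False),  # "we maintain a BCP", no test date
    "fourth_party": DomainAnswer(Rating.MEDIUM, True, True),
    "governance": DomainAnswer(Rating.LOW, False, False),
}

if __name__ == "__main__":
    print(score_vendor("critical", SAMPLE_CRITICAL))
```

With the sample above the inherent score is 2.65 (High) and the residual 1.95 (Medium), but the unevidenced resilience claim leaves that one domain at High, so the decision is "escalate" until a rationale is recorded; supplying one moves it to "approve_with_oversight", which is the documented High the page says examiners accept.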


How to use the Third-Party Risk Assessment Questionnaire

Step 1: Classify the vendor before opening the spreadsheet. Decide whether the relationship is critical, important, or routine. A vendor hosting your transaction monitoring system is critical. A courier delivering printed statements is not. Classification determines which tabs you send and how much documentary evidence you require.

Step 2: Send the vendor-facing tabs. Critical and important vendors get Tabs 1 through 6; routine vendors get the abbreviated version (Tabs 1 and 3). Tab 7 stays with the assessor. Most sections are answered by the vendor's compliance or information security team. Give them 10 business days and a named contact at your institution for questions.

Step 3: Verify responses, don't just accept them. Checkbox answers alone aren't enough for examiners. For Tabs 3 and 4 especially, require evidence: SOC 2 reports, policy documents, test records, and certifications. "We maintain a BCP" without a test date and outcomes is insufficient documentation.

Step 4: Run your own independent screening. Before scoring, run the vendor's legal entity and principals through Adverse Media Screening and sanctions databases independently. Don't rely solely on the vendor's self-attestation for this step.

Step 5: Score the residual risk and document it. Complete Tab 7. If any domain scores High, document the mitigating controls or the escalation decision. An approved High-risk vendor with documented rationale and an oversight plan is acceptable to most examiners. An undocumented High is not.

Step 6: File the completed questionnaire as an audit artifact. Store it alongside the contract, version-controlled and retrievable within minutes when an examiner requests it. See staying continuously exam-ready for how to structure that retrieval process at scale.

Step 7: Schedule the next review. Set a calendar trigger for annual refresh, or for an immediate out-of-cycle review if the vendor reports a breach, acquisition, or regulatory action. The FCA's PS21/3 operational resilience framework and DORA both treat ongoing monitoring of third-party relationships as a regulatory requirement, not a discretionary one.


Common mistakes to avoid

1. Treating completion as the goal. Teams fill every cell, file the spreadsheet, and move on. If the scoring doesn't affect the go/no-go decision or trigger a remediation item, it's a paperwork exercise. The first question examiners ask is: "What did you do with the results?"

2. Accepting self-attestations without evidence. A vendor claiming ISO 27001 certification without attaching the certificate is a red flag. "We maintain a business continuity plan" without a test date and outcomes is equally thin. Require evidence for every high-stakes claim in Tabs 3 and 4.

3. Skipping fourth-party exposure. A vendor with strong controls can still fail you if its own critical suppliers fail. Tab 5 exists for this reason. Banks have been caught in outages caused by a vendor's cloud provider going down, with no visibility or contractual recourse because fourth-party risk was never assessed.

4. Static risk ratings. Assigning a Medium rating at onboarding and never updating it is a common exam finding. Vendors get acquired, change data practices, and receive regulatory censures. Build refresh triggers into your vendor management calendar: annual at minimum, and immediately after any material event.

5. Applying the same depth to every vendor. Running the full seven-tab questionnaire on every vendor is unsustainable. Running a lightweight version on critical vendors is a control gap. The risk-based approach your regulators expect requires calibrated depth, proportionate to what the vendor touches.

6. No escalation path when red flags appear. What happens when a vendor discloses a recent enforcement action in Tab 6? If the questionnaire doesn't connect to a defined escalation workflow and a documented decision, it's not functioning as a control.


How FluxForce automates this

FluxForce's AI agents run continuous screening on your vendor roster. Sanctions checks and PEP Screening on vendor principals run in real time. Adverse Media Screening fires automatically when relevant news breaks. When a vendor's regulatory status changes, FluxForce alerts your team before the next scheduled review cycle. That replaces the manual refresh this questionnaire otherwise requires annually. Every check generates an audit-ready evidence trail, so exam prep becomes documentation retrieval rather than a last-minute scramble. Request a demo to see how it works.

Stop filling this template in by hand

FluxForce AI agents handle the work behind operational-resilience templates like this one: real-time monitoring, sanctions and PEP screening, and automated, audit-ready reporting.
