
Vendor Due Diligence for Financial Services

April 17, 2026

Financial institutions face the most prescriptive vendor management requirements of any industry. OCC Bulletin 2023-17 (which superseded the influential 2013-29 guidance), FFIEC guidance on Technology Service Providers, and agency-specific expectations from the FDIC and Federal Reserve create a layered regulatory framework that requires banks, credit unions, and fintechs to maintain rigorous vendor oversight throughout the entire third-party relationship lifecycle. Failure to comply is not theoretical — the OCC and FDIC regularly cite vendor management deficiencies in enforcement actions, consent orders, and examination findings.

OCC Bulletin 2023-17: the current standard

OCC Bulletin 2023-17, issued in June 2023, provides the current interagency guidance on third-party risk management for national banks and federal savings associations. It replaces OCC Bulletin 2013-29 and aligns with FDIC FIL-44-2008 and Federal Reserve SR 13-19.

The bulletin establishes a risk-based lifecycle approach with six phases: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, termination, and governance/oversight. Key requirements include:

Board oversight. The board of directors must approve risk management policies, review reports on third-party relationships, and ensure adequate resources for the program. For critical activities, the board should receive regular updates on risk assessments and performance metrics.

Risk assessment before engagement. Before entering a third-party relationship, the bank must assess the activity's risk level, considering factors including the vendor's access to customer data, role in bank operations, ease of replacement, and impact on the bank if the vendor fails.

Due diligence depth proportional to risk. The guidance explicitly states that due diligence should be commensurate with the risk level. Critical vendors require the deepest assessment — financial condition, operational resilience, information security, compliance record, and incident response capabilities.

Critical vs. significant vendor categories

Financial regulators distinguish between critical activities and other third-party relationships, with critical activities requiring enhanced oversight:

Critical activities include functions that could cause a bank to face significant risk if the vendor fails, have significant customer impact, require significant investment to implement or transition, or could have a significant impact on the bank's operations. Common examples: core banking platforms, payment processors, cloud infrastructure, cybersecurity monitoring, and data analytics providers.

Significant activities are third-party relationships that involve access to sensitive data or systems but are not critical to the bank's core operations. Examples: marketing platforms, collaboration tools, and professional services.

Routine activities include vendor relationships with limited data access and low operational impact. These require basic due diligence but not the enhanced oversight applied to critical activities.

For each critical vendor, regulators expect: independent risk assessment, financial condition review, operational resilience evaluation, information security assessment, compliance verification, and periodic reassessment. ThirdProof provides the independent evidence layer for these assessments — covering sanctions screening, security posture, compliance verification, and business legitimacy across all vendor categories.


Fourth-party risk and concentration

Financial regulators have increasingly focused on fourth-party risk — the risk introduced by your vendor's vendors. If your payment processor relies on a single cloud provider, and that cloud provider experiences an outage, your payment processing stops regardless of your direct vendor's operational resilience.

Subprocessor identification. Banks should identify the critical subprocessors used by their key vendors. This is often challenging because vendors are reluctant to disclose their full supply chain. ThirdProof's subprocessor discovery automatically scans for vendor subprocessor pages and identifies downstream dependencies.

Concentration risk. If multiple critical vendors depend on the same subprocessor (e.g., AWS, Azure), a single fourth-party outage could disrupt multiple vendor relationships simultaneously. Regulators expect banks to identify and monitor concentration risk.

Contract provisions. Include provisions requiring vendors to notify you of material changes to their subprocessor relationships, maintain their own vendor management programs, and allow auditing of critical subprocessors.

FDIC enforcement. The FDIC has cited concentration risk and fourth-party oversight in multiple enforcement actions. Banks that cannot demonstrate awareness of their critical vendors' key subprocessors face examination criticism.
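The concentration check described above, worked through in code. This is an added example, not ThirdProof's subprocessor discovery; every vendor, tier and dependency is constructed sample data, and the dependency map is walked transitively so a subprocessor's own subprocessors count toward the blast radius.

```python
# Added example (not ThirdProof's code): fourth-party concentration check
# over a vendor -> subprocessor map. All names and tiers are constructed.
from collections import defaultdict

TIERS = {  # tiers follow the page's categories
    "CorePlatform": "critical",
    "PayProcessor": "critical",
    "SOCMonitoring": "critical",
    "DataAnalytics": "critical",
    "MarketingSuite": "significant",
}
# Direct subprocessors each provider has disclosed; walked transitively.
SUBPROCESSORS = {
    "CorePlatform": ["CloudA"],
    "PayProcessor": ["CloudA", "CardNetwork"],
    "SOCMonitoring": ["CloudB"],
    "DataAnalytics": [],  # nothing disclosed: a gap, not "no risk"
    "MarketingSuite": ["CloudA"],
    "CardNetwork": ["CloudB"],
}

def transitive_dependencies(vendor, subprocessors, seen=None):
    """Every downstream provider reachable from vendor (cycle-safe DFS)."""
    seen = set() if seen is None else seen
    for dep in subprocessors.get(vendor, []):
        if dep not in seen:
            seen.add(dep)
            transitive_dependencies(dep, subprocessors, seen)
    return seen

def blast_radius(tiers, subprocessors):
    """Map each downstream provider to the critical vendors relying on it."""
    impact = defaultdict(set)
    for vendor, tier in tiers.items():
        if tier == "critical":
            for dep in transitive_dependencies(vendor, subprocessors):
                impact[dep].add(vendor)
    return {dep: sorted(v) for dep, v in impact.items()}

def concentration_findings(tiers, subprocessors, threshold=2):
    """Providers whose outage would hit at least `threshold` critical vendors."""
    return {dep: v for dep, v in blast_radius(tiers, subprocessors).items()
            if len(v) >= threshold}

def undisclosed_supply_chain(tiers, subprocessors):
    """Critical vendors with no disclosed subprocessors (follow up via contract)."""
    return sorted(v for v, t in tiers.items()
                  if t == "critical" and not subprocessors.get(v))
```

On the sample data, CloudA and CloudB each underpin two critical vendors (CloudB only through CardNetwork), while DataAnalytics is flagged because an empty subprocessor list is a disclosure gap rather than evidence of independence.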

Ongoing monitoring requirements

One-time due diligence is explicitly insufficient under OCC 2023-17. Financial institutions must maintain ongoing monitoring of third-party relationships, including:

Performance monitoring. Track SLA compliance, incident frequency, customer complaints, and service quality metrics. Document deviations and remediation actions.

Financial condition monitoring. Review vendor financial statements annually for critical vendors. Watch for signs of financial distress — late filings, auditor changes, material weaknesses, or going-concern opinions. ThirdProof checks SEC EDGAR filings and financial indicators as part of the standard assessment across 27 sources.

Information security monitoring. Monitor for vendor security incidents, breach disclosures, and changes to the vendor's security posture. Continuous monitoring tools supplement periodic assessments by providing real-time risk signals.

Regulatory and legal monitoring. Track vendor regulatory actions, enforcement orders, lawsuits, and compliance status changes. This includes sanctions list changes, FDIC enforcement actions, and state-level regulatory developments.

Reassessment cadence. Critical vendors: at minimum annually, with event-triggered reassessment. Significant vendors: every 18-24 months. Routine vendors: every 2-3 years. All vendors should be reassessed upon material changes — breaches, acquisitions, leadership changes, or regulatory actions.

Frequently asked questions

Does OCC 2023-17 apply to fintechs?

OCC 2023-17 directly applies to national banks and federal savings associations. However, fintechs that partner with regulated banks are subject to the same requirements through their bank partnership agreements. If a bank's fintech partner fails to meet vendor management standards, the bank faces regulatory consequences — making the bank's requirements the fintech's de facto requirements.

What is the difference between OCC 2013-29 and 2023-17?

OCC 2023-17 supersedes 2013-29 with several key changes: it is now interagency guidance (aligned with FDIC and Federal Reserve), it explicitly addresses fintech and evolving technology risks, it requires a risk-based approach rather than one-size-fits-all, and it strengthens board oversight requirements. The lifecycle framework remains similar but with enhanced emphasis on ongoing monitoring.

How does fourth-party risk affect bank vendor management?

Fourth-party risk arises when your vendor's vendors (subprocessors) create downstream dependencies. Regulators expect banks to identify critical subprocessors, assess concentration risk (e.g., multiple vendors on the same cloud platform), and include contractual provisions for subprocessor notification and audit rights. Failure to monitor fourth-party risk is a common examination finding.

What documentation do examiners expect for vendor management?

Examiners expect: a board-approved vendor management policy, risk assessment documentation for all third-party relationships (proportional to risk), contracts with appropriate provisions, ongoing monitoring records, incident response documentation, and evidence of periodic reassessment. The documentation should demonstrate a risk-based approach — deeper assessment for critical vendors, proportional review for routine relationships.

Can ThirdProof satisfy bank vendor assessment requirements?

ThirdProof provides the independent evidence layer that regulators expect — 27 intelligence sources covering sanctions screening, financial condition indicators, security posture, compliance verification, and adverse media. The assessment reports include source attribution and verification levels, providing the documented evidence that bank examiners require for vendor due diligence files.
