Third-Party Risk

Vendor Onboarding Process: The Compliance Steps Most Companies Skip

May 1, 2026 Rebecca Leung

The OCC’s consent order against Blue Ridge Bank in 2022 had nothing to do with credit quality or capital ratios. It was about fintech. The bank had let fintech partners operate payment account programs and embedded banking products without an adequate third-party risk management framework. The OCC required the bank to stop entering new fintech agreements and obtain OCC non-objection for any future technology relationships.

The pattern appeared again in the OCC’s $60 million fine against Morgan Stanley. The bank had hired a vendor to decommission data center equipment without properly assessing the vendor’s internal controls or subcontractor use. Customer data ended up exposed on improperly wiped devices. The OCC specifically cited failure to assess third-party vendors and their subcontractors before granting access.

Neither case involved a rogue actor. Both were onboarding failures. The vendors were brought in before adequate due diligence was complete — and the gaps didn’t surface until something went wrong.

TL;DR

  • Most vendor onboarding programs are document-collection exercises dressed up as risk management. They gather evidence but don’t evaluate it.
  • The 2023 OCC/FDIC/Fed interagency guidance specifies what onboarding actually requires: risk assessment, contract controls, and documented approval — before access is granted.
  • Eight compliance steps get skipped most often: risk tiering upfront, OFAC screening, SOC 2 exception review, subcontractor mapping, contractual audit rights, incident notification SLAs, BCP verification, and board sign-off for critical vendors.
  • Examiners ask to see your risk assessment and approval documentation — not your checklist.

What “Vendor Onboarding” Is Supposed to Mean

Most vendor onboarding programs trace their lineage to procurement: collect documents, route approvals, sign the contract. But the 2023 Interagency Guidance on Third-Party Relationships: Risk Management — issued jointly by the OCC, FDIC, and Federal Reserve on June 6, 2023 — describes something considerably more involved.

Under the guidance, onboarding sits between planning and contract execution. It encompasses:

  • Due diligence: Assessing the vendor’s financial condition, business reputation, risk management practices, information security controls, and use of subcontractors
  • Contract negotiation: Establishing the specific rights and obligations that protect the institution
  • Risk-based approval: Documenting the risk assessment, residual risk, and obtaining appropriate approval based on vendor criticality

The guidance is explicit: due diligence and contract terms should be completed before finalizing the relationship. In practice, many programs sign first and do due diligence second. That’s not an onboarding process — it’s a retroactive paperwork exercise.

The Federal Reserve’s May 2024 third-party risk management publication reinforced the same message, highlighting ongoing gaps between written TPRM policies and actual due diligence execution. The OCC’s 2025 supervisory priorities specifically call out “risk management throughout all stages of the third-party risk management lifecycle” — not just contracting.


The Eight Steps That Actually Get Skipped

1. Risk Tiering Before Due Diligence Begins

Most programs assign vendor risk tiers after they’ve already committed to using the vendor. Due diligence scope — how deep you go — should be determined by the tier, not retrofitted to it. If you don’t know whether a vendor is Tier 1 (critical) or Tier 3 (standard) before you start, you don’t know how much due diligence is warranted.

The vendor tiering framework should be applied as the first step: What data does this vendor access? What business processes does it support? What’s the criticality of those processes? A Tier 1 critical vendor warrants full financial analysis and potentially on-site visits. A Tier 3 commodity vendor needs basic security hygiene verification. Applying the tier after the fact means you often under-diligence critical vendors and over-document low-risk ones.

2. Reading the SOC 2 Report — Not Just Collecting It

Nearly every TPRM program requires a SOC 2 report from vendors. Almost none of them read it.

A SOC 2 is not a security certification. It is an auditor’s opinion about whether specific controls were suitably designed and operating effectively during a defined testing period — often covering 12 months that ended six to eighteen months ago by the time you receive it. The critical sections:

  • Section 4 (the auditor’s opinion): A qualified opinion means material exceptions. An unqualified opinion doesn’t mean perfect controls — it means the controls that were tested operated.
  • Section 5 (control description): Read for gaps. What’s not in scope? What was excluded from testing?
  • Exceptions and deviations: These are the lines most readers skip. A vendor with repeated exceptions in user access reviews has an access management problem — and that’s your problem too.
  • Testing period and report date: A SOC 2 Type 2 from 18 months ago doesn’t tell you about current controls. Know when the testing period ended.

The vendor risk assessment template covers what questions to ask when a vendor’s SOC 2 shows exceptions or when a vendor only has a Type 1 (design-only) report.

3. OFAC Sanctions Screening of the Vendor and Its Principals

Banks screen customers for OFAC compliance. Many don’t screen vendors with the same rigor — or at all.

OFAC’s 50% Rule automatically sanctions any entity owned 50% or more by a specially designated national (SDN), even if that entity doesn’t itself appear on the SDN list. This means a vendor that looks clean in a direct list check could be controlled by a sanctioned party without appearing in any standard screening result.

Effective vendor OFAC screening requires:

  • Screening the vendor legal entity against OFAC’s SDN list and all applicable sanctions programs
  • Screening key principals and beneficial owners
  • Documenting screening results and the date performed
  • Re-screening upon material changes: ownership transfer, management change, geographic expansion

The FFIEC BSA/AML examination manual explicitly addresses OFAC compliance in the context of third-party relationships. Financial institutions that fail to screen vendor principals can find themselves with sanctions exposure tied to vendor onboarding decisions made years earlier.
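The 50% Rule determination described above, as an added example that is not part of the original article: the ownership graph, entity names and the single direct SDN hit are constructed, and the handling of indirect holdings (aggregating the stakes held by blocked persons, and treating an entity that becomes blocked under the rule as a blocked owner of anything it in turn holds) follows OFAC's published guidance on the rule rather than anything stated on this page.

```python
"""Aggregate-ownership check modelled on OFAC's 50 Percent Rule.

Constructed example, not code from the article. Entity names, percentages
and the direct SDN hit are made up. The treatment of indirect ownership
(aggregation across blocked owners, and propagation of blocked status to
entities held 50% or more by an entity blocked under the rule) follows
OFAC's published guidance on the rule.
"""
from typing import Dict, List, Set, Tuple

# Ownership graph: entity -> [(owner, percent held)].  Constructed data.
OWNERSHIP: Dict[str, List[Tuple[str, float]]] = {
    "VendorCo": [("HoldCo A", 40.0), ("Person X", 10.0), ("Unrelated Fund", 50.0)],
    "HoldCo A": [("Person X", 50.0), ("Person Y", 50.0)],
    "CleanCo": [("HoldCo B", 60.0), ("Person Z", 40.0)],
    "HoldCo B": [("Person X", 25.0), ("Person Z", 75.0)],
}

# Direct hits from the SDN list check (constructed; a real program loads OFAC data).
SDN_HITS: Set[str] = {"Person X"}


def blocked_entities(ownership, sdn_hits):
    """Return every entity blocked under the 50 Percent Rule.

    Iterates to a fixed point: an entity that becomes blocked in one pass
    counts as a blocked owner in the next, which can push a further entity
    over the 50% threshold.
    """
    blocked = set(sdn_hits)
    changed = True
    while changed:
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            held = sum(pct for owner, pct in owners if owner in blocked)
            if held >= 50.0:
                blocked.add(entity)
                changed = True
    return blocked


def blocked_share(entity, ownership, sdn_hits):
    """Percentage of `entity` held directly by blocked persons (for the screening record)."""
    blocked = blocked_entities(ownership, sdn_hits)
    return sum(pct for owner, pct in ownership.get(entity, []) if owner in blocked)


def screen_vendor(vendor, ownership, sdn_hits):
    """Screening verdict for one vendor: (is_blocked, reason)."""
    if vendor in sdn_hits:
        return True, "direct SDN list match"
    if vendor in blocked_entities(ownership, sdn_hits):
        share = blocked_share(vendor, ownership, sdn_hits)
        return True, f"{share:.0f}% held by blocked persons (50 Percent Rule)"
    return False, "no blocking ownership identified"


if __name__ == "__main__":
    for name in ("VendorCo", "CleanCo"):
        print(name, screen_vendor(name, OWNERSHIP, SDN_HITS))
```

VendorCo shows only a 10% SDN stake on a direct check, yet is blocked once HoldCo A (itself 50% owned by the SDN) is counted as a blocked owner; CleanCo is not, because HoldCo B never crosses the threshold.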

4. Subcontractor and Fourth-Party Mapping

Your vendor uses vendors. The 2023 interagency guidance specifically addresses subcontractor use and requires institutions to understand how vendors use subcontractors when performing critical activities.

This is the step almost universally skipped at onboarding. Most programs ask vendors “do you use subcontractors?” in a security questionnaire but don’t require a named list, don’t evaluate subcontractor controls, and don’t establish contractual rights to approve material changes in subcontractor use.

The consequences of this gap are well-documented. When the SolarWinds supply chain compromise was disclosed in December 2020 and when MOVEit’s zero-day was exploited across thousands of organizations in 2023, the hardest-hit companies were those with no visibility into their vendors’ software and infrastructure dependencies. Fourth-party risk requires active management — not just a question on a questionnaire.

At minimum, contracts should require vendor notification of material subcontractor changes and give you the right to object. Tier 1 vendors should provide a named subcontractor inventory covering critical activities as part of the onboarding package.

5. Contractual Audit Rights — Before Signing

Audit rights are effectively worthless if you try to negotiate them after the MSA is signed and you’ve already built operational dependencies on the vendor. The time to get audit rights in the contract is before you grant any access.

The 2023 interagency guidance specifies that contracts should include the right to audit vendor controls, receive annual SOC 2 reports, and for critical relationships, conduct on-site visits. The guidance also requires the right of regulatory examination access — meaning your prudential regulator can examine the vendor’s operations relevant to your institution.

In practice, most enterprise software vendors won’t agree to unannounced on-site audits. But they will agree to alternatives: annual SOC 2 Type 2 delivery, penetration test summaries, attestation letters for specific control areas. Document what you negotiated and why it’s adequate. If a vendor refuses all audit rights, that’s a significant red flag that warrants escalation before proceeding.

6. Incident Notification SLAs With Defined Timeframes

Most vendor contracts have boilerplate incident notification language: “Vendor will notify Client of any security incidents in a timely manner.” That clause is not enforceable in any practical sense.

Your contracts need specific timelines negotiated before signing:

Notification type                                        Target timeline
Initial notification of suspected or confirmed breach    24–48 hours
Preliminary incident report (scope and known impact)     5–7 business days
Final incident report (root cause and remediation)       30 days

This matters at onboarding because by the time you’re in the middle of a vendor breach, you’ve lost all negotiating leverage. The OCC’s 36-hour notification requirement for computer security incidents at banks depends on your vendors telling you quickly enough for you to assess materiality and escalate. If your contract gives the vendor 30 days to notify you in writing, you will miss that regulatory deadline — and you will not be able to defend the gap.

7. Business Continuity and DR Verification for Critical Vendors

For critical vendors — those whose failure could cause significant customer harm or operational disruption — the 2023 interagency guidance requires assessing BCP/DR capabilities. This means:

  • Reviewing the vendor’s BCP/DR documentation or summary (not just the SOC 2 availability control section)
  • Confirming that the vendor’s RTOs and RPOs are compatible with your own recovery objectives
  • Verifying that backup and recovery environments are geographically separated and tested on a defined schedule
  • Confirming that your specific use case is covered by their BCP, not just their enterprise-level continuity plan

A vendor’s SOC 2 will sometimes include information about availability controls, but rarely at the operational detail your BCP team needs. For Tier 1 vendors, a direct BCP questionnaire is appropriate. For vendors supporting mission-critical operations, ask whether your contract size entitles you to dedicated recovery capacity or whether you’re treated as general population in their DR runbook.

8. Board or Senior Management Approval for Critical Activity Vendors

This step is frequently reduced to a checkbox email chain without substance. The 2023 interagency guidance requires appropriate board or senior management approval for critical third-party relationships — those involving critical activities — and the approval needs to be documented with an actual decision package.

A proper critical vendor approval package includes:

  • The business case for the relationship and why this vendor was selected
  • A summary of due diligence findings, including any exceptions or elevated risks identified
  • Residual risk rating after existing controls are considered
  • Proposed mitigating actions for open risks with owners and target dates
  • Approval from the governance authority defined in your TPRM policy

During examination, OCC and FDIC examiners specifically look for this documentation. If the approval process is an email saying “looks good, proceed” with no supporting materials, that’s the finding — regardless of how good the vendor actually is.


What Examiners Look For in a TPRM Examination

Based on the 2023 interagency guidance, the OCC’s 2025 supervisory priorities, and the FINRA 2025 Annual Regulatory Oversight Report’s third-party risk section, examiners test the following:

Examination area               What they’re looking for
Due diligence documentation    Risk assessments with documented evaluation — not document receipts
Contract completeness          Audit rights, incident notification timelines, regulatory access, data handling
Critical vendor approval       Board/SMC approval packages with residual risk documented
OFAC screening                 Records showing vendor entity and principal screening, dated
Subcontractor controls         Vendor subcontractor lists or contractual flow-down provisions
Ongoing monitoring evidence    Post-onboarding risk reviews and event-triggered reassessments

Examiners are not checking whether your onboarding checklist has all the boxes marked. They’re checking whether your process produces evidence that risk was evaluated — and whether the contract terms protect the institution in the ways the guidance requires.


The Process You Actually Need

Vendor onboarding as a compliance process works like this:

  1. Receive business request for a new vendor
  2. Complete initial risk tiering — before any due diligence work begins
  3. Scope due diligence based on tier and criticality
  4. Conduct due diligence — financial review, security assessment, SOC 2 evaluation, OFAC screening, subcontractor mapping, BCP review
  5. Negotiate contract — audit rights, incident notification SLAs, regulatory access, data handling, BCP commitments, subcontractor controls
  6. Document risk assessment with residual risk and any exceptions or open items
  7. Obtain approval — appropriate to vendor tier (executive or board approval for critical vendors, delegated approval for lower tiers)
  8. Grant access — after all of the above are complete, not before

The complete vendor risk management lifecycle covers all five stages from planning through termination. Onboarding is the single heaviest lift in that lifecycle — and the stage where most programs cut corners because the business is already committed to the vendor before compliance gets involved.


So What?

If your last vendor onboarding resulted in system access being provisioned the same week you received the vendor’s certificate of insurance, you don’t have a TPRM onboarding process. You have a procurement process with compliance labels.

What examiners document in consent orders and MRAs is exactly the gap between what organizations say their process does and what the evidence shows. The evidence is the risk assessment. The evidence is the signed contract with actual audit rights. The evidence is the approval package that a senior decision-maker signed.

The eight steps above are where that evidence is most often missing. Reviewing your last ten onboardings against this list will show you where your process ends and where the compliance gap begins — before an examiner does it for you.


The RiskTemplates TPRM Kit includes a complete vendor onboarding checklist, due diligence questionnaire, risk assessment template, contract provisions reference guide, and critical vendor approval package — built to the 2023 interagency guidance standard.

Frequently Asked Questions

What compliance steps do companies most commonly skip during vendor onboarding?
The most frequently skipped steps are: (1) formal risk tiering before any due diligence work begins; (2) actually reviewing SOC 2 exceptions rather than just collecting the report; (3) OFAC sanctions screening of the vendor and its principals; (4) subcontractor and fourth-party mapping; (5) negotiating contractual audit rights before signing; (6) incident notification SLAs with specific timeframes; (7) BCP/DR verification for critical vendors; and (8) board or senior management approval for critical activity vendors. Most programs collect documents — they don't evaluate them.
What does the 2023 OCC/FDIC/Fed interagency guidance require during vendor onboarding?
The June 2023 Interagency Guidance on Third-Party Relationships: Risk Management (OCC Bulletin 2023-17) requires banking organizations to complete due diligence before finalizing a vendor relationship, including assessing the vendor's financial condition, business experience, risk management practices, information security controls, business continuity capabilities, and use of subcontractors. The guidance explicitly requires reviewing SOC 2 reports, conducting on-site visits for critical vendors, and verifying that contracts include audit rights, incident notification requirements, regulatory examination access, and data handling obligations.
Do you need to screen vendors against OFAC sanctions lists?
Yes, OFAC sanctions screening should be part of vendor onboarding due diligence for financial institutions. The OFAC 50% Rule automatically sanctions any entity owned 50% or more by a sanctioned party, even if that entity doesn't appear on the SDN list itself. Financial institutions screening vendors must check both the entity and its beneficial owners. The FFIEC BSA/AML examination manual specifically addresses this, and examiners may review whether OFAC checks were performed on third parties with access to customer accounts or funds.
When does a vendor need board or senior management approval?
The 2023 interagency guidance requires board or senior management approval for critical third-party relationships — those involving critical activities, meaning activities that could cause significant customer harm or operational disruption if they fail. This typically includes core banking processors, payment processors, cloud infrastructure providers, and fintechs embedded in product delivery. The approval should document the business case, due diligence findings, residual risk, and compensating controls.
What is the difference between a vendor onboarding checklist and a vendor due diligence process?
A vendor onboarding checklist is a document-collection exercise: certificates of insurance, W-9, SOC 2 report, security questionnaire. A vendor due diligence process evaluates those documents: Are the SOC 2 exceptions material? Does the vendor's BCP cover your use case? Do their insurance limits cover your actual exposure? Examiners don't ask to see your checklist — they ask to see your risk assessment, your documented evaluation of the evidence, and your risk acceptance decision. The checklist is the input; the due diligence is the work.
What contract provisions must be in place before a vendor is onboarded?
Critical contract provisions the 2023 interagency guidance specifically calls out include: audit rights (your right to review vendor controls and receive SOC 2 reports); right of regulatory examination access; incident notification requirements with specific timelines (24–48 hours is the standard to negotiate); data handling obligations covering how your data is used, protected, and returned or destroyed; subcontractor restrictions and approval rights for fourth parties; business continuity and DR commitments with defined RTOs; and termination rights for material breach. Missing any of these creates a documented gap that examiners will find.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
