Critical Vendor Exit Planning: How to Build a Wind-Down Strategy Before You Need One

May 14, 2026 Rebecca Leung

TL;DR

  • The 2023 Interagency Guidance requires banking organizations to document exit strategies for critical vendors as part of contract negotiation — before onboarding, not after something goes wrong.
  • The Synapse collapse ($265M in frozen customer funds, 100,000+ Americans locked out of accounts) is the examiner’s reference case for what inadequate exit planning looks like at scale.
  • A complete exit strategy addresses six things: transition approach, realistic timeline, data handling rights, access revocation, customer communication, and regulatory notification — all negotiated in the contract.
  • The gap most programs miss: the contractual right to receive your data in a usable format within a defined timeline with written confirmation of destruction — and having tested whether you could actually use it.

In April 2024, Synapse Financial Technologies filed Chapter 11 bankruptcy. The middleware company that handled ledger reconciliation between fintech clients and their sponsor banks had quietly accumulated discrepancies between what it told fintechs their customers held and what the underlying banks actually had on deposit. When the wind-down began, the estimated shortfall was $65–96 million. More than 100,000 Americans found their accounts frozen — money they believed was FDIC-insured, accessible, and safe.

Nobody had a tested plan for what to do if Synapse disappeared overnight.

That’s not a unique failure. It’s the most foreseeable failure mode in third-party risk management — and the one vendor exit planning is designed to address.

What Regulators Actually Require

The 2023 Interagency Guidance on Third-Party Relationships — issued jointly by the OCC, FDIC, and Federal Reserve — treats termination as one of the five phases of the third-party risk management lifecycle: planning, due diligence, contract negotiation, ongoing monitoring, and termination.

The FDIC’s guidance specifically calls for:

  • Termination provisions in the contract: causes for termination, required notice periods, costs of exit, and what the vendor is contractually obligated to provide during transition
  • Contingency plans for both planned exits (contract expiration, vendor replacement) and sudden exits (vendor failure, regulatory action, material breach)
  • Transition planning: documented approach for migrating to an alternate provider, bringing the service in-house, or discontinuing it if no alternative exists
  • Customer impact assessment: what termination means for customers and how it will be managed

For critical vendors — those whose failure would materially affect the institution’s operations or its ability to meet regulatory obligations — these aren’t aspirational expectations. They’re examination checkpoints.

The Federal Reserve’s June 2024 enforcement action against Evolve Bank & Trust, one of Synapse’s primary bank partners, cited the bank’s failure to maintain an “effective risk management framework” for its fintech partnerships. Exit planning — or its absence — sat at the center of what regulators found inadequate.

Why Exit Planning Fails in Practice

Most TPRM programs have vendor offboarding checklists. What they typically don’t have is a proactive exit strategy — a plan written and negotiated before anything goes wrong.

The distinction matters more than most practitioners realize.

An offboarding checklist tells you what to do when you’ve already decided to end a vendor relationship and the vendor is cooperating.

An exit strategy answers a different question: if this vendor failed tomorrow — became insolvent, was hit with a regulatory action, suffered an incident that took them offline indefinitely — what would happen to your operations? How long would it take to migrate? What customer impact would you face? And critically: do you have the contractual rights to make the transition possible?

Most programs have the first. Few have the second in a form that’s actually tested.

The Synapse case illustrated this precisely. Juno — one of the fintechs on Synapse’s platform — acknowledged it had very limited visibility into its own customer balances because Synapse held the canonical ledger. Any data migration would be slow and error-prone. That’s not just a contract failure. It’s a governance failure: the due diligence process never seriously asked “what would we do if this vendor failed, and do we have what we’d need to do it?”

The Six Components of a Defensible Exit Plan

A vendor exit strategy that holds up under examination covers six areas. All six need to be addressed in the contract before onboarding — not negotiated during a crisis, when the vendor has no incentive to cooperate and your leverage is gone.

1. Transition Approach

How will the service continue if this vendor exits? There are three paths: transition to an alternate provider, bring the service in-house, or discontinue it.

For each critical vendor, document which path is realistic, what an alternate-provider transition would require in terms of timeline and technical dependencies, and whether discontinuation is genuinely an option — or whether this is a service that customers depend on and that cannot be interrupted without significant harm.

Vendors providing services you cannot discontinue and cannot easily replace represent your highest exit risk. They deserve heightened scrutiny during initial due diligence, annual reviews, and any time the vendor’s financial condition or operational stability changes.

2. Transition Timeline

How long would it realistically take to migrate? For core banking platforms, BaaS middleware, and critical data services, realistic migration timelines are measured in months, not weeks. Your exit strategy should reflect that reality — not an optimistic estimate made during a low-stakes contract negotiation.

This matters because examiners now ask a specific question: if your most critical vendor had to exit in 30 days, what would happen? If the honest answer is “we couldn’t manage it,” your exit risk is higher than your risk tiering reflects. Fourth-party dependencies compound the problem — if your vendor’s sub-processors hold data critical to migration, their timelines become your constraints.

3. Data Handling

The contractual right to your data — in a usable format, within a defined timeline, with written confirmation of destruction on the vendor’s systems after transfer — is the most frequently cited gap in bank examination findings on exit planning.

Three questions every critical vendor contract should answer before you sign:

  • What format will data be returned in, and is it technically usable by your systems or successors?
  • What is the timeline for data return after notice of termination?
  • What written confirmation will the vendor provide that your data has been deleted from their systems after transfer?

If any of these are vague (“data will be returned in industry standard formats” is not sufficient), you have contract terms to negotiate. Vendors in financial distress — which is often when exits become involuntary — are rarely generous about data handoffs unless the contract compels them specifically and enforceably.

4. Access Revocation

Every critical vendor has credentials into your systems, networks, or data environments — API keys, VPN access, user accounts, shared credentials, third-party integrations. Exit planning requires an explicit process for revoking all vendor access on a defined timeline after notice of termination.

The offboarding checklist should require: written confirmation from the vendor that all access has been disabled on their side, a review of your identity access management logs to confirm no residual access, and a defined escalation path if the vendor fails to cooperate.

Most programs include this in their offboarding checklist. The exit strategy element is testing it: have you actually walked through a credential revocation drill for at least one critical vendor? Do you know where all the access lives?
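One way to run the log-review step of that drill, as an added example that is not part of the original article: it compares a vendor credential inventory against authentication log lines and flags credentials not revoked by the deadline, activity after revocation, and credentials that appear in the logs but not in the inventory. The vendor name, credential IDs, log format and deadline are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed inventory of credentials issued to a hypothetical vendor.
INVENTORY_CSV = """credential_id,type,revoked_at
api-key-7f3,api_key,2026-03-01T17:00:00+00:00
vpn-vendor-01,vpn_account,2026-03-01T17:30:00+00:00
svc-vendor-etl,service_account,
"""
# Constructed auth log: timestamp credential_id vendor_tag source_ip outcome
AUTH_LOG = """\
2026-02-28T09:12:00+00:00 api-key-7f3 ExampleVendor 198.51.100.7 success
2026-03-01T18:05:00+00:00 api-key-7f3 ExampleVendor 198.51.100.7 failure
2026-03-02T02:40:00+00:00 vpn-vendor-01 ExampleVendor 198.51.100.9 success
2026-03-02T03:00:00+00:00 sftp-legacy-drop ExampleVendor 198.51.100.9 success
2026-03-02T08:00:00+00:00 jsmith OtherCo 203.0.113.4 success
"""
# Assumed contractual deadline for revoking all vendor access.
DEADLINE = datetime.fromisoformat("2026-03-01T18:00:00+00:00")

def load_inventory(text):
    """Map credential_id -> revocation time (None if never revoked)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["credential_id"]: (datetime.fromisoformat(r["revoked_at"])
                                 if r["revoked_at"] else None) for r in rows}

def parse_log(text):
    """Yield (time, credential_id, vendor_tag, outcome); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, cred, vendor, _ip, outcome = parts
        yield datetime.fromisoformat(ts), cred, vendor, outcome

def residual_access(inventory, log_text, vendor, deadline):
    """Return sorted (finding, credential_id) pairs for the exit review."""
    findings = set()
    for cred, revoked in inventory.items():
        if revoked is None or revoked > deadline:
            findings.add(("NOT_REVOKED_BY_DEADLINE", cred))
    for ts, cred, tag, outcome in parse_log(log_text):
        if tag != vendor:
            continue
        if cred not in inventory:  # access nobody knew to revoke
            findings.add(("UNINVENTORIED_CREDENTIAL", cred))
            continue
        if ts > (inventory[cred] or deadline):
            findings.add((f"{outcome.upper()}_AFTER_REVOCATION", cred))
    return sorted(findings)

if __name__ == "__main__":
    print(residual_access(load_inventory(INVENTORY_CSV), AUTH_LOG, "ExampleVendor", DEADLINE))
```

A FAILURE_AFTER_REVOCATION finding means your side blocked the attempt but the vendor side is still trying, which is the case the vendor's written confirmation is supposed to rule out.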

5. Customer Communication

For vendors providing services directly visible to customers — payment processing, account access, customer-facing platforms — the exit strategy must address what customers need to know, when, and through what channels.

The regulatory expectation is that customer impact is assessed as part of exit planning, not improvised during a wind-down. The Synapse collapse produced exactly the outcome that proactive planning is designed to avoid: customers discovering their accounts were frozen because a middleware provider had failed, with no warning and no clear explanation of when access would be restored.

6. Regulatory Notification

If a critical vendor supports a specific regulatory obligation — BSA/AML transaction monitoring, cybersecurity infrastructure, consumer compliance systems — the exit strategy should assess whether regulatory notification is required during or after termination.

Your vendor breach response process should ask this same question when a vendor incident occurs. When vendor problems cross into regulatory impact, the question isn’t only “what do we do operationally?” It’s also “who do we need to tell, and on what timeline?”

When Exit Plans Get Activated

Exit plans are activated in three scenarios that look very different in practice:

| Scenario | Lead Time | Key Risk |
| --- | --- | --- |
| Planned exit | Months | Complacency — “we have time to figure it out” |
| Performance-based exit | Weeks to months | Vendor cooperation decreases as relationship sours |
| Emergency exit | Days to hours | No cooperation, incomplete data, operational crisis |

Most programs are reasonably prepared for planned exits. Almost none have tested emergency scenarios.

The performance-based scenario is where most programs get caught. A vendor that’s underperforming or showing financial stress is also the vendor least likely to prioritize your transition. Initiating an exit conversation while continuing to depend on the vendor’s cooperation for data and access creates a tension that contract terms need to resolve — you can’t rely on goodwill when goodwill is depleted.

The Examination Question

Bank examiners reviewing TPRM programs have become direct about what they’re looking for post-Synapse. The core question isn’t whether you have an exit strategy document. It’s whether the document reflects how an exit would actually work.

What examiners probe:

  • Does the strategy reflect realistic migration timelines, not aspirational ones?
  • Are data return provisions contractually enforceable with specific format and timeline requirements?
  • Has the exit strategy been tested — at minimum, reviewed against actual data volumes and system dependencies?
  • Do critical staff know where the plan lives and what it requires of them?

The vendor risk management lifecycle and due diligence process are the front end of TPRM. Exit planning is the back end — and it’s increasingly the part that separates programs that satisfy examiners from programs that generate findings.

Building Exit Strategy Into Onboarding

The leverage to negotiate solid exit provisions exists exactly once: before you sign the contract. After onboarding, you’re negotiating from dependency.

A practical approach: add exit planning as a required section of your vendor due diligence questionnaire before any critical vendor is approved. The questions you need answered upfront:

  • In what format can you return our customer data, and on what timeline?
  • What transition assistance will you provide during an exit? For how long and at what cost?
  • What access revocation process do you follow, and how do you confirm it?
  • Do you have documented sub-processor dependencies that would affect a migration?

If a prospective vendor can’t answer these questions clearly, that’s due diligence information — not a barrier to the relationship, but a risk to document and manage.

So What?

The Synapse collapse wasn’t a black swan. It was a foreseeable failure mode — middleware dependency, inadequate ledger reconciliation, no tested wind-down plan — that played out at scale and froze $265 million in customer funds. The Federal Reserve’s enforcement response made clear what the regulatory standard is: if you can’t demonstrate how you’d manage a critical vendor exit, you weren’t managing third-party risk.

That standard now shows up in examinations. Not as a theoretical question, but as a request to walk through your exit strategy for your most critical vendor and explain how it would actually work.

The Third-Party Risk Management Kit includes a vendor offboarding checklist and exit planning framework aligned to OCC Bulletin 2023-17 — with contract review provisions for data return, access revocation, and transition assistance built in for critical and high-tier vendors. It’s the documentation your examiner will ask to see, ready to populate for your specific vendor relationships.

Frequently Asked Questions

What do regulators require in a vendor exit plan?

The 2023 Interagency Guidance on Third-Party Relationships (OCC Bulletin 2023-17, FDIC FIL-29-2023) requires banking organizations to address termination as a discrete phase of the third-party risk lifecycle. Specific expectations include: documented termination provisions in contracts (causes, notice periods, transition assistance); contingency plans for both planned exits and sudden vendor failures; transition plans for migrating to an alternate provider or bringing services in-house; and customer impact assessment. For critical vendors, regulators expect exit plans to be documented, tested, and periodically updated.

When should exit planning begin for a new vendor relationship?

Exit planning should begin before a vendor is onboarded — during contract negotiation, when you still have leverage. The 2023 Interagency Guidance explicitly calls for contingency plans including exit strategies to be developed as part of due diligence and contract negotiation. Waiting until a relationship is in distress, underperforming, or failing is too late: you'll be negotiating transition terms while simultaneously managing the operational impact of the failing relationship.

What are the key components of a vendor exit plan?

A complete exit plan covers six areas: (1) transition approach — migrate to an alternate provider, bring in-house, or discontinue the service; (2) transition timeline — how long does it realistically take given data volumes and system dependencies; (3) data handling — contractual right to receive data in a usable format, timeline for return, written confirmation of destruction on vendor systems; (4) access revocation — who revokes what credentials and confirms no residual access; (5) customer communication — what affected customers need to know and when; (6) regulatory notification — whether the regulator must be informed if the vendor supports a specific compliance obligation.

What happened with Synapse and what does it teach us about exit planning?

Synapse Financial Technologies, a BaaS middleware provider, filed Chapter 11 bankruptcy in April 2024. The collapse froze over $265 million across more than 100,000 customer accounts, with an estimated $65–96 million in customer funds unaccounted for due to ledger reconciliation failures between Synapse and its partner banks. The Federal Reserve issued a cease-and-desist order against Evolve Bank & Trust in June 2024, citing inadequate risk management of fintech partnerships. The core lesson: exit strategies must address what happens if the vendor fails suddenly — not just planned terminations — and must be tested, not just documented.

How do we handle data when a critical vendor is terminated?

Data handling in vendor termination requires three contractual rights: the right to receive your data in a usable format within a defined timeline, written confirmation from the vendor that your data has been deleted from their systems after transfer, and an internal validation process to confirm the data received is complete and accessible. Exam findings on exit planning frequently cite weak data return provisions — either the contract doesn't specify format and timeline, or the bank has never tested whether it could actually receive and use the data returned.

What's the difference between a vendor offboarding checklist and an exit strategy?

An offboarding checklist tells you what to do when terminating a vendor relationship you've already decided to end. An exit strategy tells you what you would do if that vendor failed tomorrow — whether you could continue to operate, how long migration would take, what customer impact you'd face, and whether you have the contractual rights to make that transition possible. Most TPRM programs have the former. Few have the latter — and that's what the 2023 interagency guidance and post-Synapse examiners are asking for.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
