Feature Third-Party Risk
Vendor Change Notification in TPRM: How to Catch Material Changes Before They Become Operational Surprises
CrowdStrike's Channel File 291 update crashed 8.5 million Windows systems across financial services — and most affected institutions had no contractual right to advance notice. OCC 2023-17 and DORA both require change notification rights in vendor contracts. Here's what to require and how to operationalize it.
Table of Contents
TL;DR
- CrowdStrike’s July 2024 Channel File 291 update crashed 8.5 million Windows systems across financial services — and most affected institutions had no contractual right to advance notice or the ability to delay the update
- The 2023 interagency guidance (OCC 2023-17) requires financial institutions to negotiate vendor change notification rights in contracts, but doesn’t specify timeframes — that obligation falls to contract negotiation
- DORA goes further: Article 30(2)(b) and the subcontracting RTS require advance notice plus a right to approve or object before material changes are implemented
- Enterprise change management is a standalone OCC supervisory priority in 2025 — examiners are looking at whether vendor contracts actually give institutions visibility and control
On July 19, 2024, at 04:09 UTC, CrowdStrike pushed a content configuration update called Channel File 291 to its Falcon sensor software. Within hours, approximately 8.5 million Windows machines running the Falcon agent had crashed. Airlines grounded flights. Hospitals diverted emergency patients. Banks froze ATM networks and halted trading operations. The financial services sector alone lost an estimated $1.15 billion in disruption costs.
The update wasn’t a software patch. It wasn’t a major version release. It was a routine content update — the kind CrowdStrike pushes regularly to update threat detection parameters — deployed automatically to customer endpoints with no advance notice and no option for customers to stage or delay the rollout.
From a cybersecurity standpoint, this was a software quality failure. From a TPRM standpoint, it was a vendor change management failure. Financial institutions had deployed a critical security vendor with automatic content updates and no contractual right to know what was coming before it arrived.
That gap is exactly what the 2023 interagency guidance and, for EU-facing operations, DORA are designed to close.
What “Material Change” Actually Means in TPRM
The 2023 interagency guidance on third-party relationships — OCC Bulletin 2023-17, FDIC FIL-23-029, and Federal Reserve SR 23-04 — requires banking organizations to maintain ongoing monitoring of vendor relationships and to have contractual rights sufficient to support that monitoring.
For vendor change notification specifically, the guidance identifies several categories that financial institutions should have contractual visibility into:
Ownership and corporate structure. Mergers, acquisitions, consolidations, or material ownership changes at the vendor level. When your critical data processor is acquired by a competitor or a private equity firm, that’s not a business-as-usual event — it affects the risk profile of the relationship.
Subcontracting changes. The vendor you contracted with may deliver the service through a chain of subcontractors. When that chain changes — new subprocessors, dropped subcontractors, changes to who actually handles customer data — your due diligence of the original vendor may no longer cover the actual service delivery. OCC 2023-17 explicitly addresses subcontractor oversight as an area requiring contractual visibility.
Key personnel changes. Leadership changes, departures of key technical staff, or changes to personnel with access to customer data and systems. Not every personnel change is material — but the Chief Information Security Officer of your payment processor departing is not the same as routine turnover.
Significant operational or strategic changes. This is the broadest category and the one that matters most for operational risk. CrowdStrike’s Channel File 291 fell into this bucket — a significant operational change to how the software processed threat detection parameters. The guidance doesn’t define “significant” precisely; the expectation is that contracts are negotiated to reflect what “significant” means for each specific vendor relationship and its criticality tier.
Financial condition changes. Material deterioration in the vendor’s financial condition — including credit downgrades, liquidity events, or formal distress signals — that could affect service continuity. The Synapse bankruptcy and its ripple effects on BaaS sponsor banks in 2024 made this category suddenly concrete for the industry.
The Contractual Gap Most TPRM Programs Have
The problem isn’t that financial institutions don’t know they should have change notification clauses. The problem is what those clauses typically contain.
Most vendor contracts include a “material change” notification provision. In practice, these clauses often have three gaps that make them functionally insufficient:
No defined notification timeline. The clause says “vendor will notify institution of material changes” but doesn’t specify when. Thirty days’ advance notice of a planned platform migration is meaningful. Notice the day the migration happens is not. The interagency guidance doesn’t mandate specific timeframes, which means contract negotiations determine whether the clause has operational value.
No right to object or approve. Notification alone is passive — it tells you something is happening. For changes that could materially affect operational risk, compliance posture, or data security, you need more than information. You need the ability to flag concerns, require a risk assessment, or delay implementation pending your review. Most boilerplate notification clauses don’t include this.
No termination right tied to change notification. If a notified change materially increases risk — a critical vendor acquired by a sanctioned entity, a subprocessor change moving customer data to a jurisdiction that creates compliance problems — you need a contractual right to exit the relationship without penalty. Without a change-triggered termination right, the notification tells you something unacceptable is happening and gives you no clean way out.
The vendor exit planning framework covers how to structure offboarding when you exercise that right. The contract provisions that make exit possible start at onboarding.
DORA: The Right to Object Before Implementation
For U.S. banks with EU operations, EU branches, or services provided to EU customers, DORA (Regulation 2022/2554) adds requirements that go beyond the interagency guidance.
DORA Article 30(2)(b) requires that ICT third-party service provider contracts include provisions for advance notice before changes to ICT services, particularly data processing locations. This is a baseline obligation for any in-scope ICT vendor contract.
The DORA RTS on subcontracting — Delegated Regulation 2025/532, which entered into force November 2025 — adds specificity. Article 5 requires financial entities to include provisions for:
- “Well in time” advance notice before material subcontracting changes are implemented
- The financial entity’s right to approve or object to material changes before they take effect
- The right to terminate the contract if subcontracting arrangements change in ways that create unacceptable risk
The phrase “well in time” is deliberately flexible — the RTS doesn’t prescribe 30 or 60 days. But the right to approve or object before implementation is unambiguous. Under DORA, notice after the fact doesn’t satisfy the requirement for material subcontracting changes.
For US banks navigating DORA compliance, the practical implication is that vendor contracts covering EU-facing services need change notification provisions that are substantively more protective than what most US TPRM programs currently negotiate. The right to object — and the operational process to exercise that right within the contract’s window — has to exist before the notification arrives.
Building the Change Monitoring Workflow
Contractual rights to notification are necessary but not sufficient. The notification has to arrive somewhere in your institution that can act on it.
The breakdown at most institutions isn’t that change notifications go uncontracted — it’s that they arrive in a procurement inbox, a vendor management system nobody monitors daily, or a contract database that business lines don’t access. When a notification about a data processing location change arrives and nothing happens for two weeks, the contractual right was exercised and the operational benefit was lost.
A functional change monitoring workflow has four components:
Centralized receipt. Change notifications from critical vendors should arrive in a monitored channel with designated owners and defined response SLAs — not a shared inbox treated as an archive.
Triage and risk assessment. Not every change notification requires escalation. The workflow needs a triage step: what’s the category of change, which processes does it affect, what’s the risk impact, and who needs to be involved? For operational changes to critical vendors, this typically involves the TPRM function, the relevant business line, and IT or security depending on the change type.
Escalation for material changes. Changes that cross defined risk thresholds — ownership changes, subprocessor changes involving customer data, security architecture changes, data location changes — should automatically trigger escalation to senior management or the risk committee. The escalation path should be defined in advance, not decided case-by-case when a notification arrives.
Documentation and closure. The change notification, the risk assessment, the escalation if any, and the outcome should be documented in the vendor file. If the change was accepted, document why. If conditions were imposed, document what they were and how they’ll be tracked. If a termination was initiated, document the trigger. This documentation is what examiners ask for.
The vendor due diligence process establishes the baseline risk profile that makes change triage meaningful — you need the original risk assessment to evaluate whether a reported change materially shifts it.
What the OCC Is Examining in 2025 and Beyond
Enterprise change management became a standalone supervisory priority in the OCC’s FY2025 Bank Supervision Operating Plan — elevated from a subcategory to its own examination focus area. The OCC’s Spring 2026 Semiannual Risk Perspective identified change implementation as an area of heightened supervisory attention, particularly for institutions managing rapid technology changes, core system migrations, and vendor-dependent operational transformations.
The FFIEC updated its Development, Acquisition, and Maintenance (DA&M) Booklet in August 2024. The updated booklet expanded coverage of third-party change management, adding expectations around how institutions should evaluate and manage changes to vendor-provided systems and services — not just internally developed technology.
Examiners evaluating vendor change management are looking for:
| Examination Area | What They Ask For |
|---|---|
| Contractual provisions | Notification clause with defined categories, timeframes, and right to object |
| Notification receipt log | Record of vendor change notifications received, with dispositions |
| Risk assessments | Documentation showing the institution evaluated significant changes before accepting them |
| Escalation records | Evidence of management review for changes that crossed risk thresholds |
| Testing records | Evidence that changes to critical systems were staged before production deployment |
The CrowdStrike question is directly relevant here. If an examiner asks how your institution manages automatic content updates from critical security vendors, “we deploy them automatically with no review mechanism” generates findings.
The Negotiation Problem
For large financial institutions with significant vendor relationships, negotiating substantive change notification provisions is achievable — the vendor values the relationship and has operational reasons to accommodate reasonable compliance requirements.
For community banks and fintechs dealing with enterprise software vendors, core processors, and major technology providers, the negotiation dynamic is often reversed. The vendor has a standard contract and leverage to enforce it.
Three practical approaches when you’re not the dominant party:
Negotiate what you can in the master agreement, use the SOW for the rest. Core notification provisions — categories, timeframes, escalation rights — belong in the master services agreement where they apply to the full relationship. Change staging rights and specific approval procedures can sometimes be negotiated in statements of work where there’s more flexibility.
Use regulatory requirements as negotiating cover. “Our regulators require advance notification of material subcontractor changes” is a different conversation than “we want a notification clause.” For vendors that serve regulated financial institutions, the interagency guidance and DORA requirements are not surprising — they’re known compliance obligations that experienced vendors have addressed in other contracts.
Compensating controls when contract terms aren’t achievable. When a vendor won’t negotiate meaningful notification provisions — for some cloud and SaaS vendors this is simply the product they sell at scale — document the decision and the compensating controls. What’s your detection capability if the vendor makes a change that affects your environment? What’s your response plan if a change causes disruption? What’s your fallback if the service is materially degraded? The absence of a contractual right isn’t automatically an examination finding if you have documented risk acceptance and alternative controls — but it has to be documented.
So What?
The CrowdStrike outage in July 2024 was a visible, dramatic demonstration of what happens when financial institutions deploy critical vendors without change visibility. The regulatory response is already reflected in the interagency guidance and DORA — and examiners are evaluating whether vendor contracts actually give financial institutions the rights those frameworks require.
The fix isn’t complex. It’s contract provisions that specify notification categories, advance notice periods, and the right to object before implementation — combined with an operational workflow that routes notifications to someone who can act on them. Neither piece works without the other.
Before the next vendor contract renewal cycle: pull the change notification clause from your five highest-criticality vendor contracts and evaluate it against those three gaps — specific categories, defined timeframes, right to object. For the gaps you find, determine whether they’re addressable in the current contract term or need to wait for renewal. Either way, document where you are and build the triage workflow now, so when the next Channel File 291 is announced, you have a process to run.
For a complete TPRM contract provision checklist, vendor change notification workflow template, and full vendor lifecycle documentation — including the due diligence questionnaire, risk tiering methodology, and ongoing monitoring templates — see the Third-Party Risk Management (TPRM) Kit.
Further reading:
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What types of vendor changes trigger notification requirements under OCC 2023-17?
Does the interagency guidance specify how quickly vendors must notify institutions of changes?
How does DORA handle vendor change notification for EU operations?
What contract terms capture vendor change notification rights?
How did the CrowdStrike outage relate to vendor change management?
What is the OCC's current supervisory focus on change management?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Keep reading
Related posts.
Third-Party Risk
The Marquis Software Breach: What 80 Banks and Credit Unions Need to Learn About Vendor Concentration Risk
In August 2025, Akira ransomware hit Marquis Software Solutions through an unpatched SonicWall firewall. By the time breach notifications went out—over two months later—80 banks and credit unions had been exposed, 824,000 consumers' data was compromised, and a ransom had reportedly been paid. Here's what your third-party risk program should take from it.
Jul 7, 2026
Third-Party Risk
AI Foundation Model Concentration Risk: When Your Entire AI Stack Depends on Three Vendors
The Cambridge Centre for Alternative Finance's 2026 report found 76% of financial institutions rely on OpenAI, 57% on Google, and 35% on Anthropic — while 63% build on external models rather than their own. Under OCC 2023-17 and DORA, that's not just an AI strategy question. It's a third-party concentration risk your TPRM program probably isn't mapped to address.
Jul 5, 2026
Third-Party Risk
Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties
OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.
Jul 3, 2026