Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Third-Party Risk

Vendor Change Notification in TPRM: How to Catch Material Changes Before They Become Operational Surprises

CrowdStrike's Channel File 291 update crashed 8.5 million Windows systems across financial services — and most affected institutions had no contractual right to advance notice. OCC 2023-17 and DORA both require change notification rights in vendor contracts. Here's what to require and how to operationalize it.

Table of Contents

TL;DR

  • CrowdStrike’s July 2024 Channel File 291 update crashed 8.5 million Windows systems across financial services — and most affected institutions had no contractual right to advance notice or the ability to delay the update
  • The 2023 interagency guidance (OCC 2023-17) requires financial institutions to negotiate vendor change notification rights in contracts, but doesn’t specify timeframes — that obligation falls to contract negotiation
  • DORA goes further: Article 30(2)(b) and the subcontracting RTS require advance notice plus a right to approve or object before material changes are implemented
  • Enterprise change management is a standalone OCC supervisory priority in 2025 — examiners are looking at whether vendor contracts actually give institutions visibility and control

On July 19, 2024, at 04:09 UTC, CrowdStrike pushed a content configuration update called Channel File 291 to its Falcon sensor software. Within hours, approximately 8.5 million Windows machines running the Falcon agent had crashed. Airlines grounded flights. Hospitals diverted emergency patients. Banks froze ATM networks and halted trading operations. The financial services sector alone lost an estimated $1.15 billion in disruption costs.

The update wasn’t a software patch. It wasn’t a major version release. It was a routine content update — the kind CrowdStrike pushes regularly to update threat detection parameters — deployed automatically to customer endpoints with no advance notice and no option for customers to stage or delay the rollout.

From a cybersecurity standpoint, this was a software quality failure. From a TPRM standpoint, it was a vendor change management failure. Financial institutions had deployed a critical security vendor with automatic content updates and no contractual right to know what was coming before it arrived.

That gap is exactly what the 2023 interagency guidance and, for EU-facing operations, DORA are designed to close.

What “Material Change” Actually Means in TPRM

The 2023 interagency guidance on third-party relationships — OCC Bulletin 2023-17, FDIC FIL-23-029, and Federal Reserve SR 23-04 — requires banking organizations to maintain ongoing monitoring of vendor relationships and to have contractual rights sufficient to support that monitoring.

For vendor change notification specifically, the guidance identifies several categories that financial institutions should have contractual visibility into:

Ownership and corporate structure. Mergers, acquisitions, consolidations, or material ownership changes at the vendor level. When your critical data processor is acquired by a competitor or a private equity firm, that’s not a business-as-usual event — it affects the risk profile of the relationship.

Subcontracting changes. The vendor you contracted with may deliver the service through a chain of subcontractors. When that chain changes — new subprocessors, dropped subcontractors, changes to who actually handles customer data — your due diligence of the original vendor may no longer cover the actual service delivery. OCC 2023-17 explicitly addresses subcontractor oversight as an area requiring contractual visibility.

Key personnel changes. Leadership changes, departures of key technical staff, or changes to personnel with access to customer data and systems. Not every personnel change is material — but the Chief Information Security Officer of your payment processor departing is not the same as routine turnover.

Significant operational or strategic changes. This is the broadest category and the one that matters most for operational risk. CrowdStrike’s Channel File 291 fell into this bucket — a significant operational change to how the software processed threat detection parameters. The guidance doesn’t define “significant” precisely; the expectation is that contracts are negotiated to reflect what “significant” means for each specific vendor relationship and its criticality tier.

Financial condition changes. Material deterioration in the vendor’s financial condition — including credit downgrades, liquidity events, or formal distress signals — that could affect service continuity. The Synapse bankruptcy and its ripple effects on BaaS sponsor banks in 2024 made this category suddenly concrete for the industry.

The Contractual Gap Most TPRM Programs Have

The problem isn’t that financial institutions don’t know they should have change notification clauses. The problem is what those clauses typically contain.

Most vendor contracts include a “material change” notification provision. In practice, these clauses often have three gaps that make them functionally insufficient:

No defined notification timeline. The clause says “vendor will notify institution of material changes” but doesn’t specify when. Thirty days’ advance notice of a planned platform migration is meaningful. Notice the day the migration happens is not. The interagency guidance doesn’t mandate specific timeframes, which means contract negotiations determine whether the clause has operational value.

No right to object or approve. Notification alone is passive — it tells you something is happening. For changes that could materially affect operational risk, compliance posture, or data security, you need more than information. You need the ability to flag concerns, require a risk assessment, or delay implementation pending your review. Most boilerplate notification clauses don’t include this.

No termination right tied to change notification. If a notified change materially increases risk — a critical vendor acquired by a sanctioned entity, a subprocessor change moving customer data to a jurisdiction that creates compliance problems — you need a contractual right to exit the relationship without penalty. Without a change-triggered termination right, the notification tells you something unacceptable is happening and gives you no clean way out.

The vendor exit planning framework covers how to structure offboarding when you exercise that right. The contract provisions that make exit possible start at onboarding.

DORA: The Right to Object Before Implementation

For U.S. banks with EU operations, EU branches, or services provided to EU customers, DORA (Regulation 2022/2554) adds requirements that go beyond the interagency guidance.

DORA Article 30(2)(b) requires that ICT third-party service provider contracts include provisions for advance notice before changes to ICT services, particularly data processing locations. This is a baseline obligation for any in-scope ICT vendor contract.

The DORA RTS on subcontracting — Delegated Regulation 2025/532, which entered into force November 2025 — adds specificity. Article 5 requires financial entities to include provisions for:

  • “Well in time” advance notice before material subcontracting changes are implemented
  • The financial entity’s right to approve or object to material changes before they take effect
  • The right to terminate the contract if subcontracting arrangements change in ways that create unacceptable risk

The phrase “well in time” is deliberately flexible — the RTS doesn’t prescribe 30 or 60 days. But the right to approve or object before implementation is unambiguous. Under DORA, notice after the fact doesn’t satisfy the requirement for material subcontracting changes.

For US banks navigating DORA compliance, the practical implication is that vendor contracts covering EU-facing services need change notification provisions that are substantively more protective than what most US TPRM programs currently negotiate. The right to object — and the operational process to exercise that right within the contract’s window — has to exist before the notification arrives.

Building the Change Monitoring Workflow

Contractual rights to notification are necessary but not sufficient. The notification has to arrive somewhere in your institution that can act on it.

The breakdown at most institutions isn’t that change notifications go uncontracted — it’s that they arrive in a procurement inbox, a vendor management system nobody monitors daily, or a contract database that business lines don’t access. When a notification about a data processing location change arrives and nothing happens for two weeks, the contractual right was exercised and the operational benefit was lost.

A functional change monitoring workflow has four components:

Centralized receipt. Change notifications from critical vendors should arrive in a monitored channel with designated owners and defined response SLAs — not a shared inbox treated as an archive.

Triage and risk assessment. Not every change notification requires escalation. The workflow needs a triage step: what’s the category of change, which processes does it affect, what’s the risk impact, and who needs to be involved? For operational changes to critical vendors, this typically involves the TPRM function, the relevant business line, and IT or security depending on the change type.

Escalation for material changes. Changes that cross defined risk thresholds — ownership changes, subprocessor changes involving customer data, security architecture changes, data location changes — should automatically trigger escalation to senior management or the risk committee. The escalation path should be defined in advance, not decided case-by-case when a notification arrives.

Documentation and closure. The change notification, the risk assessment, the escalation if any, and the outcome should be documented in the vendor file. If the change was accepted, document why. If conditions were imposed, document what they were and how they’ll be tracked. If a termination was initiated, document the trigger. This documentation is what examiners ask for.

The vendor due diligence process establishes the baseline risk profile that makes change triage meaningful — you need the original risk assessment to evaluate whether a reported change materially shifts it.

What the OCC Is Examining in 2025 and Beyond

Enterprise change management became a standalone supervisory priority in the OCC’s FY2025 Bank Supervision Operating Plan — elevated from a subcategory to its own examination focus area. The OCC’s Spring 2026 Semiannual Risk Perspective identified change implementation as an area of heightened supervisory attention, particularly for institutions managing rapid technology changes, core system migrations, and vendor-dependent operational transformations.

The FFIEC updated its Development, Acquisition, and Maintenance (DA&M) Booklet in August 2024. The updated booklet expanded coverage of third-party change management, adding expectations around how institutions should evaluate and manage changes to vendor-provided systems and services — not just internally developed technology.

Examiners evaluating vendor change management are looking for:

Examination AreaWhat They Ask For
Contractual provisionsNotification clause with defined categories, timeframes, and right to object
Notification receipt logRecord of vendor change notifications received, with dispositions
Risk assessmentsDocumentation showing the institution evaluated significant changes before accepting them
Escalation recordsEvidence of management review for changes that crossed risk thresholds
Testing recordsEvidence that changes to critical systems were staged before production deployment

The CrowdStrike question is directly relevant here. If an examiner asks how your institution manages automatic content updates from critical security vendors, “we deploy them automatically with no review mechanism” generates findings.

The Negotiation Problem

For large financial institutions with significant vendor relationships, negotiating substantive change notification provisions is achievable — the vendor values the relationship and has operational reasons to accommodate reasonable compliance requirements.

For community banks and fintechs dealing with enterprise software vendors, core processors, and major technology providers, the negotiation dynamic is often reversed. The vendor has a standard contract and leverage to enforce it.

Three practical approaches when you’re not the dominant party:

Negotiate what you can in the master agreement, use the SOW for the rest. Core notification provisions — categories, timeframes, escalation rights — belong in the master services agreement where they apply to the full relationship. Change staging rights and specific approval procedures can sometimes be negotiated in statements of work where there’s more flexibility.

Use regulatory requirements as negotiating cover. “Our regulators require advance notification of material subcontractor changes” is a different conversation than “we want a notification clause.” For vendors that serve regulated financial institutions, the interagency guidance and DORA requirements are not surprising — they’re known compliance obligations that experienced vendors have addressed in other contracts.

Compensating controls when contract terms aren’t achievable. When a vendor won’t negotiate meaningful notification provisions — for some cloud and SaaS vendors this is simply the product they sell at scale — document the decision and the compensating controls. What’s your detection capability if the vendor makes a change that affects your environment? What’s your response plan if a change causes disruption? What’s your fallback if the service is materially degraded? The absence of a contractual right isn’t automatically an examination finding if you have documented risk acceptance and alternative controls — but it has to be documented.

So What?

The CrowdStrike outage in July 2024 was a visible, dramatic demonstration of what happens when financial institutions deploy critical vendors without change visibility. The regulatory response is already reflected in the interagency guidance and DORA — and examiners are evaluating whether vendor contracts actually give financial institutions the rights those frameworks require.

The fix isn’t complex. It’s contract provisions that specify notification categories, advance notice periods, and the right to object before implementation — combined with an operational workflow that routes notifications to someone who can act on them. Neither piece works without the other.

Before the next vendor contract renewal cycle: pull the change notification clause from your five highest-criticality vendor contracts and evaluate it against those three gaps — specific categories, defined timeframes, right to object. For the gaps you find, determine whether they’re addressable in the current contract term or need to wait for renewal. Either way, document where you are and build the triage workflow now, so when the next Channel File 291 is announced, you have a process to run.

For a complete TPRM contract provision checklist, vendor change notification workflow template, and full vendor lifecycle documentation — including the due diligence questionnaire, risk tiering methodology, and ongoing monitoring templates — see the Third-Party Risk Management (TPRM) Kit.


Further reading:

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What types of vendor changes trigger notification requirements under OCC 2023-17?
OCC Bulletin 2023-17 (the June 2023 interagency TPRM guidance) requires banking organizations to establish contractual rights to receive notice of significant vendor changes, including: mergers, acquisitions, or consolidations; material changes to subcontractor relationships; key personnel changes affecting service delivery; significant strategic or operational changes that could affect service delivery; and changes to the vendor's financial condition. The guidance doesn't prescribe exact categories — it expects financial institutions to negotiate notification provisions based on the vendor's criticality and the nature of the services provided.
Does the interagency guidance specify how quickly vendors must notify institutions of changes?
No. The 2023 interagency guidance does not mandate specific notification timeframes. It expects financial institutions to negotiate timelines in contracts based on the criticality of the relationship. For critical vendors — those providing core banking services, processing customer data, or supporting regulatory compliance functions — best practice is 30-90 days advance notice for planned changes, with immediate or 24-hour notice for unplanned changes that affect service delivery. DORA is more specific: its RTS on subcontracting (Delegated Regulation 2025/532) requires 'well in time' advance notice for material changes, with the right to approve or object before implementation.
How does DORA handle vendor change notification for EU operations?
DORA Article 30(2)(b) requires contractual provisions for advance notification before data processing locations change. The DORA RTS on subcontracting (Delegated Regulation 2025/532, effective November 2025) adds specificity: Article 5 requires 'well in time' advance notice plus a right to approve or object before material subcontracting changes are implemented. For US banks with EU operations or EU-facing services, these requirements apply to contracts with ICT third-party service providers. The right to object — not just receive notice — is the key distinction from most US TPRM notification requirements.
What contract terms capture vendor change notification rights?
A complete change notification clause should cover: (1) the categories of changes that trigger notice — personnel, subcontractors, ownership, operational or strategic changes, data location; (2) minimum advance notice periods by change type; (3) the right to object to or approve certain changes before implementation; (4) the right to terminate without penalty if a notified change materially increases risk; and (5) escalation procedures for emergency changes. Many vendor contracts include a boilerplate 'material change' notification clause but omit the right to object and the termination trigger. Those two provisions are what give the clause teeth.
How did the CrowdStrike outage relate to vendor change management?
On July 19, 2024, CrowdStrike pushed a content configuration update — Channel File 291 — to its Falcon sensor software that caused approximately 8.5 million Windows systems to crash. The update was not a software patch; it was a routine content update that CrowdStrike's software deployed automatically with no advance customer notification. The financial services sector alone lost an estimated $1.15 billion in disruption costs. From a TPRM perspective, the failure was a change management gap: CrowdStrike had no contractual obligation to notify financial institution clients before pushing configuration changes, and institutions had no right to stage or delay the update.
What is the OCC's current supervisory focus on change management?
Enterprise change management became a standalone supervisory priority in the OCC's FY2025 Bank Supervision Operating Plan — elevated from a sub-topic to its own examination focus area. The OCC's Spring 2026 Semiannual Risk Perspective identified change implementation as an area of heightened attention, particularly for institutions managing rapid technology changes, core system migrations, and vendor-dependent operational transformations. The FFIEC updated its Development, Acquisition, and Maintenance (DA&M) Booklet in August 2024 to expand coverage of third-party change management requirements.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Third-Party Risk Management (TPRM) Kit

Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.

◆ Keep reading

Related posts.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.