Feature Third-Party Risk
35% of FDIC Banks Got a TPRM Finding in 2024: What Examiners Keep Flagging and How to Fix It
The FDIC's 2024 Risk Review found that 35% of supervised institutions had at least one third-party risk management finding. Incomplete due diligence and inadequate ongoing monitoring are the top deficiencies. Here's what examiners are actually testing under the 2023 interagency guidance.
Table of Contents
TL;DR
- The FDIC’s 2024 Risk Review found that 35% of supervised institutions had at least one TPRM finding — with incomplete due diligence and inadequate ongoing monitoring as the two most common deficiencies
- The 2023 interagency guidance (OCC 2023-17, FDIC FIL-29-2023, FR SR 23-4) applies a five-phase lifecycle framework to all third-party relationships, with heightened expectations for critical activities
- Blue Ridge Bank’s January 2024 OCC consent order shows what TPRM failure looks like at the enforcement level: fintech partnerships scaling faster than oversight, BSA/AML controls built on assumptions that vendors couldn’t support, and 90 days to document that risk was actually controlled
- The fix is less complicated than the finding suggests: documented risk assessments before onboarding, monitoring cadence tied to criticality, and evidence that the board exercises oversight of the program as a whole
One in three. That’s the rough takeaway from the FDIC’s 2024 Risk Review: 35% of FDIC-supervised institutions had at least one third-party risk management finding from their last examination cycle. This isn’t a fringe compliance problem affecting a handful of banks. It’s a systemic gap in how institutions are implementing — or not implementing — a framework that’s been clearly articulated for over three years.
The 2023 interagency guidance on third-party relationships (OCC Bulletin 2023-17, FDIC FIL-29-2023, Federal Reserve SR 23-4) was finalized June 6, 2023. It gave institutions a unified, comprehensive framework. The 35% finding rate says a large portion of the industry still hasn’t closed the gap between “we have a TPRM policy” and “our TPRM program passes examination.”
Here’s what examiners are actually testing, where programs consistently fall short, and what remediation looks like at both the operational and board level.
What the Interagency Guidance Actually Requires
The 2023 guidance applies to all banking organizations supervised by the OCC, FDIC, and Federal Reserve — and it consolidates what had previously been agency-specific frameworks into a single lifecycle model. The framework organizes third-party risk management into five phases:
- Planning — Before engaging a third party, assess the need and associated risks
- Due diligence — Evaluate the third party’s ability to perform and control for risk, scaled to the criticality of the relationship
- Contract negotiation — Establish terms that enable the institution to monitor, audit, and terminate the relationship as needed
- Ongoing monitoring — Continuous or periodic oversight proportional to the risk and criticality of the relationship
- Termination — Ensure the institution can exit the relationship without disrupting critical activities
The guidance explicitly differentiates between ordinary third-party relationships and those involving “critical activities” — services whose failure or disruption would significantly impair operations, financial stability, or compliance. Critical activity providers face heightened expectations at every phase, including board-level reporting.
The guidance also establishes that TPRM is a board-level governance obligation. The board is expected to approve risk appetite for third-party relationships, receive regular reporting on the overall program, and be informed when the institution enters relationships involving critical activities.
The Two Deficiencies Examiners Keep Finding
Deficiency 1: Incomplete Due Diligence
Incomplete due diligence doesn’t mean “you didn’t do any due diligence.” It usually means the due diligence that was completed wasn’t proportionate to the criticality of the relationship.
The pattern looks like this: an institution uses a vendor questionnaire developed for IT procurement and applies it uniformly across all third parties, regardless of whether the vendor handles customer data, supports a critical operational process, or has direct access to core systems. The questionnaire gets completed and filed. The relationship gets approved. When the examiner asks how due diligence was calibrated to the specific risks of this vendor and this activity, the answer is “we used the same process for everyone.”
That’s not what the guidance requires. Critical activity providers need due diligence that addresses their specific risk profile — financial condition, operational resilience, subcontracting practices, information security posture, regulatory standing, and business continuity capability. A cloud infrastructure vendor that hosts your core banking system needs a different review than the vendor who provides your marketing analytics platform.
The FDIC’s 2024 community bank TPRM guide, released in parallel with the Risk Review, specifically calls out tiered due diligence as a common gap — noting that many institutions have robust processes for high-criticality vendors and inadequate ones for everything else. The result is blind spots in the program that examiners find by pulling a sample of vendor relationships across criticality tiers.
Deficiency 2: Inadequate Ongoing Monitoring
This is where most TPRM programs fall apart in practice. The due diligence was done at onboarding. The contract was negotiated. The relationship was approved. Three years later, the vendor’s risk profile has changed materially — a security incident, a change in subcontractor, a shift in financial condition — and the institution has no record of having reviewed any of it.
The guidance expects ongoing monitoring proportional to criticality and risk. For critical activity providers, that means tracking adverse events (incidents, regulatory actions, ownership changes), reviewing performance against contractual SLAs, collecting updated due diligence materials at defined intervals, and documenting that the review happened.
What examiners look for in ongoing monitoring: a tracking log or system of record that shows when each vendor was last reviewed, what triggered the review, what was found, and what action was taken. Not a spreadsheet with “last reviewed 2022” entries across 80% of the vendor inventory.
The 2023 guidance introduced the concept of “event-driven” monitoring alongside periodic monitoring — meaning your monitoring program can’t just be annual reviews on a calendar. If your vendor has a significant breach, regulatory action, or material operational event, your program should have a mechanism to capture that, evaluate its implications for your relationship, and document the assessment.
What Consent Orders Teach You About the Threshold
The most instructive data point in the TPRM enforcement landscape isn’t a guidance document — it’s Blue Ridge Bank.
In January 2024, the OCC issued a consent order against Blue Ridge Bank, finding that the bank had failed to establish and maintain a reasonably designed BSA/AML compliance program. The proximate cause: a fintech partnership model that scaled faster than Blue Ridge’s ability to oversee it. BSA/AML risks that should have been caught through vendor oversight weren’t caught, because the bank’s monitoring processes hadn’t kept pace with the growth and complexity of its fintech relationships.
The consent order requirements are worth studying:
- Blue Ridge was required to obtain written OCC non-objection before onboarding any new fintech relationship or launching new products through existing fintech partners
- Within 90 days of the order, the bank had to document that BSA/AML risk was effectively controlled for each of its existing fintech relationships and subpartners
- The bank had to adopt a revised and expanded BSA audit program covering fintech-related transaction flows
- A compliance committee was required to submit written plans addressing both TPRM and BSA/AML deficiencies
That 90-day documentation sprint is instructive. The bank had to do in three months what a functioning TPRM program should have been doing on an ongoing basis. Blue Ridge was released from the consent order in November 2025 — nearly two years later.
Cross River Bank, Lineage Bank, and Piermont Bank all faced similar enforcement attention over fintech partnership oversight failures in the 2023-2025 period. The common thread: fintech partnerships that generated significant revenue and customer exposure, with oversight programs that didn’t scale alongside them.
The Five Lifecycle Phases: Where Programs Break
| Phase | Common Gap | What Examiners Look For |
|---|---|---|
| Planning | Risk isn’t assessed before the relationship starts — legal or compliance comes in after the business decision | Pre-engagement risk assessment documenting the nature of the relationship and key risk categories |
| Due diligence | Questionnaire is generic, not scaled to criticality; financial condition and business continuity not evaluated | Tiered due diligence materials proportionate to the vendor’s criticality; financial statements for critical vendors |
| Contract negotiation | Standard IT agreement without audit rights, incident notification, or termination provisions | Written agreements including right to audit, incident notification SLAs, performance standards, and subcontracting restrictions |
| Ongoing monitoring | No cadence; no tracking system; monitoring happens only when something goes wrong | Monitoring log with documented review dates, findings, and actions; evidence of event-driven updates |
| Termination | No exit strategy; no documentation of data return/destruction; no business continuity testing | Written transition plan for critical vendors; evidence that exit capabilities are tested |
Most programs have something at each phase. The deficiency is usually in the calibration: the process exists but isn’t proportionate to the risk, or evidence wasn’t retained in a way an examiner can verify.
For Fintechs: When Your Sponsor Bank’s TPRM Becomes Yours
If you’re a fintech operating through a sponsor bank or BaaS relationship, you’re the third party in your bank partner’s TPRM program. That matters in two directions.
First, your bank partner’s TPRM findings become your compliance posture problem. When the OCC examined Blue Ridge Bank and found TPRM deficiencies related to fintech oversight, the consequence wasn’t abstract — it meant Blue Ridge had to restrict its fintech onboarding, which meant existing fintechs faced increased scrutiny and new fintechs couldn’t be onboarded without OCC approval. If your bank partner has TPRM program gaps, you’re at risk even if your own controls are solid.
Second, your bank partner’s ongoing monitoring of your relationship is a real-time audit of your program. The RFI volumes, due diligence requests, and monitoring touchpoints your bank partner sends are their TPRM program in action. Rising RFI volume is a signal worth tracking in your own KRI framework — it often indicates your bank partner’s risk assessment of you has shifted, which can precede debanking decisions.
The OCC’s 2026 supervisory reset toward risk-based examination has reinforced that third-party risk is a focal point across exam types, not just in formal TPRM reviews.
What to Fix Before Your Next Exam
If the 35% finding rate means there’s a reasonable chance your program has gaps, the fix is more achievable than most institutions assume. The interagency guidance is comprehensive, but the minimum viable program it describes isn’t complicated:
Vendor inventory with criticality tiering. Every third-party relationship documented, with a criticality assessment that distinguishes critical activity providers from supporting vendors. This is the foundation — you can’t calibrate anything else without it.
Tiered due diligence. Different questionnaire depth for different criticality levels. Critical vendors get financial condition review, business continuity assessment, and information security evaluation. Lower-tier vendors get a lighter-touch review. Document the rationale for the tiering.
Written contracts with the right provisions. Audit rights, incident notification SLAs, performance standards, and subcontracting restrictions aren’t optional for critical activity providers. Pull a sample of your critical vendor contracts and verify they have all four.
Monitoring cadence in writing. A document that specifies how often each criticality tier is reviewed, what triggers an event-driven review, and who owns the review process. Not a policy — a calendar and a tracking log.
Board reporting. An annual summary of the TPRM program — vendor inventory, criticality distribution, findings from the year, high-risk relationships, and any relationships terminated — presented to and approved by the board or risk committee. This is what the guidance means by “board oversight.”
If your vendor offboarding and exit process isn’t documented, that’s also worth addressing — termination is consistently the most underdeveloped phase in most programs.
The Third-Party Risk Management (TPRM) Kit is built around this lifecycle — vendor inventory, tiered questionnaires, contract provisions checklist, monitoring log templates, and board reporting templates. For teams building or rebuilding a program, it covers the documentation artifacts examiners are looking for at each phase.
Also worth building now: a process for handling vendor change notifications — one of the more common ongoing monitoring gaps, where material changes to vendor ownership, subcontractors, or capabilities don’t get flagged and assessed because there’s no intake process for them.
So What?
A 35% finding rate means TPRM gaps are the norm, not the exception. The question isn’t whether your program has gaps — it’s which gaps, and how large.
The most useful thing you can do before your next exam cycle is work backward from the two most cited deficiency categories: pull a sample of recent vendor onboardings and ask whether the due diligence was scaled to the criticality of the relationship. Then pull the same sample and ask whether ongoing monitoring has been documented since onboarding. If you get uncomfortable answers on either question, you’ve identified the work.
The 2023 interagency guidance is clear. The examination expectations are consistent. The enforcement record is public. What’s left is execution.
Sources: FDIC 2024 Risk Review · OCC Bulletin 2023-17 — Interagency Guidance on Third-Party Relationships · FDIC FIL-29-2023 · OCC Consent Order — Blue Ridge Bank, January 2024 · Banking Dive — OCC Orders Blue Ridge Bank to Bolster Fintech Partnership Oversight
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What are the most common TPRM examination deficiencies under the 2023 interagency guidance?
What does the 2023 interagency TPRM guidance require that prior guidance didn't?
What did the Blue Ridge Bank OCC consent order require for fintech partnerships?
How should fintechs think about their sponsor bank's TPRM requirements?
What's the minimum viable TPRM program for a community bank or small fintech?
How often should third-party risk assessments be updated?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Keep reading
Related posts.
Third-Party Risk
The Marquis Software Breach: What 80 Banks and Credit Unions Need to Learn About Vendor Concentration Risk
In August 2025, Akira ransomware hit Marquis Software Solutions through an unpatched SonicWall firewall. By the time breach notifications went out—over two months later—80 banks and credit unions had been exposed, 824,000 consumers' data was compromised, and a ransom had reportedly been paid. Here's what your third-party risk program should take from it.
Jul 7, 2026
Third-Party Risk
AI Foundation Model Concentration Risk: When Your Entire AI Stack Depends on Three Vendors
The Cambridge Centre for Alternative Finance's 2026 report found 76% of financial institutions rely on OpenAI, 57% on Google, and 35% on Anthropic — while 63% build on external models rather than their own. Under OCC 2023-17 and DORA, that's not just an AI strategy question. It's a third-party concentration risk your TPRM program probably isn't mapped to address.
Jul 5, 2026
Third-Party Risk
Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties
OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.
Jul 3, 2026