Feature Third-Party Risk
Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties
OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.
Table of Contents
TL;DR
- OCC 2023-17 (June 2023 interagency guidance) requires ongoing financial health monitoring for critical third-party vendors — but most TPRM programs treat it as a checkbox on an annual renewal form
- Six financial distress signals should trigger enhanced monitoring: going-concern qualifications, material weakness disclosures, auditor changes, credit rating downgrades, late filings, and covenant violations
- The Synapse collapse demonstrated what happens when private-vendor financial monitoring is reactive — sponsor banks had no early warning before Chapter 11
- Private company vendors require contractual information rights to financial statements — without them, ongoing monitoring is surveillance of nothing
Most third-party risk programs are built to handle vendor review. Contracts are assessed. SOC 2 reports are scored. Questionnaires come back and get filed. Business continuity plans are collected. The review gets documented and the vendor gets re-approved for another year.
What most programs are not built to handle: a vendor that was financially healthy at the last annual review and is approaching insolvency four months later.
OCC 2023-17 — the June 2023 interagency third-party risk management guidance — requires ongoing monitoring that’s closer to active surveillance than periodic review. For critical third parties, financial condition is one of the explicit monitoring categories. What the guidance doesn’t say is what a defensible financial health monitoring program actually looks like in practice.
Here’s the template.
What OCC 2023-17 Requires for Ongoing Monitoring
The 2023 interagency guidance restructures third-party risk management around a six-phase lifecycle: planning, due diligence, contract negotiation, ongoing monitoring, termination, and oversight. Financial condition monitoring falls squarely in the ongoing monitoring phase — and the guidance is explicit that depth should match the criticality of the relationship.
For critical third parties, the guidance expects monitoring that covers:
- Financial condition and performance
- Changes in the vendor’s operating environment
- Compliance with contractual obligations
- Business continuity and incident response readiness
- Subcontractor (fourth-party) risk
The FDIC’s companion Financial Institution Letter reinforced that “ongoing monitoring should be proportionate to the level of risk and complexity of the third-party relationship.” For critical vendors, that means genuine surveillance — not annual renewal paperwork.
What examiners test:
| Monitoring Element | What Examiners Look For |
|---|---|
| Financial condition | Documented periodic review of financial statements or available financial data |
| Frequency | Annual minimum for critical vendors; enhanced cadence for flagged vendors |
| Signal response | Evidence that distress indicators triggered documented escalation |
| Private vendor handling | Contractual provisions requiring financial disclosure |
| Documentation | Reviewer, date, findings, and any follow-up actions |
The TPRM examination deficiencies from 2024 show that ongoing monitoring — not initial due diligence — is where most programs have documented gaps. The deficiency is rarely in vendor selection; it’s in what happens between initial review and the end of the relationship.
Six Financial Distress Signals That Should Trigger Enhanced Monitoring
Effective financial health surveillance means knowing what to look for. These six signals are the ones that most consistently appear in post-event analyses as early warnings that were either missed or detected too late:
1. Going-concern qualification in audited financial statements
When an external auditor includes a going-concern paragraph in an audit opinion, they’re formally disclosing doubt about the entity’s ability to continue operating for the next twelve months. This is not an obscure accounting nuance — it’s a prominent disclosure in any audited financial statement. A critical vendor that receives a going-concern qualification should immediately trigger enhanced monitoring and contingency planning.
2. Material weakness in internal controls
A material weakness is an auditor’s finding that there’s a reasonable possibility of a material misstatement in financial statements that won’t be detected. For publicly traded vendors, this appears in annual 10-K filings. The presence of a material weakness means the vendor’s financial reporting may not be reliable — which directly undermines your ability to assess their financial condition at all.
3. Auditor change without disclosed rationale
Unexplained changes in external auditors — particularly when a larger, nationally recognized firm is replaced by a smaller regional firm — are a documented precursor to financial distress. Auditor independence disputes often precede material weakness disclosures and, in some cases, restatements. If a critical vendor changes auditors without a disclosed rationale, flag it for inquiry.
4. Credit rating downgrade or watchlist placement
For vendors with rated debt, credit agency actions are leading indicators of financial stress. A downgrade into non-investment-grade territory or placement on negative watch signals material deterioration in creditworthiness. This information is publicly available for rated vendors — but requires systematic tracking rather than ad-hoc awareness.
5. Late or missed financial statement filings
For SEC-reporting vendors, late filings of annual or quarterly reports require disclosure via Form NT. Late filings are consistently associated with internal control failures, accounting irregularities, and financial stress. A critical vendor that misses a SEC filing deadline is telling you something — whether intentionally or not.
6. Covenant violations or debt restructuring
Covenant violations disclosed in debt agreements, requests for waivers, or debt restructuring events are direct evidence of financial constraint. For vendors with publicly available debt agreements, covenant monitoring requires reading the actual agreement and tracking the relevant financial metrics — not just waiting for press releases.
The Synapse Case Study: What Late Detection Looks Like
In April 2024, Synapse Financial Technologies — a middleware provider connecting fintech apps with sponsor banks — filed for Chapter 11 bankruptcy. The collapse affected multiple fintech companies and their end customers, with millions of dollars in customer funds subject to reconciliation disputes between custodian banks.
From a TPRM perspective, the Synapse failure demonstrated two critical failures in vendor financial health monitoring:
The private-company blind spot. Synapse was a private company. It had no SEC filing obligations, no public credit rating, and no requirement to publish audited financial statements. Sponsor banks relying on Synapse as critical infrastructure had limited access to financial data — unless they had contractual provisions requiring disclosure. Most didn’t.
The lag between deterioration and detection. By the time Chapter 11 was filed, the financial stress that led to the collapse had been building for months. Institutions that monitored only publicly available signals — or waited for annual reviews — had no meaningful advance warning. The ones with better outcomes had either diversified their middleware relationships or had enough early warning to begin contingency planning.
The BaaS vendor exit planning lessons from Synapse and similar collapses have reshaped what examiners expect from sponsor banks. Financial health monitoring for infrastructure-critical vendors is now an examination priority, not a theoretical concern.
The Private Vendor Problem — and How Contracts Solve It
The most common gap in vendor financial health monitoring is the private vendor. Most financial technology vendors, community bank processors, and fintech infrastructure providers are private companies with no public disclosure obligations.
Without contractual provisions, your ongoing monitoring options for a private vendor are limited to: press coverage, LinkedIn for leadership changes, Dun & Bradstreet commercial credit reports, and conversations with your vendor relationship manager. None of those are reliable early warning systems.
The contract is the fix. TPRM programs that address private vendor financial risk include provisions that require:
- Annual delivery of audited financial statements (or reviewed statements for smaller vendors) within a specified number of days after fiscal year end
- Going-concern notification — an obligation to notify the bank within a defined period if the vendor receives a going-concern qualification or becomes aware of material financial distress
- Material change notification for ownership changes, significant credit events, and key personnel departures
- Step-in rights or exit assistance in the event of vendor insolvency — the right to receive customer data, documentation, and support even if the vendor is winding down
The vendor change notification framework covers how these provisions interact with ongoing monitoring requirements and what contract language examiners look for when reviewing your critical vendor agreements.
For existing contracts without these provisions, the next renewal cycle is the window. For critical vendors on long-term contracts with no near-term renewal, a contract amendment is worth pursuing — the cost of negotiating it is lower than the cost of a vendor failure without an early warning system.
Escalation and Documentation: What Makes Monitoring Real
The difference between genuine ongoing monitoring and a checkbox exercise is escalation and documentation.
When your review identifies a financial distress signal, three things should happen:
- The signal is documented — what was identified, from what source, by whom, and on what date
- The risk rating is reassessed — if the signal is material, the vendor’s overall risk tier needs to be revisited and potentially elevated
- Escalation is triggered — who receives the finding and what the follow-up action is (enhanced monitoring, exit contingency planning, contract review, or direct vendor notification)
This chain — signal to documentation to assessment to escalation — is the audit trail that examiners review. A program that identifies going-concern language in a vendor’s financial statements but has no documentation of the discovery and no documented escalation looks identical to a program that never reviewed the financial statements at all.
For institutions that receive MRAs or examination findings on TPRM, the weakness is almost always in the monitoring and escalation chain, not in the initial due diligence. The issues management tracker is where those escalation actions need to be captured — not just in email threads that don’t survive a personnel change.
So What? A 5-Step Action Plan for TPRM Teams
Step 1: Segment your critical vendor list by financial monitoring coverage. For each critical vendor: what financial data source do you have? Publicly available SEC filings? Contractual right to audited statements? Commercial credit report? Or nothing? The vendors in the “nothing” bucket are your first priority.
Step 2: Build the six-signal monitoring checklist into your annual review. Add explicit review steps for: going-concern language in most recent audited financials, material weakness disclosures, auditor changes, credit rating changes (for rated vendors), SEC filing timeliness, and disclosed covenant issues. These are all reviewable in under an hour per vendor for public companies.
Step 3: Assess your critical private vendor contracts for information rights. For each private critical vendor: does the contract require annual financial statement delivery? Going-concern notification? Flag any that don’t. Prioritize them for renewal amendment or supplemental agreement.
Step 4: Define your escalation triggers and document them. What financial indicators automatically trigger enhanced monitoring? What triggers escalation to executive risk committee? What triggers exit contingency planning? Write it into your TPRM policy so there’s no ambiguity when a signal appears.
Step 5: Document every monitoring review as if it will be an exhibit in an examination. Date, reviewer, source, findings, risk rating impact, and follow-up actions. The documentation is the monitoring, from an examiner’s perspective.
The Third-Party Risk Management Kit includes a vendor financial health monitoring checklist, contract provision templates for financial disclosure rights, escalation workflow documentation, and the TPRM ongoing monitoring tracker that covers all six signal categories across your critical vendor portfolio.
Financial distress rarely announces itself with advance notice. What separates institutions that catch it early from the ones that find out when the vendor files Chapter 11 is a monitoring program designed to catch signals — not just confirm status at renewal time. OCC 2023-17’s ongoing monitoring requirement is the mandate. A structured financial health surveillance program is how you meet it.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What does OCC 2023-17 require for ongoing financial health monitoring of vendors?
How often should we review a critical vendor's financial condition?
What financial distress signals should trigger enhanced monitoring for a vendor?
How do we monitor financial health for private company vendors?
What happened in the Synapse bankruptcy that's relevant to vendor financial health monitoring?
What documentation should exist for vendor financial health monitoring?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Keep reading
Related posts.
Third-Party Risk
The Marquis Software Breach: What 80 Banks and Credit Unions Need to Learn About Vendor Concentration Risk
In August 2025, Akira ransomware hit Marquis Software Solutions through an unpatched SonicWall firewall. By the time breach notifications went out—over two months later—80 banks and credit unions had been exposed, 824,000 consumers' data was compromised, and a ransom had reportedly been paid. Here's what your third-party risk program should take from it.
Jul 7, 2026
Third-Party Risk
AI Foundation Model Concentration Risk: When Your Entire AI Stack Depends on Three Vendors
The Cambridge Centre for Alternative Finance's 2026 report found 76% of financial institutions rely on OpenAI, 57% on Google, and 35% on Anthropic — while 63% build on external models rather than their own. Under OCC 2023-17 and DORA, that's not just an AI strategy question. It's a third-party concentration risk your TPRM program probably isn't mapped to address.
Jul 5, 2026
Third-Party Risk
GENIUS Act Stablecoin Custody: The Due Diligence Framework Your TPRM Program Doesn't Cover Yet
The GENIUS Act's July 18, 2026 rulemaking deadline is 16 days away. When final rules land, every bank acting as a stablecoin custodian — or relying on one — will face vendor oversight obligations your standard TPRM template wasn't built to address. Here's the framework.
Jul 1, 2026