Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Third-Party Risk

Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties

OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.

Table of Contents

TL;DR

  • OCC 2023-17 (June 2023 interagency guidance) requires ongoing financial health monitoring for critical third-party vendors — but most TPRM programs treat it as a checkbox on an annual renewal form
  • Six financial distress signals should trigger enhanced monitoring: going-concern qualifications, material weakness disclosures, auditor changes, credit rating downgrades, late filings, and covenant violations
  • The Synapse collapse demonstrated what happens when private-vendor financial monitoring is reactive — sponsor banks had no early warning before Chapter 11
  • Private company vendors require contractual information rights to financial statements — without them, ongoing monitoring is surveillance of nothing

Most third-party risk programs are built to handle vendor review. Contracts are assessed. SOC 2 reports are scored. Questionnaires come back and get filed. Business continuity plans are collected. The review gets documented and the vendor gets re-approved for another year.

What most programs are not built to handle: a vendor that was financially healthy at the last annual review and is approaching insolvency four months later.

OCC 2023-17 — the June 2023 interagency third-party risk management guidance — requires ongoing monitoring that’s closer to active surveillance than periodic review. For critical third parties, financial condition is one of the explicit monitoring categories. What the guidance doesn’t say is what a defensible financial health monitoring program actually looks like in practice.

Here’s the template.


What OCC 2023-17 Requires for Ongoing Monitoring

The 2023 interagency guidance restructures third-party risk management around a six-phase lifecycle: planning, due diligence, contract negotiation, ongoing monitoring, termination, and oversight. Financial condition monitoring falls squarely in the ongoing monitoring phase — and the guidance is explicit that depth should match the criticality of the relationship.

For critical third parties, the guidance expects monitoring that covers:

  • Financial condition and performance
  • Changes in the vendor’s operating environment
  • Compliance with contractual obligations
  • Business continuity and incident response readiness
  • Subcontractor (fourth-party) risk

The FDIC’s companion Financial Institution Letter reinforced that “ongoing monitoring should be proportionate to the level of risk and complexity of the third-party relationship.” For critical vendors, that means genuine surveillance — not annual renewal paperwork.

What examiners test:

Monitoring ElementWhat Examiners Look For
Financial conditionDocumented periodic review of financial statements or available financial data
FrequencyAnnual minimum for critical vendors; enhanced cadence for flagged vendors
Signal responseEvidence that distress indicators triggered documented escalation
Private vendor handlingContractual provisions requiring financial disclosure
DocumentationReviewer, date, findings, and any follow-up actions

The TPRM examination deficiencies from 2024 show that ongoing monitoring — not initial due diligence — is where most programs have documented gaps. The deficiency is rarely in vendor selection; it’s in what happens between initial review and the end of the relationship.


Six Financial Distress Signals That Should Trigger Enhanced Monitoring

Effective financial health surveillance means knowing what to look for. These six signals are the ones that most consistently appear in post-event analyses as early warnings that were either missed or detected too late:

1. Going-concern qualification in audited financial statements

When an external auditor includes a going-concern paragraph in an audit opinion, they’re formally disclosing doubt about the entity’s ability to continue operating for the next twelve months. This is not an obscure accounting nuance — it’s a prominent disclosure in any audited financial statement. A critical vendor that receives a going-concern qualification should immediately trigger enhanced monitoring and contingency planning.

2. Material weakness in internal controls

A material weakness is an auditor’s finding that there’s a reasonable possibility of a material misstatement in financial statements that won’t be detected. For publicly traded vendors, this appears in annual 10-K filings. The presence of a material weakness means the vendor’s financial reporting may not be reliable — which directly undermines your ability to assess their financial condition at all.

3. Auditor change without disclosed rationale

Unexplained changes in external auditors — particularly when a larger, nationally recognized firm is replaced by a smaller regional firm — are a documented precursor to financial distress. Auditor independence disputes often precede material weakness disclosures and, in some cases, restatements. If a critical vendor changes auditors without a disclosed rationale, flag it for inquiry.

4. Credit rating downgrade or watchlist placement

For vendors with rated debt, credit agency actions are leading indicators of financial stress. A downgrade into non-investment-grade territory or placement on negative watch signals material deterioration in creditworthiness. This information is publicly available for rated vendors — but requires systematic tracking rather than ad-hoc awareness.

5. Late or missed financial statement filings

For SEC-reporting vendors, late filings of annual or quarterly reports require disclosure via Form NT. Late filings are consistently associated with internal control failures, accounting irregularities, and financial stress. A critical vendor that misses a SEC filing deadline is telling you something — whether intentionally or not.

6. Covenant violations or debt restructuring

Covenant violations disclosed in debt agreements, requests for waivers, or debt restructuring events are direct evidence of financial constraint. For vendors with publicly available debt agreements, covenant monitoring requires reading the actual agreement and tracking the relevant financial metrics — not just waiting for press releases.


The Synapse Case Study: What Late Detection Looks Like

In April 2024, Synapse Financial Technologies — a middleware provider connecting fintech apps with sponsor banks — filed for Chapter 11 bankruptcy. The collapse affected multiple fintech companies and their end customers, with millions of dollars in customer funds subject to reconciliation disputes between custodian banks.

From a TPRM perspective, the Synapse failure demonstrated two critical failures in vendor financial health monitoring:

The private-company blind spot. Synapse was a private company. It had no SEC filing obligations, no public credit rating, and no requirement to publish audited financial statements. Sponsor banks relying on Synapse as critical infrastructure had limited access to financial data — unless they had contractual provisions requiring disclosure. Most didn’t.

The lag between deterioration and detection. By the time Chapter 11 was filed, the financial stress that led to the collapse had been building for months. Institutions that monitored only publicly available signals — or waited for annual reviews — had no meaningful advance warning. The ones with better outcomes had either diversified their middleware relationships or had enough early warning to begin contingency planning.

The BaaS vendor exit planning lessons from Synapse and similar collapses have reshaped what examiners expect from sponsor banks. Financial health monitoring for infrastructure-critical vendors is now an examination priority, not a theoretical concern.


The Private Vendor Problem — and How Contracts Solve It

The most common gap in vendor financial health monitoring is the private vendor. Most financial technology vendors, community bank processors, and fintech infrastructure providers are private companies with no public disclosure obligations.

Without contractual provisions, your ongoing monitoring options for a private vendor are limited to: press coverage, LinkedIn for leadership changes, Dun & Bradstreet commercial credit reports, and conversations with your vendor relationship manager. None of those are reliable early warning systems.

The contract is the fix. TPRM programs that address private vendor financial risk include provisions that require:

  • Annual delivery of audited financial statements (or reviewed statements for smaller vendors) within a specified number of days after fiscal year end
  • Going-concern notification — an obligation to notify the bank within a defined period if the vendor receives a going-concern qualification or becomes aware of material financial distress
  • Material change notification for ownership changes, significant credit events, and key personnel departures
  • Step-in rights or exit assistance in the event of vendor insolvency — the right to receive customer data, documentation, and support even if the vendor is winding down

The vendor change notification framework covers how these provisions interact with ongoing monitoring requirements and what contract language examiners look for when reviewing your critical vendor agreements.

For existing contracts without these provisions, the next renewal cycle is the window. For critical vendors on long-term contracts with no near-term renewal, a contract amendment is worth pursuing — the cost of negotiating it is lower than the cost of a vendor failure without an early warning system.


Escalation and Documentation: What Makes Monitoring Real

The difference between genuine ongoing monitoring and a checkbox exercise is escalation and documentation.

When your review identifies a financial distress signal, three things should happen:

  1. The signal is documented — what was identified, from what source, by whom, and on what date
  2. The risk rating is reassessed — if the signal is material, the vendor’s overall risk tier needs to be revisited and potentially elevated
  3. Escalation is triggered — who receives the finding and what the follow-up action is (enhanced monitoring, exit contingency planning, contract review, or direct vendor notification)

This chain — signal to documentation to assessment to escalation — is the audit trail that examiners review. A program that identifies going-concern language in a vendor’s financial statements but has no documentation of the discovery and no documented escalation looks identical to a program that never reviewed the financial statements at all.

For institutions that receive MRAs or examination findings on TPRM, the weakness is almost always in the monitoring and escalation chain, not in the initial due diligence. The issues management tracker is where those escalation actions need to be captured — not just in email threads that don’t survive a personnel change.


So What? A 5-Step Action Plan for TPRM Teams

Step 1: Segment your critical vendor list by financial monitoring coverage. For each critical vendor: what financial data source do you have? Publicly available SEC filings? Contractual right to audited statements? Commercial credit report? Or nothing? The vendors in the “nothing” bucket are your first priority.

Step 2: Build the six-signal monitoring checklist into your annual review. Add explicit review steps for: going-concern language in most recent audited financials, material weakness disclosures, auditor changes, credit rating changes (for rated vendors), SEC filing timeliness, and disclosed covenant issues. These are all reviewable in under an hour per vendor for public companies.

Step 3: Assess your critical private vendor contracts for information rights. For each private critical vendor: does the contract require annual financial statement delivery? Going-concern notification? Flag any that don’t. Prioritize them for renewal amendment or supplemental agreement.

Step 4: Define your escalation triggers and document them. What financial indicators automatically trigger enhanced monitoring? What triggers escalation to executive risk committee? What triggers exit contingency planning? Write it into your TPRM policy so there’s no ambiguity when a signal appears.

Step 5: Document every monitoring review as if it will be an exhibit in an examination. Date, reviewer, source, findings, risk rating impact, and follow-up actions. The documentation is the monitoring, from an examiner’s perspective.

The Third-Party Risk Management Kit includes a vendor financial health monitoring checklist, contract provision templates for financial disclosure rights, escalation workflow documentation, and the TPRM ongoing monitoring tracker that covers all six signal categories across your critical vendor portfolio.

Financial distress rarely announces itself with advance notice. What separates institutions that catch it early from the ones that find out when the vendor files Chapter 11 is a monitoring program designed to catch signals — not just confirm status at renewal time. OCC 2023-17’s ongoing monitoring requirement is the mandate. A structured financial health surveillance program is how you meet it.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What does OCC 2023-17 require for ongoing financial health monitoring of vendors?
OCC 2023-17 (June 2023 interagency guidance) requires that ongoing monitoring for critical third parties include periodic review of their financial condition. The guidance doesn't prescribe a fixed frequency, but examination findings consistently treat annual financial review as a minimum for critical vendors, with more frequent monitoring expected for vendors showing early warning signs.
How often should we review a critical vendor's financial condition?
Annual financial review is the baseline expectation for critical vendors under OCC 2023-17. For vendors flagged with financial risk indicators — going-concern language, credit rating downgrade, material weakness disclosure, or auditor change — quarterly monitoring is the defensible standard. Some institutions trigger semi-annual review for all critical vendors regardless of status.
What financial distress signals should trigger enhanced monitoring for a vendor?
Six signals consistently appear in examination findings as triggers for enhanced monitoring: (1) going-concern qualification in audited financial statements, (2) material weakness or significant deficiency in internal controls, (3) auditor change without disclosed rationale, (4) credit rating downgrade or watch-list placement, (5) late or missed financial statement filings, (6) covenant violations or debt restructuring disclosed in SEC filings or financial statements.
How do we monitor financial health for private company vendors?
Private vendors don't have public filings, so financial health monitoring requires contract provisions that require disclosure. Your TPRM program should include contractual rights to audited annual financial statements, going-concern notification obligations, and material change notification requirements covering ownership changes, credit events, and key personnel departures. Without these provisions in the contract, you're monitoring blindly.
What happened in the Synapse bankruptcy that's relevant to vendor financial health monitoring?
Synapse Financial Technologies filed for Chapter 11 in April 2024. Sponsor banks that relied on Synapse as middleware had limited advance warning — Synapse was a private company not required to publish financial statements. The collapse left customer funds in reconciliation disputes across multiple custodian banks. The case demonstrated that private middleware vendors require aggressive contractual information rights, not just periodic review of publicly available data.
What documentation should exist for vendor financial health monitoring?
Documentation for each critical vendor should include: (1) the financial data reviewed and its source, (2) the review date and reviewer, (3) findings and risk rating impact, (4) any enhanced monitoring triggered and the rationale, and (5) escalation actions taken if warning signs were identified. This documentation trail is what examiners review when evaluating whether ongoing monitoring was genuine surveillance or a checkbox exercise.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Third-Party Risk Management (TPRM) Kit

Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.