Third-Party Risk Management – Exam Expectations for Vendor Oversight

In June 2023, the federal banking agencies issued final Interagency Guidance on Third-Party Relationships, consolidating and replacing prior guidance from the OCC, Federal Reserve, and FDIC. This update, reflected in OCC Bulletin 2023-17, sets clear expectations for how banks should manage risk across the lifecycle of third-party relationships. Examiners now expect institutions to demonstrate strong governance, risk-based due diligence, and ongoing monitoring of all vendors, including fintechs, cloud providers, and affiliates. Whether a relationship is critical or not, banks must show they understand and control the risks introduced by third parties.

Key Areas of Examiner Focus

Risk-Based Due Diligence: Examiners expect banks to tailor their due diligence based on the risk and complexity of the third-party relationship. This includes evaluating financial condition, legal and regulatory c...