AcadiFi
VendorRisk_Angela · 2026-01-24

How should banks manage third-party risk, and what are the regulatory expectations for outsourcing critical functions?

FRM II discusses third-party risk as a growing operational risk concern. Banks outsource everything from IT to compliance, but I'm unclear on what due diligence regulators expect, how to monitor ongoing risk, and what happens when a critical vendor fails.

94 upvotes
Verified Expert
AcadiFi Certified Professional

Third-party risk management (TPRM) has become one of the most scrutinized areas of operational risk, as banks increasingly depend on external vendors for critical functions. Regulators view outsourcing as transferring the activity but NOT the responsibility — the bank remains fully accountable.

Why Third-Party Risk Is Intensifying:

  • Cloud computing adoption (AWS, Azure, GCP hosting critical banking systems)
  • FinTech partnerships (payment processing, KYC/AML, lending platforms)
  • Concentration risk (multiple banks relying on the same few vendors)
  • Fourth-party risk (your vendor outsourcing to their vendor)

The TPRM Lifecycle:


1. Risk Assessment & Due Diligence:

  • Classify vendors by criticality (critical, significant, routine)
  • Assess financial stability, operational capability, security posture, regulatory standing
  • Review SOC 2 Type II reports, penetration testing results, BCP documentation
  • Evaluate concentration risk — is this vendor a single point of failure for multiple critical functions?

2. Contract Negotiation:

  • Right to audit clauses — the bank and its regulators must be able to inspect the vendor
  • Service Level Agreements (SLAs) with measurable performance metrics
  • Data protection and privacy requirements (GDPR, CCPA compliance)
  • Subcontracting restrictions — control over fourth-party risk
  • Termination provisions and transition assistance
  • Business continuity requirements specific to the services provided

3. Ongoing Monitoring:

  • Regular performance reviews against SLAs
  • Annual (or more frequent) risk reassessments for critical vendors
  • Continuous monitoring of vendor financial health and security posture
  • Tracking of incidents, near-misses, and control failures
  • Participation in vendor-specific business continuity tests

4. Issue Management:

  • Escalation procedures for SLA breaches
  • Remediation tracking and verification
  • Regulatory notification requirements for material vendor failures

5. Exit Strategy:

  • Every critical vendor arrangement must have a documented exit plan
  • Data migration procedures
  • Transition timeline (typically 6-18 months for critical functions)
  • Alternative vendor or in-house capability readiness

Regulatory Expectations:

  • Board-level oversight of critical third-party arrangements
  • Comprehensive third-party risk policy approved by senior management
  • Centralized inventory of all third-party relationships
  • Regular reporting to the board on third-party risk exposure
  • Regulators can examine critical service providers directly

Exam Tip: FRM II often tests the concept that outsourcing transfers the activity but not the accountability, and the specific elements of due diligence and ongoing monitoring.

Build your TPRM expertise in our FRM Part II question bank.
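As an added illustration (not part of the answer above or of AcadiFi's material), the concentration-risk and fourth-party points in the answer can be made concrete with code: given a centralized inventory of critical functions, their direct vendors, and each vendor's declared subcontractors, compute which single provider, if it failed, would take down more than one critical function. The function names, vendor names and the inventory below are constructed for the example and do not describe any real bank or vendor.

```python
"""Concentration and fourth-party exposure over a third-party inventory.

All data here is constructed for illustration; it is not drawn from any
real bank, vendor list or regulatory filing.
"""
from collections import defaultdict

# Constructed inventory (assumption): critical function -> directly
# contracted vendors. Each function appears to rely on a different vendor.
FUNCTIONS = {
    "core_banking": ["CoreSys"],
    "payments": ["PayCo"],
    "kyc_aml": ["IdentCheck"],
    "treasury_reporting": ["RegReport"],
}

# Constructed subcontracting map (assumption): vendor -> the providers it
# relies on. These are the bank's fourth parties.
SUBCONTRACTORS = {
    "CoreSys": ["CloudHost-A"],
    "PayCo": ["CloudHost-A", "DataCentre-X"],
    "IdentCheck": ["CloudHost-A"],
    "RegReport": ["DataCentre-X"],
    "CloudHost-A": [],
    "DataCentre-X": [],
}


def transitive_providers(vendor, subcontractors):
    """Return the vendor plus every provider reachable beneath it.

    Iterative depth-first walk with a visited set, so a circular
    subcontracting declaration (A uses B, B uses A) terminates.
    """
    seen, stack = set(), [vendor]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(subcontractors.get(v, []))
    return seen


def exposure_by_provider(functions, subcontractors):
    """Map each provider (direct or fourth party) to the set of critical
    functions that ultimately depend on it."""
    exposure = defaultdict(set)
    for func, vendors in functions.items():
        for v in vendors:
            for provider in transitive_providers(v, subcontractors):
                exposure[provider].add(func)
    return exposure


def single_points_of_failure(functions, subcontractors, threshold=2):
    """Providers whose outage would hit at least `threshold` critical
    functions. `fourth_party_only` marks providers the bank never
    contracted directly, i.e. exposure invisible to per-vendor reviews."""
    direct = {v for vs in functions.values() for v in vs}
    exposure = exposure_by_provider(functions, subcontractors)
    hits = []
    for provider, funcs in exposure.items():
        if len(funcs) >= threshold:
            hits.append({
                "provider": provider,
                "functions": sorted(funcs),
                "fourth_party_only": provider not in direct,
            })
    # Worst concentration first, then by name for a stable report.
    return sorted(hits, key=lambda h: (-len(h["functions"]), h["provider"]))


if __name__ == "__main__":
    for hit in single_points_of_failure(FUNCTIONS, SUBCONTRACTORS):
        tag = "fourth party" if hit["fourth_party_only"] else "direct vendor"
        print(f'{hit["provider"]} ({tag}) underpins: {", ".join(hit["functions"])}')
```

Run stand-alone, the report shows that no direct vendor is a concentration point on its own (each serves one function), yet two providers the bank never contracted carry the real single-point-of-failure exposure: one hosting provider sits under three of the four critical functions. That is why the answer pairs subcontracting restrictions in the contract with a centralized inventory: without the declared subcontractor data, this analysis cannot be run at all.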


#third-party-risk #outsourcing #vendor-management #due-diligence