Question 1

What is third-party risk management (TPRM)?

Accepted Answer

TPRM is the structured process of identifying, assessing, and managing risks introduced by vendors, suppliers, and service providers. It covers operational, cyber, compliance, reputational, concentration, and geopolitical risks across the entire third-party lifecycle.

Question 2

What is third-party risk management in banking?

Accepted Answer

In banking, TPRM is a regulatory requirement enforced by the FCA, PRA, and European supervisors under DORA. Banks must maintain registers of all ICT arrangements, conduct due diligence before engaging critical vendors, include mandatory contractual protections, and demonstrate continuous monitoring. Board-level accountability is non-negotiable under SM&#x26;CR.

Question 3

What is a third-party risk management framework?

Accepted Answer

A TPRM framework is the governance structure — policy, process, tools, and responsibilities — within which the organisation identifies and manages third-party risks. A mature framework covers all five lifecycle stages: inventory and tiering, pre-engagement due diligence, contractual protections, ongoing monitoring, and exit strategy.

Question 4

How often should vendor risk assessments be conducted?

Accepted Answer

Assessment frequency should be proportionate to vendor criticality. Critical vendors supporting important business services typically require quarterly reviews and continuous external monitoring. Standard vendors may be assessed annually. Trigger events — major incidents, financial distress, regulatory changes — should prompt immediate reassessment regardless of tier.

Question 5

What are the penalties for failing to manage third-party risk under DORA?

Accepted Answer

For financial entities, DORA non-compliance is enforced by national supervisors (e.g., the FCA for UK-regulated EU entities, or the relevant EU national competent authority). For designated critical ICT third-party providers, the ESAs can impose periodic penalties of up to 1% of average daily global turnover until compliance is restored.

Question 6

What is the difference between a compliance risk assessment and a business-wide risk assessment?

Accepted Answer

A compliance risk assessment is the general term for any structured evaluation of an organisation's exposure to regulatory breach and its consequences. A Business-Wide Risk Assessment (BWRA) is the specific type of compliance risk assessment required by the FCA and the Money Laundering Regulations 2017 for firms in scope of those regulations. The BWRA must cover all material compliance risks at the firm level — including money laundering, terrorist financing, sanctions, bribery, and conduct risks — and must be documented, kept current, and made available to the FCA on request. The BWRA sits above the Customer Risk Assessment (CRA), which applies the firm's risk methodology to individual customer relationships.

Question 7

How often should a compliance risk assessment be reviewed?

Accepted Answer

The FCA expects the BWRA to be reviewed formally at least once per year, with the review documented and approved by the responsible senior manager. In practice, a review should also be triggered by any of the following: launch of a new product or service, entry into a new geography or customer segment, a significant internal incident (fraud, regulatory breach, SAR filing trend), a material change in the regulatory framework, or new typology guidance from the NCA, JMLSG, or FATF. Annual review is a minimum, not a target — mature compliance functions embed continuous monitoring so that the formal annual review confirms a position already well understood by management.

Question 8

What happens if the board treats compliance risk assessment as a checkbox exercise?

Accepted Answer

The consequences of board-level disengagement from compliance risk assessment are both regulatory and personal. Under the Senior Managers and Certification Regime (SM&#x26;CR), the senior manager allocated responsibility for financial crime prevention is personally accountable for the adequacy of the firm's systems and controls. If the FCA investigates a breach and finds evidence that the risk assessment was not reviewed, not updated, or not presented to senior management in a meaningful way, the responsible senior manager cannot rely on ignorance as a defence. The FCA has the power to fine, suspend, or prohibit individual senior managers from performing regulated functions. Beyond SM&#x26;CR, a firm whose board treats compliance as a checkbox is also more likely to have under-resourced compliance functions, delayed remediation, and a culture of non-escalation — all of which compound regulatory exposure over time. The practical remedy is to translate risk register entries into financial metrics — estimated fine exposure, revenue at risk, remediation cost — so that board members engage with compliance data on the same terms they use for every other business risk.

Question 9

What are the consequences of an inadequate compliance risk assessment in the UK?

Accepted Answer

The consequences operate at three levels. First, regulatory: the FCA can impose unlimited financial penalties for breaches of the Money Laundering Regulations 2017 and FCA Handbook rules. Between 2020 and 2025, the FCA issued penalties totalling over £500 million against firms whose AML controls — including their risk assessments — were found to be inadequate. Second, criminal: under POCA 2002, individuals and firms can face prosecution for money laundering offences if inadequate controls allowed the firm to be used to facilitate financial crime. Third, reputational: regulatory censure, enforcement notices, and public statements cause direct harm to customer trust, correspondent banking relationships, and the firm's ability to operate in certain markets.

Question 10

Does a small firm need a formal compliance risk assessment?

Accepted Answer

Yes. The Money Laundering Regulations 2017 apply to all relevant persons — which includes banks, building societies, payment institutions, e-money institutions, credit brokers, accountants, solicitors, estate agents, and many other categories — regardless of size. The proportionality principle means that a small firm's BWRA will be less complex than that of a global bank, but it must still be documented, risk-based, and up to date. The FCA has taken enforcement action against small firms as well as large ones. Regulators have made clear that size reduces the complexity of the required framework, not the obligation to have one.

Compliance

Third-Party Risk Management (TPRM): Complete Guide 2026

Compliance Risk Assessment: A Practical Guide for UK Firms

Governance Risk Management Compliance (GRC): Complete Guide 2026

How to Build a Document Compliance Program from Scratch

Document Compliance Guide for Businesses in 2026

Vendor Compliance Certificate Verification: Practical Guide 2026

KYC: The Complete Guide for Businesses in 2026

Right to Work Check: Employer Compliance Guide 2026

Due diligence explained: complete checklist for businesses

Anti-Money Laundering: Complete AML Compliance Guide

AMLD6 Beneficial Ownership Verification Requirements

eIDAS 2.0: The EU Digital Identity Wallet

GDPR and Document Management: Practical Compliance Guide

MiCA 2026: Crypto KYC and Identity Rules

France E-Invoicing 2026: Compliance Guide

KYB: Business Document Verification Guide

AMLD6 Compliance: What Changes in 2026-2027

DORA 2026: Document Verification for Finance

Equipment Leasing: Document Compliance in 2026

GDPR and Identity Documents: Compliance Guide

KYC 2026: New Document Verification Requirements in Europe