
Third-Party Risk Management (TPRM): Complete US Guide 2026

Complete US guide to third-party risk management (TPRM): FinCEN, BSA, OCC guidance, vendor risk assessment, continuous monitoring and federal compliance requirements 2026.

Michael Torres, Compliance Director

Third-party risk management (TPRM) in the United States operates within one of the most complex and multi-layered regulatory environments in the world. 77% of all security breaches in the last three years originated from a vendor or third party (Whistic, 2025), and federal banking regulators — the OCC, Federal Reserve, and FDIC — have made TPRM a top supervisory priority for 2026. The interagency guidance on third-party relationships, finalized in June 2023, established a consistent federal framework that now forms the baseline for all US banking institutions.

This guide explains the US-specific regulatory framework, how FinCEN, BSA, OFAC, and the OCC interagency guidance shape TPRM obligations, and the five-stage programme structure that satisfies federal and state examiners in 2026.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult qualified legal counsel for organization-specific questions.

The US regulatory framework for TPRM

Interagency Guidance on Third-Party Relationships (2023)

The OCC, Federal Reserve, FDIC, and NCUA finalized joint Interagency Guidance on Third-Party Relationships in June 2023, replacing the OCC's prior 2013 bulletin and harmonizing expectations across federally regulated financial institutions. This guidance is the primary regulatory reference for US bank TPRM programmes.

The guidance establishes a life cycle framework covering:

  1. Planning: Risk assessment before entering any third-party relationship.
  2. Due Diligence and Third-Party Selection: Risk-based assessment of the vendor.
  3. Contract Negotiation: Provisions to manage risk and ensure regulatory access.
  4. Ongoing Monitoring: Continuous oversight proportionate to risk.
  5. Termination: Orderly exit with continuity of service.

The guidance explicitly states that a bank's board of directors and senior management are ultimately responsible for managing third-party relationships. This responsibility cannot be delegated or contractually transferred — even if the vendor is a regulated entity itself.

BSA/AML obligations and vendor risk

The Bank Secrecy Act (BSA) and its implementing regulations — administered by FinCEN — impose specific obligations on US financial institutions when using third-party service providers for BSA/AML functions such as transaction monitoring, suspicious activity report (SAR) filing support, or customer identification programme (CIP) processes.

Under FinCEN's long-standing guidance, a bank that uses a third party to perform BSA/AML functions remains fully responsible for BSA/AML compliance. The bank cannot contract away its regulatory obligations. This means:

  • Third-party BSA/AML service providers must be assessed for their own compliance posture.
  • Banks must conduct periodic testing of third-party-managed BSA/AML functions.
  • Any SAR filing errors caused by a vendor remain the bank's legal liability.

OFAC compliance and vendor screening

The Office of Foreign Assets Control (OFAC) administers US economic sanctions programmes. Financial institutions are responsible for ensuring their third-party vendors do not conduct transactions with OFAC-sanctioned parties — regardless of whether the vendor is itself a regulated entity.

Third-party vendors that process payments, conduct customer screening, or manage transaction monitoring on behalf of a US financial institution must implement OFAC-compliant controls. This should be verified during due diligence and confirmed contractually.

US Regulator     | Primary TPRM Authority               | Key Requirement
-----------------|--------------------------------------|------------------------------------------------------------------
OCC              | Interagency Guidance (June 2023)     | Lifecycle management for all third-party relationships
FinCEN           | BSA Examination Manual               | Bank retains BSA/AML responsibility regardless of vendor use
OFAC             | SDN List and sanction programmes     | Vendor must have OFAC-compliant controls
Federal Reserve  | SR 13-19 / SR 23-4                   | Board accountability, risk-based due diligence
FDIC             | FIL-29-2023                          | Consistent with interagency guidance
CFPB             | UDAP/UDAAP                           | Vendor conduct creates bank liability
State regulators | Varies by state                      | NY DFS Part 500 (cybersecurity), CCPA (California)

OCC and CFPB: vendor conduct creates bank liability

The CFPB has made clear that under UDAP (Unfair, Deceptive, or Abusive Acts or Practices) standards, a bank can be held responsible for the actions of its vendors, even if the bank did not directly cause the harm. This is particularly relevant for customer-facing third parties — debt collectors, mortgage servicers, credit card processors.

The OCC's examination framework for third-party relationships evaluates whether banks conduct appropriate due diligence, monitor vendor performance, and escalate issues to senior management and the board.

Building a TPRM programme that satisfies US federal examiners

Stage 1: Inventory and risk-tiering

Every effective TPRM programme begins with a complete inventory of all third parties. Industry research shows US financial institutions manage an average of 286 vendors, yet examiners frequently find that institutions cannot produce a current, accurate list of their vendors and associated risk tiers.

The OCC interagency guidance recommends tiering vendors based on:

  • High risk (Critical): Vendors supporting critical activities — core banking, payment processing, BSA/AML systems, OFAC screening — with significant data access or customer impact.
  • Moderate risk: Vendors with some data access or moderate operational dependency.
  • Low risk: Peripheral vendors with limited data access and minimal operational impact.

Tier determines the depth of due diligence, contractual requirements, and monitoring frequency. Examiners expect banks to demonstrate a documented, defensible rationale for each vendor's tier assignment.

Stage 2: Due diligence proportionate to risk

OCC examiners expect due diligence to be proportionate to the risk and complexity of the third-party relationship. For high-risk vendors, due diligence should cover:

  • Financial condition (audited financial statements, liquidity ratios, insurance coverage).
  • Business experience and reputation (regulatory enforcement history, litigation).
  • Information security (SOC 2 Type II, penetration testing results, incident history).
  • Regulatory compliance track record (BSA/AML examination results, OFAC compliance, state licensing).
  • Business continuity and disaster recovery capabilities.
  • Subcontracting practices — the vendor's own vendor risk management programme.

CheckFile automates the collection and verification of vendor-supplied documentation during this stage — SOC 2 reports, audited financials, insurance certificates, regulatory licences — flagging missing or expired documents and creating an audit-ready record.

Stage 3: Contract provisions required by US regulators

The OCC interagency guidance specifies minimum contractual provisions for high-risk vendor relationships. These include:

  • Nature and scope of services with measurable SLAs.
  • Regulatory agency access: the right of the OCC, Federal Reserve, FDIC, or state regulators to examine the vendor's books and records related to the bank's activities.
  • Audit rights for the bank and its internal audit function.
  • Confidentiality and data security obligations.
  • Incident notification requirements: the GLBA Safeguards Rule (16 CFR Part 314) requires covered institutions to notify their primary federal regulator within 30 days of a security event; vendor contracts should require equivalent notification timelines.
  • Termination provisions allowing the bank to exit promptly if the vendor fails to comply with regulatory requirements.
  • Business continuity and disaster recovery obligations.
  • Sub-outsourcing controls — the vendor must obtain bank approval before delegating critical functions.

Stage 4: Ongoing monitoring

US banking examiners in 2026 are focused on whether banks conduct genuine continuous monitoring, not whether they have annual vendor questionnaire programmes. The OCC's examination procedures ask banks to demonstrate that monitoring catches emerging risks — not just confirms the absence of known issues.

Effective ongoing monitoring includes:

  • Quarterly performance reviews for high-risk vendors based on SLA metrics.
  • Annual on-site or virtual reviews of critical vendors.
  • Continuous external security monitoring for vendors with significant IT access.
  • Financial health monitoring for vendors where insolvency would create operational disruption.
  • Tracking regulatory enforcement actions against vendors (OCC, FinCEN, OFAC).
  • Automated alerts for contract expiry, insurance lapse, and certification renewal.

62% of risk leaders report their TPRM programmes are inadequately staffed, with teams managing an average of 33.6 vendors per risk professional (Whistic, 2025). Automated document monitoring is not an efficiency upgrade — at these ratios, it is the only way to maintain programme integrity.

CheckFile centralises vendor compliance documentation and sends automated alerts when a SOC 2 report, insurance certificate, or regulatory licence approaches expiry, creating the audit trail examiners expect.

Stage 5: Termination and offboarding

US examiners have identified vendor offboarding as a consistent gap in TPRM programmes. Banks frequently maintain vendor access and data-sharing arrangements long after relationships have ended, creating unmanaged risk exposure.

Effective termination procedures include:

  • Revocation of all system access within 24-48 hours of contract termination.
  • Data retrieval and certified destruction confirmation.
  • Transition support obligations in the contract (notice period, data handoff).
  • Post-termination monitoring to confirm access revocation.
  • Documentation of the termination process for the regulatory examination record.

For guidance on how TPRM integrates with broader governance frameworks, see our GRC guide and document compliance guide.

US-specific TPRM challenges: what practitioners say

Compliance professionals in the US — including active discussions on r/compliance and professional forums — consistently identify these practical challenges:

Challenge 1: Regulatory fragmentation. Unlike the EU's DORA, which provides a single harmonised framework, US TPRM obligations are spread across interagency guidance, FinCEN rules, OFAC requirements, state-level regulations (NY DFS Part 500, CCPA), and sector-specific rules. Building a programme that satisfies all regulators simultaneously requires careful mapping of overlapping requirements.

Challenge 2: Fourth-party risk. OCC examiners increasingly ask banks to assess not just their direct vendors, but also their vendors' significant subcontractors. This is particularly relevant for core banking processors and cloud providers where concentration risk can be systemic.

Challenge 3: Smaller institutions and limited resources. Community banks and credit unions face the same interagency guidance expectations as large institutions but with a fraction of the compliance staff. Automated tools that scale to lower resource levels are not a luxury for these institutions.

Challenge 4: Getting vendor documentation. 48% of TPRM teams cite this as their top obstacle. Vendors, particularly smaller fintechs, often lack mature compliance programmes and struggle to produce SOC 2 reports, penetration testing summaries, or business continuity plans on the bank's timeline.

The average cost of a data breach reached USD 4.88 million in 2024 (IBM Cost of a Data Breach Report 2024), and regulatory enforcement costs for TPRM failures — including OCC civil money penalties and FinCEN enforcement actions — can significantly exceed the cost of a compliant programme.

TPRM programme checklist for US financial institutions

  • Board-approved TPRM policy aligned with OCC interagency guidance (June 2023).
  • Complete, current vendor inventory with documented risk-tier assignments.
  • Risk-tiered due diligence questionnaires and documentation requirements.
  • Contract provisions meeting OCC minimum requirements, including regulatory access rights.
  • BSA/AML vendor oversight procedures confirming bank retains full BSA responsibility.
  • OFAC compliance verification for all vendors processing payments or screening transactions.
  • Documented ongoing monitoring process with frequency calibrated to vendor tier.
  • Tested business continuity and exit plans for high-risk vendors.
  • Annual TPRM report presented to the board and/or audit committee.
  • Vendor offboarding procedure with access revocation and data destruction confirmation.

Explore CheckFile for automating vendor document collection, monitoring certificate renewals, and building the audit-ready record that OCC and FinCEN examiners expect.

FAQ

What is third-party risk management (TPRM) under US banking regulations?

TPRM under US banking regulations is the structured process of managing risks from vendors, service providers, and partners as defined by the OCC/FDIC/Federal Reserve Interagency Guidance on Third-Party Relationships (June 2023). It covers the full vendor lifecycle from planning and due diligence through ongoing monitoring and termination. Banks retain full regulatory responsibility for all activities performed by third parties on their behalf.

Does BSA/AML responsibility transfer to a vendor under US law?

No. Under FinCEN's BSA framework, a bank that engages a vendor to perform BSA/AML functions — such as transaction monitoring, SAR filing support, or CIP processing — remains fully responsible for BSA/AML compliance. Any violation by the vendor is treated as a violation by the bank. Banks must assess vendor BSA/AML controls during due diligence and conduct periodic testing.

What does the OCC interagency guidance require for high-risk vendor contracts?

For high-risk vendors, contracts must include: SLAs with measurable performance standards, regulatory examination access rights, bank audit rights, data security and confidentiality obligations, GLBA-compliant incident notification timelines (30 days to primary regulator), termination provisions allowing exit for regulatory non-compliance, and sub-outsourcing controls.

How does NY DFS Part 500 affect vendor risk management?

NY DFS Part 500 (Cybersecurity Requirements for Financial Services Companies) requires covered entities to ensure third-party service providers that access their systems or non-public information maintain minimum cybersecurity standards. This includes annual due diligence, contractual protections, and third-party policy monitoring. Violations can result in NY DFS enforcement actions and civil money penalties.

What are the consequences of TPRM programme failures for US banks?

Consequences include OCC Matters Requiring Attention (MRAs) and Matters Requiring Immediate Attention (MRIAs), formal agreements or consent orders, civil money penalties (which can reach millions of dollars), FinCEN enforcement actions for BSA-related TPRM failures, reputational damage, and in serious cases, restrictions on new business activities until remediation is complete.
