
Top Insights from the 2026 TPRM Survey | Ncontracts

Written by Rafael DeLeon | Jun 4, 2026 6:30:00 PM

Financial organizations are under pressure. Vendor portfolios are growing, budgets are flat, and AI is introducing risk they aren’t yet equipped to manage. In fact, not a single financial institution (FI) surveyed in the 2026 State of Third-Party Risk Management Survey feels extremely confident managing AI-related vendor risk. 

Ncontracts' annual look at how banks, credit unions, mortgage companies, and other financial services organizations manage vendor oversight draws on responses from financial services professionals across organizations ranging from under $250 million to over $10 billion in assets. Whether you work in risk, compliance, or vendor management, the data offers insights into how your peers are approaching third-party risk management and where gaps remain. 

Here are the highlights.  

Want to go deeper into the data? Watch Rafael DeLeon walk through the full 2026 survey findings in our on-demand webinar.

TPRM Teams Are Still Running Lean

When I was an examiner, there was a simple way to test if a program was stretched too thin: subtract what you have from what you're being asked to do. If that gap never closes, something eventually breaks. That’s where many TPRM programs are today. 

Nearly two-thirds of programs are staffed by just one or two dedicated full-time employees, and 13% have no dedicated staff. Often, a single person is responsible for the entire vendor lifecycle, from onboarding to board reporting, across 100+ vendor relationships. 

What makes this more than just a staffing complaint is what's being added to those already full plates. AI has created new oversight obligations that didn't exist three years ago, and fourth-party risk is demanding attention that most programs aren't structured to give. With 64% of FIs expecting their TPRM budget to stay flat in the year ahead, this gap isn't going to close on its own. 

What This Means for Your Program: When resources don't keep pace with obligations, oversight often suffers, and examiners notice. Use this data and cite your organization’s specific gaps in conversations with the leadership team. 

Related: TPRM 101: What is Ongoing Vendor Monitoring for Financial Organizations?  

AI is Top of Mind, But FIs Aren’t Ready to Handle the Risk

For the first time in the survey's history, two concerns tied at the top: AI and cybersecurity.  

The difference is that with cybersecurity, which has been the top concern for years, institutions know what they're dealing with. AI is a different story. Seventy-two percent of financial institutions are only partially aware of which vendors use AI, and 9% haven't assessed it at all. Your core processor, CRM, or fraud detection platform could be running AI capabilities today without triggering a single oversight workflow. 

Fifty-four percent of respondents flag the black box problem — when an AI system produces an output with no explanation for its answer — as a top concern. For FIs subject to fair lending laws, black box risk is not hypothetical; it's direct legal exposure. Lenders must give applicants specific, accurate reasons for adverse credit decisions, and a model that cannot explain its own output makes that obligation hard to meet.

Meanwhile, 52% of organizations reported a third-party cyber incident in the past year, up from 46%, further signaling that the underlying risk environment isn't getting easier. 

Related: What is AI Auditing and Why Does It Matter?

Size Doesn't Make AI Risk Easier to Manage

One of the more surprising insights from the survey is that larger FIs are less confident about AI oversight. Among organizations with 5,000 or more employees, 66% feel only slightly confident or not at all confident managing AI vendor risk, compared to 46% of institutions with 101-250 employees.  

The data suggests that understanding the problem and being equipped to solve it are two very different things. 

What This Means for Your Program: Vendor disclosure is a starting point, not a finish line. The FIs that stand out during exams supplement vendor documentation with independent assessments.  

Related: How to Manage Third-Party AI Risk: 10 Tips for Financial Institutions 

Manual TPRM Programs Pay More in Exam Findings

Ten percent of FIs are still using Excel or Google Sheets as their primary TPRM tool, and more than half of them have less than $1 billion in assets. The spreadsheet can seem like the cost-effective choice, until you look at the exam data: manual process users are 71% more likely to receive exam findings and report 50% lower satisfaction with their tools. 

What This Means for Your Program: Manual process users are also twice as likely to view TPRM as nothing more than a compliance checkbox. The cost of a spreadsheet isn't only operational risk; the exam data shows it is regulatory risk as well.

Related: A Guide to Operational Resilience for Financial Institutions 

Hybrid Operating Models Are the Norm

Sixty percent of institutions now operate on a hybrid model, up 15 percentage points from last year — and the data suggests why. As vendor inventories grow, fully centralized teams struggle to provide meaningful oversight across every relationship. Fully decentralized models offer flexibility but tend to produce inconsistent results, since business line managers are focused on making vendor relationships work, not on identifying and documenting risk. 

The hybrid approach threads that needle: a central TPRM team owns the framework, standards, and final risk ratings, while vendor owners handle day-to-day relationship management. It's working. Eighty-four percent of hybrid users report established programs — the highest of any operating model. 

What This Means for Your Program: Hybrid scales, but only with the right infrastructure behind it. Without investment in training, tooling, and governance, you get the complexity of decentralization without the consistency of centralized oversight. If your program is still fully centralized, it's worth asking whether your team can realistically keep pace as your vendor inventory expands. 

Boards Are Pushing for TPRM Improvements

Nearly three-quarters of institutions (73%) feel pressure to improve their TPRM programs. But the biggest source isn't regulators: internal management and boards account for 38% of that pressure, compared to 31% from regulators. The data suggests that board members recognize that third-party failures carry consequences well beyond regulatory fines, including operational disruption and harm to customers.

Pressure is one thing; securing support is another. While the share of FIs saying support "isn't difficult at all" rose from 17% to 20%, 79% still find it challenging or very difficult to get what they need. When TPRM teams are seen as compliance gatekeepers rather than risk partners, making the case for investment is an uphill climb.

What This Means for Your Program: Board reporting that focuses on risk exposure, incident trends, and program gaps tends to attract more resources than activity metrics alone. The better you are at surfacing vendor concerns to leadership, the stronger the case for investing in your program. 

Related: Creating a Vendor Board Package 

At the Optimizing Stage, Only 5% See TPRM as a Compliance Exercise 

There's a pattern in how FIs perceive TPRM as their programs mature. At the ad hoc stage, 67% view it purely as a compliance exercise. At the optimizing stage, that drops to just 5%, with 26% seeing it as genuinely high value across the organization — not just in risk or compliance but throughout the business. 

That shift doesn't happen by accident. Mature programs invest in the governance infrastructure, metrics, and visibility that let them demonstrate real value. It’s no surprise when those programs get funded and supported in the next budget cycle. 

What This Means for Your Program: Most programs sit somewhere between ad hoc and optimizing. The ones moving forward aren't waiting for a perfect program. They're making deliberate choices about structure, tooling, and how they communicate value to leadership.

Where Is Your Program Going?

The data tells a consistent story: the gap between programs that are merely surviving and those that are moving forward comes down to intention. The FIs that made it from ad hoc to optimizing made improvements when they could, with deliberate choices about structure, tooling, and how they communicated value to leadership. And when exam time came, it showed.

AI risk is the new test of that intention. Every institution in this survey knows it's a problem. Not one feels fully equipped to manage it. That gap is where examiners will be looking next — and where the strongest programs will separate themselves. 

Your vendor portfolio isn't getting smaller. The regulatory expectation isn't going down. The only variable you control is how prepared you are when it matters. 

For a deeper dive into the findings, watch the on-demand webinar and download the 2026 State of TPRM Survey Report.