Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
As federal oversight decreases, mortgage companies must prepare for increased state scrutiny. Mortgage compliance has entered a “state-centric” era. State regulators are now driving oversight, enforcement, and guidance given the CFPB’s recent changes. State exams are becoming deeper, broader, and more frequent, with particular attention on third-party arrangements, including technology vendors and contractors. Many former CFPB regulators are now taking positions as state regulators in some areas. Mortgage companies must demonstrate robust due diligence, ongoing monitoring, and policies. Adopt state-by-state compliance strategies, maintain detailed documentation, and proactively engage regulators as compliance partners.
SEC Regulation S-P amendments take effect: What large firms need to know. Amendments to SEC Regulation S-P took effect on December 3, significantly strengthening requirements around how financial organizations oversee third parties that access customer data. This includes investment advisors and other covered companies. The updates require firms to tighten service provider contracts and monitoring, including mandating that vendors notify them of any unauthorized access to customer information within 72 hours. With strict customer notification and documentation expectations now in place for larger institutions — and smaller firms facing a June deadline — third-party risk management is no longer optional, but a regulatory expectation.
FINRA’s 2026 report emphasizes risks of Generative AI and AI vendors. FINRA’s 2026 Annual Regulatory Oversight Report highlights generative AI as a growing focus for wealth managers, emphasizing a risk-based approach that integrates oversight, documentation, and governance. Wealth management firms are urged to implement formal review and approval processes before deploying AI tools, ensure human oversight, and address issues like privacy, business records, and compliance. The report also underscores third-party considerations: vendors providing AI tools must be evaluated for security, risk management, and adherence to regulatory expectations. For wealth managers, responsible AI adoption requires robust policies, vendor oversight, and governance frameworks to protect clients and maintain fiduciary duties.
Third-party breach compromises information at crypto software provider. Crypto tax software provider Koinly is warning users that a third-party data breach may have exposed user data such as names, email addresses, general location, and device information. Koinly said sensitive information like wallet details, transaction history, and tax data was not shared or accessed. The company has stopped using the third party, launched a broader review of its other vendors, and cautioned users to watch for phishing attempts.
Stepping up third-party access management to avoid breaches. Many breaches don’t start with a company’s own systems but rather with trusted third parties that retain access long after it’s needed. Weak identity and access management practices, such as delayed access revocation, poor authentication, and excessive exceptions, quietly expand the attack surface. Organizations need to treat third-party identities with the same rigor as their internal workforce by tightening onboarding and offboarding, reducing standing access, and continuously reviewing permissions to prevent small gaps from turning into major incidents.
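The access-review practice described above (revoking access when an engagement ends, disabling idle accounts, enforcing authentication, and expiring standing exceptions) can be made a routine, scriptable check. The following is an added illustration, not code from the original article or from any vendor it mentions; the `ThirdPartyAccount` record layout, the 30-day idle threshold, and the sample accounts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class ThirdPartyAccount:
    """One vendor or contractor identity as an IAM export might describe it (assumed layout)."""
    vendor: str
    username: str
    contract_end: date            # access should end with the engagement
    last_login: Optional[date]    # None means the account has never signed in
    mfa_enrolled: bool
    exception_until: Optional[date] = None  # standing-access exception, if one was granted


def review_third_party_access(accounts: List[ThirdPartyAccount], today: date,
                              stale_days: int = 30) -> List[Dict[str, str]]:
    """Return the actions an access review should raise for each third-party account.

    Order of checks matters: an account whose engagement has ended is revoked outright
    and not evaluated further, since the other controls are moot once access is gone.
    """
    findings: List[Dict[str, str]] = []

    def flag(acct: ThirdPartyAccount, action: str, reason: str) -> None:
        findings.append({"vendor": acct.vendor, "account": acct.username,
                         "action": action, "reason": reason})

    for acct in accounts:
        # Offboarding gap: engagement is over but the identity still exists.
        if today > acct.contract_end:
            flag(acct, "revoke", f"engagement ended {acct.contract_end.isoformat()}")
            continue

        # Standing access that nobody uses is attack surface with no business value.
        if acct.last_login is None:
            flag(acct, "disable", "account has never been used")
        elif (today - acct.last_login).days > stale_days:
            flag(acct, "disable", f"idle for {(today - acct.last_login).days} days")

        # Weak authentication on an external identity.
        if not acct.mfa_enrolled:
            flag(acct, "enforce_mfa", "no MFA enrolled")

        # Exceptions must expire; an expired one that is still in effect is a control gap.
        if acct.exception_until is not None and today > acct.exception_until:
            flag(acct, "close_exception",
                 f"policy exception expired {acct.exception_until.isoformat()}")

    return findings


def findings_per_vendor(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Roll findings up per vendor so the riskiest relationships surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["vendor"]] = counts.get(f["vendor"], 0) + 1
    return counts


# Constructed sample data: fictitious vendors and accounts for demonstration only.
REVIEW_DATE = date(2026, 1, 15)
SAMPLE_ACCOUNTS = [
    ThirdPartyAccount("acme-it", "svc-acme-patch", date(2025, 12, 31), date(2026, 1, 10), True),
    ThirdPartyAccount("dataco", "jsmith", date(2026, 6, 30), date(2025, 11, 1), True),
    ThirdPartyAccount("dataco", "kjones", date(2026, 6, 30), date(2026, 1, 14), False),
    ThirdPartyAccount("auditfirm", "audit-ro", date(2026, 3, 31), date(2026, 1, 13), True,
                      exception_until=date(2025, 12, 15)),
    ThirdPartyAccount("auditfirm", "audit-rw", date(2026, 3, 31), date(2026, 1, 14), True),
]

if __name__ == "__main__":
    for f in review_third_party_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{f['vendor']:<10} {f['account']:<16} {f['action']:<16} {f['reason']}")
    print(findings_per_vendor(review_third_party_access(SAMPLE_ACCOUNTS, REVIEW_DATE)))
```

Run against the constructed sample, the review raises one action per control gap (a revoke for the ended engagement, a disable for the idle account, an MFA enforcement, and an expired exception) and nothing for the account that is current, in use, and MFA-protected. In practice the input would come from the identity provider's export and the contract-end date from the vendor register; the point is that the comparison is cheap enough to run on a schedule rather than once a year.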
Third-party breach exposes email addresses at Celsius. Crypto lender Celsius is warning customers that a data breach at its email delivery vendor exposed email addresses — the same incident that previously impacted OpenSea. The breach stemmed from an employee at the vendor who abused legitimate access, and while no other customer data was compromised, Celsius is urging users to stay alert for phishing attempts. The incident underscores a familiar third-party risk lesson: even limited data exposure, like email addresses, can fuel downstream fraud and scams when vendor access controls and oversight fall short.
Third parties increasingly held responsible for losses. As cyberattacks grow more costly, insurers are increasingly trying to recover breach losses from the vendors that may have contributed to an incident. After paying a claim, insurers can pursue cybersecurity providers when weak controls, missed security obligations, or delayed incident response make the damage worse. It’s important to carefully vet vendors, clearly define security and insurance responsibilities in contracts, and document vendor oversight. Gaps in third-party management can now lead to real financial and legal consequences after a breach.
Third-party cybersecurity incident exposes Goldman Sachs client data. Some Goldman Sachs clients may have had data exposed following a cybersecurity incident at a third-party law firm, Fried Frank, highlighting ongoing third-party risk concerns. Goldman said its own systems weren’t impacted, and that the law firm secured its network, addressed the vulnerability, and believes the data is unlikely to be misused. Both organizations emphasized swift response efforts, but the incident reinforces a broader trend: attackers increasingly target vendors to reach their primary targets, with industry reports showing a growing share of breaches tied to third parties — a timely reminder that vendor security is just as critical as internal controls.
Third-party data breach exposes personal information at Ledger. A breach at a third-party payment processor exposed limited personal data at Ledger. No financial information, wallet details, or private seed phrases were accessed, though names and contact information may have been exposed.
Baltimore lawsuit against digital lender marks growing shift in regulatory landscape. Baltimore filed a lawsuit against digital lender Dave Inc., accusing the company of using misleading marketing and high fees to push residents into costly, short-term loans. The city claimed the lender traps users in debt cycles, with interest rates far exceeding legal limits and optional “tips” misrepresented as charitable contributions. This action is part of a broader crackdown on digital lenders, following similar lawsuits against MoneyLion, DraftKings, and FanDuel. It also marks a growing shift in regulatory scrutiny — where federal regulators have taken a step back, states and cities are taking action.