<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

TPRM 101: Top Third-Party Vendor Risks for Financial Institutions

25 min read
Oct 1, 2022

EXECUTIVE SUMMARY: Vendor risk management is an ongoing process. It begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. Based on the inherent risk with the vendor, the financial institution should assess the potential risks of third-party vendors in some or all of these 10 risk categories: operational, transaction, compliance, credit, strategic, reputation, cyber, cloud, concentration, and country.


Understanding Vendor Risk

When it comes to traditional lending risk, banks and credit unions have it down pat. They can look at customers and quickly determine whether they are a good risk. They carefully project interest rate risk. They can cite liquidity figures off the tops of their heads. But when it comes to vendor management, it gets trickier.

Third-party providers play a valuable role at financial institutions, allowing FIs to compete by offering a broader and more cost-effective mix of products and services, but they also pose risks. Every action (or inaction) a vendor takes has the potential to help or harm the FI. It is similar to hiring an employee, because the FI is responsible for the employee’s actions or inactions. This responsibility makes proper due diligence and oversight of vendors a necessary part of the outsourcing process. FIs must be able to assess the potential risks a vendor poses and then measure how effectively that company mitigates risk.

This is an important task, and not just because regulators require it. Careful risk assessment and monitoring lets FIs know which vendors pose which risks, and whether the products and services a vendor provides deliver enough value to make up for the additional risk. It also reveals how much oversight and monitoring a specific vendor requires. Some FIs utilize labels to identify the inherent risk posed by a vendor like high, important, critical. It is certainly not a good use of resources nor a requirement to perform extensive due diligence before ordering a delivery from a sandwich shop. However, there is a big difference between the coffee vendor and the core processor.

If the financial institution policy is not well crafted, then it can easily create an enormous amount of work, which is not required by regulatory guidance. By comparison, a well-crafted policy will align inherent risk groups with control processes that align efforts with the risks that need to be mitigated. While the guidance from federal regulators is targeting critical, significant, or high risk vendors like core processors, each FI wants an inherent risk system that protects them from third party risk.


FIs must be able to assess the potential risks a vendor poses and then measure how effectively that company mitigates risk.

These risks from critical vendors come in many forms, with new threats regularly emerging. It’s also a comprehensive process. Regulators expect FIs to address specific categories of risk for this type of vendor. Unfortunately, there is often overlap between the areas. FIs that choose to address risk in silos run the risk of duplicate efforts, contradictory results and missed connections that result in shortfalls. This is especially true since vendor risk management is an ongoing process, which begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship.

Due diligence should cover all the major risks vendors pose. While different regulators use different names for different kinds of risk and some emphasize certain types more than others, these are the top ten risks:

  1. Operational risk
  2. Transaction risk
  3. Compliance risk
  4. Credit risk
  5. Strategic risk
  6. Reputation risk
  7. Cyber risk
  8. Cloud risk
  9. Concentration risk
  10. Country risk

Let’s take a closer look at each of these areas to understand what steps FIs should take to investigate the risk exposure a vendor presents.


Related: Exam Coming Up? 6 Reasons to Adopt Risk, Compliance & Vendor Management Software Now

1. Operational Risk

One of the broadest risks facing FIs that outsource is operational risk. Operational risk is the risk of financial loss when processes, people or systems fail. Sometimes it’s the result of external events like a power outage, fire or flood. Other times it’s the vendor’s own internal issues, such as fraud, a hardware or software failure or an accounting error.

While it’s impossible to guarantee that processes, people and systems are perfect, there are steps FIs can take to mitigate these risks. The key is ensuring that vendors carefully and consistently follow suitable and effective internal controls. Many vendors will provide the results of SOC 2 Type 2 audit tests to address non-financial business controls in areas such as security, availability, processing integrity, confidentiality and data privacy. This is a great starting point. Because operational risk is such a broad area, there are many areas to review. The good news is that many of these facets appear later when discussing other forms of risk. FIs that invest time in careful due diligence will see the benefit when that work can be applied to other areas.

Subjects to review include:

Data privacy. Governing access to electronic data and systems containing confidential client data is essential. Policies and controls should ensure the consistent security and confidentiality of customer information, including secure data disposal, data classification and confidentiality or nondisclosure agreements. There should be physical access restrictions at buildings, computer facilities and records storage facilities where customer data is stored. Customer information should be encrypted whether it’s in transit or storage.

Threat assessment. There should be procedures to identify, assess and mitigate reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or systems.

Governance. Both the board and management should play a role in oversight. That includes defining roles and responsibilities, segregating duties and work environments and maintaining change management controls over software changes, application development and system maintenance.

While it’s impossible to guarantee that processes, people and systems are perfect, there are steps FIs can take to mitigate these risks.

User access. Policies and procedures should be in place to limit system access and eliminate non-active users or those who violate policies.

Employee evaluations and training. Background checks should be conducted before hiring. Personnel responsible for the design, development, implementation and operation of the system should be reviewed annually. There must be documented mandatory training and escalation procedures to address staff who fail to take training.

Monitoring. Systems should be monitored with controls to detect actual and attempted attacks and intrusions into customer information systems. They should also protect data systems from theft and corruption. Penetration tests and/or vulnerability scans should validate the integrity of system security, and findings should be promptly investigated and resolved.

Incident response. There should be a plan of action when unauthorized access to information systems or facilities is suspected. Protocols should define the customer breach notification process along with a process for addressing customer requests and complaints.

Data security. Measures should protect confidential customer information and systems from destruction, loss or damage due to environmental hazards, failures or disasters. There should be periodic evaluations and/or ongoing monitoring to validate the operational effectiveness of information security policies and internal controls, including management reviews, internal audits and external examinations.

Data processing and transactions. Policies and controls should ensure that processing and data transmissions are complete and accurate through reconciliations, edit checks, system entry configurations, dual controls, job monitoring and management review.


Processing and data transmissions transactions should be validated through authentication protocols with inputs authorized through implementation reviews and management approvals. Timely job scheduling and transactions based upon predetermined schedules is necessary along with procedures and protocols to ensure that exceptions and issues are identified, escalated, tracked and addressed.

Subcontractor oversight. Due diligence, monitoring and oversight of critical thirdparty vendors is necessary.

Read also: Brokered Deposits & Vendor Management

2. Transaction Risk

Sometimes networks go down. Yet no matter whether an outage or other business problem is caused by a natural disaster, cyberattack, equipment failure, fraud or other event, vendors must have plans and procedures in place to ensure service and product delivery is quickly restored.

While a vendor might not be able to fully disclose the details of its business continuity plan for security reasons, there are still plenty of ways to assess a vendor’s preparedness and potential risk.

It’s all a part of managing transaction risk, or the risk that a third party will fail to provide products and services as expected, adversely impacting the institution or its customers. Transaction risk differs from operational risk in that it focuses on contingency planning, but the two share many overlapping areas.

Mitigating transaction risk isn’t just good business. It’s a requirement of the FFIEC IT Examination Handbook Business Continuity Management Services and other regulatory guidance. That why an FI must evaluate a vendor’s business resilience controls to minimize financial loss and mitigate adverse effects of service interruptions. It must be certain that vendors will be able to meet service level agreements and recovery time and point objectives (RTOs). This is best accomplished by addressing the following areas with vendors:

Planning. While a vendor might not be able to fully disclose the details of its business continuity plan for security reasons, there are still plenty of ways to assess a vendor’s preparedness and potential risk. The vendor should review and test its business continuity planning/disaster response plan annually and share the results with clients. That includes the date of the last disaster recovery test of the production environment. Vendors should share the results, letting FIs know whether testing objectives were met and communicated to the board of directors.

Threat management. Vendors should conduct a periodic business impact analysis to identify and assess the likelihood and impact of threats that could interfere with their ability to meet service level Vendor Risk Countdown: The Top 10 Risks Posed by Third-Party Vendors to Your Financial Institution Ncontracts 4 agreements. They should have clearly defined recovery time and point objectives (RTOs) which may include mirrored backups and dual processing sites. Roles and responsibilities for disaster response (such as initial assessment, crisis management and communications) should be assigned. Pandemic planning is a must.

Recovery. Recovery capabilities should be assessed and monitored commensurate with the criticality of services provided. There should be redundant, backup or alternate power sources in place (such as generators). Alternate facilities for resuming critical services should be identified and critical data should be regularly backed up, mirrored and/ or replicated.

Data protection. Data should be meticulously protected. There should be physical security controls and protocols to prevent unauthorized access to facilities or areas housing confidential customer information systems and data. These preventative controls include secure coding, firewalls, a demilitarized zone, secure network configurations, network segmentation, secure VPN’s and logging. There must also be detective controls such as monitoring, intrusion detection systems and anti-malware software. Corrective measures such as patch management and risk and vulnerability remediation protocols should be defined and implemented. Vulnerability and/or penetration scans must be performed periodically.

Incident response. Another key element is an incident response and management policy or plan, which outlines how the vendor would manage and address a confidential data security breach or cyber-security incident. That includes a protocol to notify affected clients.

Subcontractors. Reliance on third-party providers, key suppliers, or business partners may expose FIs to points of failure that may prevent resumption of operations in a timely manner. Vendors should conduct their own risk assessments of all major risks, including credit, liquidity, transaction and reputation risk, among others.

Related: Credit Union Fair Lending: The Most Common Mistakes & Violations

3. Compliance Risk

Financial institutions must follow laws, regulations and rules, and should require their vendors to comply as well. Compliance risk is the risk that a third-party vendor will violate one of these orders or fail to follow the institution’s own internal policies. This can have reputational, financial and regulatory consequences for the financial institution.

According to the OCC’s Third-Party Relationships Risk Management Guidance, compliance risk commonly occurs when:

  • Products, services, or systems associated with third-party relationships are not properly reviewed for compliance;
  • The third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures;
  • A third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service;
  • A bank licenses or uses technology from a third party that violates a third party’s intellectual property rights;
  • The third party does not adequately monitor and report transactions for suspicious activities to the bank under the Bank Secrecy Act or Office of Foreign Asset Control;
  • A bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones;
  • When activities are further subcontracted;
  • When activities are conducted in foreign countries;
  • When customer and employee data is transmitted to foreign countries;
  • Conflicts of interest between a bank and a third party are not appropriately managed;
  • Transactions are not adequately monitored for compliance with all necessary laws and regulations; and
  • A bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records.

It’s not enough for a company to say it doesn’t disclose breaches to third parties unless they are affected— agreements must spell out that clients will be notified.

Once again, compliance risk abuts several other types of risk including operational, reputation, country, transaction and cyber risk. To assess compliance risk FIs should determine whether vendors are aware of both new and existing regulations and have policies and procedures in place to implement them. Audit and control features should demonstrate their compliance. This include logs and best practices for monitoring transactions for suspicious activity and compliance with others laws and regulations.


Data privacy is of particular interest to regulators making it important to ensure compliance with laws, regulations and best practices from OFAC, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act. Vendor controls should be designed with these specifically in mind.

FIs can find information about these controls in vendor documents such as annual due diligence questionnaires, SSAE 16 reports and independent third-party reviews during annual SOC 2 audits.

Important areas to review include:

Privacy policy. Vendors need an information privacy policy and an information security program that’s reviewed and/or updated periodically. It should include a risk assessment process to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of information and assets. These threats must be evaluated, managed and monitored. There should also be secure disposal measures to properly dispose of unneeded consumer information.

Information security controls/practices. Vendors should encrypt all highly confidential information and authentication credentials, use VPN, appropriately segregate duties and require acknowledgement and acceptance of confidentiality/non-disclosure agreements before permitting access to confidential data or systems.

Security for personnel who will have access to confidential consumer information. This includes pre-employment background investigations and initial and ongoing information security training.

Physical security protocols and controls to safeguard facilities containing confidential data. All desktop-computing devices should be physically secured with locking devices. There should be a visitor access policy with 24/7 security personnel on site, closed-circuit surveillance throughout the facility and card-key access control with permissions assigned based upon job responsibility.

Security protocols and controls to safeguard electronic data. All desktop computers should require an individual identification and authentication at log on with formal policies to define password parameters. Access should be restricted based on job responsibilities and access rights should be reviewed periodically. There should also be termination protocols and checklists.

Network security protocols and controls to prevent and/or detect unauthorized access and cyber-security incidents. Look for antivirus software on desktops, servers and host, with patches obtained from secure sites. Anti-malware software should be installed on critical servers and on end-point devices, with signatures updated nightly. There should be a defense in-depth program, including intrusion detection/intrusion prevention systems and semi-annual threat and vulnerability testing and attack and penetration tests. Centralized monitoring via security incident and event management (SIEM) and perimeter firewall systems is necessary. So is an incident reporting and response program to address and manage confidential data security breaches and/or cybersecurity incidents. That includes client notification. It’s not enough for a company to say it doesn’t disclose breaches to third parties unless they are affected— agreements must spell out that clients will be notified.

4. Credit Risk

It doesn’t matter how compliant, effective or technologically sound a vendor’s product or service is if the company won’t be in business very long. An FI that partners with a financially unsound vendor may find itself suddenly cut off from a critical product or service if that firm goes under

That’s why it’s important to focus on credit risk, or the strength and ability of a company to manage debt and stay in business to ensure continued operations. The FDIC says that FIs should evaluate third-party vendor’s financial condition at least annually2 and that the review “should be as comprehensive as the credit risk analysis performed on the institution’s borrowing relationships.”

The good news for bankers and credit union professionals is that the board and management should be very experienced in evaluating businesses, audited financial statements and publicly available documents.

It doesn’t matter how compliant, effective or technologically sound a vendor’s product or service is if the company won’t be in business very long.

Areas to look at include:

Financial condition. A company’s liquidity and leverage figures reveal the strength of its condition. Assess the viability of an operation by noting cash, debt, debt to equity, interest coverage ratio and auditor’s opinions of ongoing concerns.

Financial performance. Reviewing profitability and cash flow are essential. That includes revenue, gross margin, operating income or loss, operating margin percent, net income or loss, net margin percent, EBITDA, EBITDA margin percent, operating cash flow and free cash flow.

Litigation. Claims for punitive or exemplary damages from pending or threatened litigation can wreak havoc on the bottom line. Be aware of any legal action on the horizon, the potential fallout and what, if any, plans the company has to cover the damages.

Acquisitions. Acquisitions can expand a company’s offerings, spread its resources too thin or rapidly increase the debt load. Look into pending acquisitions or sales and how that may impact the company’s financial condition as well as other unfunded liabilities.



5. Strategic Risk

Strategic risk is the possibility that a company doesn’t make decisions that support its long-term goals. This can happen when risks aren’t properly assessed; not enough thought and due diligence are put into new products, business lines or activities; or when the company undertakes an action that’s not consistent with the company’s goals or doesn’t provide the expected return on investment, according to the OCC.

Strategic risk impacts the viability of a business in the same way credit risk does. But instead of focusing simply on numbers, it involves reviewing how decisions are made and implemented and how a company responds to changing market conditions. A company that isn’t managed well may not stay in business long or provide quality products and services.

Strategic risk is the possibility that a company doesn’t make decisions that support its long-term goals.

The key areas to look at when assessing strategic risk include:

Background. It begins with basic background that includes the age of a company and the size of its market. Large nationwide providers tend to be stronger than smaller competitors. And the larger the client base, the more likely the company is to be stable.

Leadership. Determine who is responsible for achieving corporate objectives, oversight of operating functions and compliance with applicable regulatory requirements. You want to see that senior management and the board of directors are meeting to ensure business strategies are aligned with operations across the organization. At larger companies, executive management committees may provide oversight.

Operational controls and audits. It’s not enough to have operational controls. They must be monitored through management reviews and internal and external audits. Annual independent audits should demonstrate the suitability and effectiveness of internal controls. Lines of authority and responsibility should be established. Managers should monitor reports and controls to provide reasonable assurances that activities are performed in a secure, complete, accurate and timely manner, and exceptions are identified, tracked, recorded and resolved.

Vendor management. FIs need vendor management programs and so do vendors. The risk assessment process/program should identify and mitigate risks that might affect a vendor’s continued ability to provide reliable services to its users. This includes third-party oversight and monitoring, and identification and resolution of information security-related risks.

Business continuity. There should be protocols to mitigate or prevent business interruptions, and to respond, recover and resume critical business functions after an unplanned business disruption.

Outsourcing and offshoring. The vendor should know whether or not all operations and personnel are all located within the U.S. and whether or not it outsources to foreign/ offshore service providers or subcontractors.

Notice that transaction, operational, country and cyber risks are all included when assessing strategic risk. Any method used to conduct a strategic risk assessment should leverage these overlaps to maximize efficiency.

6. Reputation risk

Reputation is hard to earn and easy to lose. Whether its lawsuits, fraud or data breaches, consumers notice bad headlines and take their business elsewhere.

Consider the headache $18.4 billion-asset First National Bank of Omaha faced in 2016 when it came out that its credit card add-on vendor charged customers for credit monitoring services they didn’t receive. Neither customers nor regulators differentiated between the bank and its vendor when assigning blame for ripping off customers. Not only did the bank pay millions in penalties to the CFPB and OCC, the bad publicity of newspaper headlines created costs that are not easily calculated from loss of goodwill.

Vendor mistakes like this can hurt a bank’s reputation, the FDIC and OCC say, when they cause:

  • Dissatisfied customers/poor service
  • Frequent or prolonged service disruptions
  • Interactions not consistent with institution policies
  • Inappropriate sales recommendations
  • Security breaches resulting in the disclosure of customer information
  • Violations of consumer law and regulation
  • Negative publicity involving the third party Vendor Risk

While there is no way to guarantee that vendor actions won’t damage an institution’s reputation, thorough due diligence can help an institution gauge the risk a particular vendor poses. It just takes some digging.

Go beyond the documents the vendor gives you and seek out publicly available information. Determine if the vendor is registered and in good standing with the proper authorities, including the state where it operates. Find out how many and what types of complaints it has filed against it with the CFPB website, and keep in mind that these claims are unsubstantiated. See how the business ranks with the Better Business Bureau and conduct a search of news stories to learn of any past problems.

Other good reference checks include the Federal Trade Commission, state attorneys general offices, state consumer affairs offices and the U.S. Securities and Exchange Commission. The OCC also recommends FIs “Review the third party’s Web sites and other marketing materials to ensure that statements and assertions are in-line with the bank’s expectations and do not overstate or misrepresent activities and capabilities. Determine whether and how the third party plans to use the bank’s name and reputation in marketing efforts.”

These materials help an FI identify potential reputation risks and find out what, if any steps, the vendor has taken to remediate past problems. Then an FI can decide if the risk can be mitigated with careful follow up and clarifying protocols to ensure oversight with service level agreements or if that vendor just isn’t worth the risk.

7. Cyber risk

In a world of increasingly sophisticated cyber threats, it’s essential that vendors are able to prevent, detect and respond to cyberattacks. Cyber risk is about having the tools, policies and procedures to identify and mitigate internal and external cyber threats and vulnerabilities.

Some people might argue that cyber risk is already covered by operational, transaction, strategic and compliance risk, and it may be covered based on the depth of your internal review. But the growing number of hacks, attacks and other threats make it clear more effort is needed.

Cyber risk is about having the tools, policies and procedures to identify and mitigate internal and external cyber threats and vulnerabilities.

In 2015, the FFIEC released its Cybersecurity Assessment Tool to help banks and credit unions evaluate potential cyber risks and understand inherent risk and cyber maturity.


Rather than lump cyber risk in with other categories, it’s important for banks and credit unions to directly address this critical risk with vendors, using the FFIEC Cybersecurity Assessment Tool as a guide. Chances are most institutions are already engaging in many of the activities recommended by the assessment in different departments and during different risk assessments. The FFIEC’s exercise will ensure information from these different silos will come together and ensure vendors are prepared.

While there is no way to guarantee that vendor actions won’t damage an institution’s reputation, thorough due diligence can help an institution gauge the risk a particular vendor poses.

Here are the areas where FIs should be focusing their cyber due diligence:

Identify high-risk activities. A vendor poses a greater cyber risk and requires increased management oversight when it:

  • Houses confidential data in a cloud-based system
  • Houses or outsources confidential data offshore
  • Outsources sensitive activities and/or a number of critical operations
  • Uses web-based services to conduct business transactions with customers
  • Permits access of confidential data to third-party providers

Controls from the top. Just like an FI, third party vendors should have controls and protocols to identify cyber risks. The vendor’s board or one of its committees should directly review and approve its cyber program Regular monitoring of the program is a must, identifying threats and vulnerabilities with a periodic risk assessment that estimates the likelihood and impact of cyber risks.

Protect systems. All system activity and events should be logged and monitored, and physical access controls should be monitored to detect suspicious activity. E-mail should be filtered for common cyber threats. Vendors’ vendors with access to data should meet defined data protection standards.

Incident response. Third-party vendors must have an incidence response policy that clearly defines a protocol for informing affected stakeholders, regulators and law enforcement officials of a cyber incident where confidential data was likely compromised.

Internal controls. Vendors must implement controls to prevent or mitigate the severity of a cyberattack. Network security controls such as anti-malware, firewalls, intrusion prevention and detection software, and segmented networks should be in place to reduce the likelihood of unauthorized users, devices, connections or software. There should be configuration, network and system change control processes and protocols. Protocols for anti-malware software updates/ patch management must be defined and implemented. Periodic vulnerability scans and/ or penetration testing should be performed, and the vendor should have cyber insurance coverage.

Human resources. Access controls should be role-based and granted based upon job function. Personnel should be screened before hiring and employees should undergo data safety training.

Data security. There should be protocols andmulti-factor authentication during data transmissions and storage and protocols for securely destroying data.

Cloud risk. Vendors that rely on a cloud-based system require additional scrutiny. (See Cloud Risk below.) With this information, FIs can identify cyber risks, deciding if the level of risk presented can be mitigated through protocols and service level agreements or if the risk is just too great.

8. Cloud risk

Perhaps there’s no buzz word more confusing to bankers and credit union executives than “the cloud.” It evokes an ethereal image of data floating safely and serenely overhead, able to materialize on screen with the press of a button.

But the cloud is a place on earth. Actually, it may be many places on earth.The cloud means someone else’s computer. It is typically a bunch of data centers. Using the cloud is buying space on someone else’s infrastructure (or data center) to store and/or process data which you can then access via the Internet. Sometimes these computers are used exclusively by one institution, known as a private cloud. Other times, several clients use the same computers at a data center, known as a shared cloud.

The cloud faces all the same risks as any other third-party IT vendor, which include cyber risk, reputation risk, operational risk, etc. After all, it’s a physical location with all the same inside and outside threats any organization faces. But’s is growing use and importance is undeniable—and it’s starting to attract regulator attention.

The FFIEC highlighted the importance of risk management and cloud use in a joint statement. When considering working with a cloud-based provider, institutions should ask questions like:

  • What is the type of cloud?
  • Who has access to the data?
  • Where is the data?
  • Is the data backed-up?
  • What is the third-party’s control structure?
  • Can you perform effective/on-going due-diligence?
  • How difficult is it to disengage?

Smart FIs are going beyond cyber risk to include cloud risk among their best practices for evaluating thirdparty vendors. When evaluating cloud-based vendors, an institution should pay mind to existing vendor management and cyber guidance paying special attention to:

Compliance. Ensure the provider is in compliance with privacy laws. Specific responsibilities for data protection must be defined and communicated, often in the service level agreement portion of the contract.

Cyber. There should be clearly defined procedures for responding to and reporting security incidents and notifying customers and regulators of any breaches.


Data security. Access to cloud data should be defined and restricted. Audit logs should be maintained to monitor and detect changes. Data should be encrypted at all times—both at rest and during transmission. When using shared clouds, an institution’s data must be segregated from other client data.

Country risk. All cloud data should be housed in the United States. If a vendor won’t tell you where data is stored, find another vendor.

Smart FIs are going beyond cyber risk to include cloud risk among their best practices for evaluating third-party vendors.

9. Concentration risk

When most bankers and credit union executives think of concentration risk, they think of lending. But concentration has a different meaning when talking about third-party vendors, as the Fed notes in its Guidance on Managing Outsourcing Risk. It specifically mentions concentration risk as something that should be considered when seeking out and managing vendors. The two main sources of third-party concentration risk are:

Over-reliance on a single vendor. This is a classic case of putting all your eggs in one basket. If an institution relies heavily on a single provider for many products and services that institution might be unable to conduct business if something catastrophic happens to that vendor. That’s not to say an FI can’t choose to outsource many major functions to a single vendor, but it just better have an airtight backup plan in place.

Geographic concentration. . If both an institution and its third-party vendors and subcontractors are in the same region, it’s possible the same event could impact everyone’s operations since they all rely on the same power and telecommunications infrastructure.

The good news is that because concentration risk overlaps with other areas including operational, credit and transactional risk, due diligence and supporting documentation shouldn’t require much extra effort as long as the risk management team is working cohesively. In fact, the OCC includes concentrations under operational risk.

10. Country Risk

Speaking of overlapping risks, country risk is another example—touching everything from cloud and reputation risk to transaction and operational risk. Country risk is “an exposure to economic, social, and political conditions in a foreign country that could adversely affect a vendor’s ability to meet its service level requirements,” according to the FFIEC’s Appendix C: Foreign-Based Third-Party Service Providers.11 In extreme cases, country risk might result in loss data loss. It’s not always obvious when a company poses country risk. For banks and credit unions the threat is most pronounced when it comes to data centers and the cloud, but can affect any overseas operation. Many data centers store their data on the other side of the world in foreign countries to ensure their systems are always running, which is the extreme opposite of geographic concentration.

While this sounds good on the surface, it’s a challenge for FIs that must then answer questions about the country where their data is stored. Topics to address include: political and economic stability; infrastructure such as the power grid; and local regulatory and legal oversight such as background checks and authorization.

In extreme cases, country risk might result in loss data loss.

The FDIC warns, “Managing country risk requires the ability to gather and assess information regarding a foreign government’s policies, including those addressing information access, as well as local political, social, economic, and legal conditions.” The Fed encourages ongoing monitoring of these risks. Managing these risks “should include the establishment of contingency, service continuity, and exit strategies in the event of unexpected disruptions in service,” says the FFIEC. The OCC also addresses the topic.


There’s no shortage of risks when it comes to outsourcing to third-party service providers, but it still frequently makes sense to outsource critical operations. The key is to carefully assess vendors and, when it comes to the most critical vendors, choose the ones that are most effective in helping FIs mitigate those risks.

The overlapping nature of these risks makes it essential for FIs to have a comprehensive, top-down approach to enterprise risk management and vendor management. By taking a broad view of risk management, FIs can leverage the risk assessment and mitigation work performed by various departments throughout the institution, streamlining the process to make it more effective and more efficient.

Ncontracts provides a variety of tools to help FIs face this challenge in a methodical, organized way.

Nvendor is a secure, feature-rich, online vendor and contract management solution that enables financial institutions to achieve and maintain regulatory compliance in their third-party vendor relationships. Features include assistance with vendor policies and procedures, vendor classification, vendor due diligence, risk assessment and vendor monitoring.

Ncyber guides institutions through the FFIEC’s Cybersecurity Assessment Tool, helping analyze inherent risk and cybersecurity maturity levels.

Ncontinuity is a flexible, scalable, and secure online business continuity planning solution. Its interactive dashboard, tools and support strengthen business continuity needs throughout your organization and in your third-party vendor relationships.

Nrisk is a secure, online risk management solution that enables continuous measurement of financial and non-financial impacts by location, department, business process, application or line of business. It simplifies the risk assessment process using natural language navigators and wizards that guide users step-by-step through the process of evaluating risk and related financial exposures—leveraging the hard work your institution has already done. Regardless of approach, FIs need to be assessing each of these vendor risks to determine the level risk and amount oversight and monitoring a specific vendor requires. As regulators continue to expand and investigate categories of risk, it’s no longer efficient or effective to conduct these risk assessments in silos. Careful risk assessment and monitoring from pre-contract due diligence and throughout the length of the relationship is critical for proper vendor management.

The NcontractsManager platform helps break down the silos with a secure, web-based repository for all your contracts. With our expertise, you can reduce risk exposure and develop contracts that save money and increase profits for your organization.

Nverify gives your team the tools and support to conduct automated, integrated auditing capabilities that not only ensure compliance, but also identify opportunities for internal process improvement that can create cost savings for years to come. Nverify is easy to implement — in as little as two hours, your team can have access to all the data they need to generate audits that enable positive exam results.

Ncommunity integrates with other software in our lending compliance suite, for holistic lending compliance that enables your financial institution or financial services company to experience the upside of risk. Our platform is designed, built, and supported by professionals with extensive experience in financial institutions and mortgage companies, empowering lenders to navigate the lending ecosystem, reduce compliance and lending risk, and accelerate healthy business growth.

Nfindings lets your organization access and manage findings. Our centralized platform makes it easy to access and manage findings from internal, external, and regulatory audits in real time, so you have what you need, right when you need it.

With extensive reporting capabilities, your team can identify and evaluate exam and audit findings to take the appropriate steps for exam readiness and overall compliance.

Your team can assign tasks to each finding, direct the best course of action, and monitor the work being done. Automated reminders and notifications help to expedite and accelerate workflow.

Ntransmittal integrates with other software in our lending compliance suite, for holistic lending compliance that enables your financial institution or financial services company to experience the upside of risk. Learn more about the comprehensive compliance solutions we offer banks, mortgage companies, and credit unions.

New call-to-action


Subscribe to the Nsight Blog