Third-Party Vendor Risk Management Checklist

This third-party vendor risk management checklist supports regulatory compliance with OCC, FDIC, CFPB and Federal Reserve expectations, including OCC Bulletin 2013-29. It structures the annual third-party risk management review for financial institutions, covering vendor due diligence, contract requirements, ongoing monitoring, and concentration risk per OCC Bulletin 2013-29, FDIC FIL-44-2008, and CFPB Supervisory Highlights on vendor management. Third-party failures increasingly drive bank examination findings and enforcement.

  • Industry: Financial Services & Banking
  • Frequency: Monthly / Quarterly
  • Estimated Time: 45 minutes
  • Role: Compliance Officer / Branch Manager
  • Total Items: 18
  • Compliance: OCC, FDIC, CFPB, Federal Reserve, OCC Bulletin 2013-29

Vendor Inventory and Tiering

Maintain vendor inventory per OCC guidance.

  • Is a comprehensive vendor inventory maintained listing all third-party relationships and the services each provides?
  • Has each vendor been assigned a risk tier (critical, high, moderate, low) based on business impact and data access?
  • Are critical activities (core banking, payment processing, IT infrastructure) clearly identified with concentration risk noted?
  • Are material fourth-party subcontractors of critical vendors identified and risk assessed?

Pre-Engagement Due Diligence

Verify due diligence per OCC 2013-29.

  • Has vendor financial stability been assessed including financial statements and credit review for critical vendors?
  • Has a SOC 1 or SOC 2 Type II report been obtained and reviewed for critical technology vendors?
  • Has the vendor's cybersecurity posture been assessed, including penetration testing and vulnerability management?
  • Has the vendor's Business Continuity Plan been reviewed, confirming recovery capability for critical services?
  • Have vendor references been checked including peer financial institution users?

Contract Requirements

Verify contract protections per OCC guidance.

  • Do vendor contracts include data security requirements, breach notification (typically 24-72 hours), and data disposal?
  • Does the contract give the bank a right to audit the vendor or a right to receive the vendor's audit reports?
  • Does the contract require the vendor to notify the bank before engaging material subcontractors?
  • Does the contract define RTO/RPO requirements and the vendor's business continuity obligations?
  • Does the contract include termination for cause and data return/destruction requirements?

Ongoing Monitoring and Performance

Verify ongoing monitoring per OCC lifecycle guidance.

  • Are critical vendor relationships reviewed at least annually with refreshed due diligence?
  • Are SLA performance metrics tracked and vendor failures escalated and documented?
  • Are vendor incidents and disruptions logged and analyzed for trend patterns?
  • Is aggregate third-party risk exposure reported to the board or risk committee at least annually?


Why Use This Third-Party Vendor Risk Management Checklist?

This third-party vendor risk management checklist helps financial services & banking teams maintain compliance and operational excellence. Designed for compliance officer / branch manager professionals, this checklist covers 18 critical inspection points across 4 sections. Recommended frequency: monthly / quarterly.

Ensures compliance with OCC, FDIC, CFPB, Federal Reserve, OCC Bulletin 2013-29. Regulatory-aligned for audit readiness and inspection documentation.

Frequently Asked Questions

What does the Third-Party Vendor Risk Management Checklist cover?

This checklist covers 18 inspection items across 4 sections: Vendor Inventory and Tiering, Pre-Engagement Due Diligence, Contract Requirements, Ongoing Monitoring and Performance. It is designed for financial services & banking operations and compliance.

How often should this checklist be completed?

This checklist should be completed monthly / quarterly. Each completion takes approximately 45 minutes.

Who should use this Third-Party Vendor Risk Management Checklist?

This checklist is designed for Compliance Officer / Branch Manager professionals in the financial services & banking industry. It can be used for self-assessments, team audits, and regulatory compliance documentation.

Can I download this checklist as a PDF?

Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.
