Third-Party Vendor Risk Management Checklist

This third-party vendor risk management checklist supports compliance with OCC, FDIC, CFPB and Federal Reserve expectations for third-party relationships, as set out in OCC Bulletin 2013-29, FDIC FIL-44-2008, and CFPB Supervisory Highlights on vendor management. It covers vendor inventory and tiering, due diligence, contract requirements, ongoing monitoring, and concentration risk. The inventory and monitoring items are intended for monthly or quarterly use; the due diligence refresh and board reporting items are annual. Note that OCC Bulletin 2013-29 and FDIC FIL-44-2008 were rescinded in June 2023 and replaced by the Interagency Guidance on Third-Party Relationships: Risk Management (OCC Bulletin 2023-17, FDIC FIL-29-2023, Federal Reserve SR 23-4), which keeps the same life-cycle structure (planning, due diligence, contract negotiation, ongoing monitoring, termination) that the items below follow. Third-party failures increasingly drive bank examination findings and enforcement.

  • Industry: Financial Services
  • Frequency: Monthly / Quarterly
  • Estimated Time: 45 minutes
  • Role: Compliance Officer / Branch Manager
  • Total Items: 18
  • Compliance: OCC, FDIC, CFPB, Federal Reserve (OCC Bulletin 2013-29 and its 2023 interagency successor)

Vendor Inventory and Tiering

Maintain vendor inventory per OCC guidance.

  • Is comprehensive vendor inventory maintained listing all third-party relationships with services provided?
  • Has each vendor been assigned a risk tier (critical, high, moderate, low) based on business impact and data access, with the rationale documented and the tier driving the depth of due diligence and the review frequency?
  • Are critical activities (core banking, payment processing, IT infrastructure) clearly identified, with concentration risk noted where one vendor supports several critical functions or several critical vendors depend on the same subcontractor or data center?
  • Are material fourth-party subcontractors of critical vendors identified and risk assessed?

Pre-Engagement Due Diligence

Verify due diligence per OCC 2013-29 (now carried forward in the 2023 interagency guidance).

  • Has vendor financial stability been assessed including financial statements and credit review for critical vendors?
  • Has a SOC 1 or SOC 2 Type II report been obtained and reviewed for critical technology vendors (SOC 1 where the vendor's controls affect the bank's financial reporting, SOC 2 for security, availability and confidentiality of the vendor's systems), checking the report period, scope, noted exceptions, and the complementary user entity controls the bank itself must implement?
  • Has the vendor's cybersecurity posture been assessed, including recent independent penetration test results, vulnerability management practices, and the remediation status of open findings?
  • Has the vendor's Business Continuity Plan been reviewed, including test results, confirming recovery capability for critical services?
  • Have vendor references been checked including peer financial institution users?

Contract Requirements

Verify contract protections per OCC guidance. Contractual breach notification windows are in addition to, not a substitute for, the 2022 Computer-Security Incident Notification Rule, under which a bank service provider must notify affected banks as soon as possible after an incident that has caused, or is reasonably likely to cause, a material service disruption of four or more hours, and the bank in turn must notify its primary federal regulator within 36 hours of a notification incident.

  • Do vendor contracts include data security requirements, breach notification timelines (typically 24-72 hours), and data disposal requirements?
  • Does the contract give the bank a right to audit, or a right to receive the vendor's audit reports?
  • Does the contract require the vendor to notify the bank before engaging material subcontractors?
  • Does the contract define recovery time objective (RTO) and recovery point objective (RPO) requirements and the vendor's obligations for business continuity?
  • Does the contract include termination for cause and data return/destruction requirements, with written confirmation of destruction?

Ongoing Monitoring and Performance

Verify ongoing monitoring per OCC lifecycle guidance.

  • Are critical vendor relationships reviewed at least annually with refreshed due diligence (current financials, current SOC report, latest BCP test results)?
  • Are SLA performance metrics tracked against the contract, with vendor failures escalated and documented?
  • Are vendor incidents and disruptions logged and analyzed for trend patterns?
  • Is aggregate third-party risk exposure reported to the board or risk committee at least annually?

Why Use This Third-Party Vendor Risk Management Checklist?

This third-party vendor risk management checklist helps financial services teams maintain compliance and operational discipline over their vendor relationships. Designed for compliance officers and branch managers, it covers 18 inspection points across 4 sections. Recommended frequency: monthly / quarterly, with the due diligence refresh and board reporting items completed annually.

Aligned with OCC, FDIC, CFPB and Federal Reserve third-party risk management guidance (OCC Bulletin 2013-29 and its 2023 interagency successor) for audit readiness and examination documentation.

Frequently Asked Questions

What does the Third-Party Vendor Risk Management Checklist cover?

This checklist covers 18 inspection items across 4 sections: Vendor Inventory and Tiering, Pre-Engagement Due Diligence, Contract Requirements, Ongoing Monitoring and Performance. It is designed for financial services operations and compliance.

How often should this checklist be completed?

This checklist should be completed monthly or quarterly; the due diligence refresh and board reporting items are annual. Each completion takes approximately 45 minutes.

Who should use this Third-Party Vendor Risk Management Checklist?

This checklist is designed for Compliance Officer / Branch Manager professionals in the financial services industry. It can be used for self-assessments, team audits, and regulatory compliance documentation.

Can I download this checklist as a PDF?

Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.
