Strengthen third-party risk oversight across jurisdictions
This 3,300-word playbook translates U.S. OCC Bulletin 2023-17, Federal Reserve SR 13-19/CA 13-21, the European Banking Authority’s outsourcing guidelines, the Monetary Authority of Singapore’s outsourcing requirements, and Basel Committee operational resilience principles into actionable controls.
Updated with OCC concentration risk expectations, Federal Reserve third-party due diligence, EBA critical outsourcing governance, MAS outsourcing assurance requirements, and Basel Committee operational resilience guidance.
Primary sources: OCC Bulletin 2023-17, Federal Reserve SR 13-19/CA 13-21, EBA Outsourcing Guidelines, MAS Outsourcing Guidelines, Basel Committee Principles for Operational Resilience.
Executive overview
Financial regulators expect institutions to treat third-party risk management (TPRM) as an enterprise capability that spans vendor selection, contracting, ongoing monitoring, incident response, and exit strategies. OCC Bulletin 2023-17, issued jointly with the Federal Reserve and the FDIC, consolidated the U.S. federal banking agencies' guidance and emphasizes governance, risk assessment, due diligence, contracting, and oversight for third-party relationships (OCC Bulletin 2023-17). The Federal Reserve's earlier SR 13-19 letter followed the same risk-based framework and highlighted board accountability for critical service providers (Federal Reserve SR 13-19).
In the European Union, the EBA's Guidelines on Outsourcing Arrangements prescribe robust governance for critical or important functions, including registers of outsourcing arrangements, risk assessments, and notification obligations (EBA Outsourcing Guidelines). The Monetary Authority of Singapore's guidelines demand board oversight, due diligence, and independent audits for material outsourcing, with requirements to assess concentration risk and maintain contingency plans (MAS Outsourcing Guidelines). The Basel Committee's operational resilience principles add expectations for scenario analysis, mapping of critical operations, and management of third-party dependencies (Basel Committee Principles for Operational Resilience).
This guide delivers a cohesive program blueprint: regulatory obligations, governance models, due diligence checklists, contract clauses, continuous monitoring techniques, concentration risk management, incident response integration, and board reporting.
Regulatory landscape
OCC Bulletin 2023-17
The OCC guidance outlines a lifecycle approach comprising planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination/contingency planning (OCC Bulletin 2023-17). Banks must maintain an inventory of third-party relationships, categorize them by criticality, and perform risk assessments that consider operational, compliance, strategic, reputation, and credit risks. The bulletin emphasizes board and senior management oversight, including approval of critical relationships, review of risk management frameworks, and monitoring of performance and risk indicators.
OCC examiners expect banks to tailor due diligence to the third party’s risk profile, covering financial condition, business experience, legal and regulatory compliance, operational resilience, cybersecurity, and subcontracting. Contracts should specify performance standards, control expectations, right-to-audit clauses, incident notification timelines, and termination rights. Banks must develop contingency plans, test exit strategies, and monitor the third party’s performance using metrics, issue tracking, and escalation procedures.
Federal Reserve SR 13-19/CA 13-21
SR 13-19/CA 13-21, issued in 2013, applies to Federal Reserve-supervised institutions and outlines expectations for managing outsourcing risk. Boards must approve risk management policies, review summaries of critical third-party relationships, and ensure management maintains appropriate staffing and expertise (Federal Reserve SR 13-19). The guidance emphasizes a risk-based approach to due diligence, contract structuring, and monitoring, with heightened expectations for services supporting critical activities. Note that in June 2023 the Federal Reserve replaced this letter with SR 23-4/CA 23-3, which adopts the same interagency guidance the OCC published as Bulletin 2023-17; the 2013 expectations summarized here remain a useful reading of that framework, but institutions should cite the 2023 interagency guidance as the operative Federal Reserve requirement.
Key elements include: assessing the third party’s business strategy and financial condition; evaluating legal, compliance, and reputational risks; reviewing control environments; and ensuring the right to conduct onsite reviews. The Federal Reserve highlights concentration risk management, recommending diversification strategies, contingency planning, and periodic scenario analysis.
EBA Guidelines on Outsourcing
The EBA guidelines apply to credit institutions, investment firms, and payment institutions. They require a documented outsourcing policy, board approval, and comprehensive registers capturing the nature, criticality, service providers, subcontractors, locations, and data protection considerations of each outsourcing arrangement (EBA Outsourcing Guidelines). Institutions must notify competent authorities of planned outsourcing of critical or important functions and provide details on risk assessments, due diligence, and exit strategies.
Due diligence must assess service provider capability, financial soundness, internal controls, ICT security, data protection compliance, and reliance on subcontractors. Contracts must cover service level agreements, reporting, access rights, audit rights (including regulators), data ownership, business continuity, and termination. Institutions must perform regular monitoring, onsite inspections, and independent reviews.
MAS Outsourcing Guidelines
The MAS guidelines require financial institutions to classify outsourcing arrangements by materiality, considering impact on business operations, customers, and regulatory obligations (MAS Outsourcing Guidelines). Boards must approve material outsourcing, ensure risk assessments are performed, and monitor management's oversight. Institutions must maintain a register of all outsourcing arrangements and notify MAS of adverse developments, such as service disruptions or security breaches.
Key requirements include: due diligence covering service provider capabilities, financial soundness, compliance history, risk management practices, and subcontracting; contractual clauses mandating performance, confidentiality, audit access, and MAS inspection rights; business continuity plans with testing; and exit strategies. MAS expects independent audits of material outsourcing arrangements and robust concentration risk assessments.
Basel Committee principles
The Basel Committee on Banking Supervision's Principles for Operational Resilience emphasize mapping critical operations, identifying dependencies (including third parties), setting impact tolerances, and conducting scenario analyses (Basel Committee Principles for Operational Resilience). Banks must integrate third-party risk into resilience planning, ensuring that disruptions at service providers are captured in testing and contingency planning. Supervisors expect banks to demonstrate that they can operate within impact tolerances even when key vendors fail.
Governance and accountability
Effective TPRM requires clear governance structures that span board oversight, executive sponsorship, and operational execution.
Board and senior management oversight
Boards should approve the TPRM framework, risk appetite, and policies. They must receive regular reporting on critical third-party relationships, risk assessment results, concentration exposures, incident summaries, and remediation status. OCC and Federal Reserve guidance require boards to understand dependency on third parties and challenge management when risk exposures exceed tolerance (OCC Bulletin 2023-17; Federal Reserve SR 13-19).
Senior management should establish governance committees, such as a third-party risk council, that includes procurement, legal, compliance, information security, and business unit leaders. The council reviews onboarding decisions, risk ratings, contract clauses, monitoring results, and exit plans.
Policies and standards
Develop a comprehensive policy suite covering vendor classification, due diligence, contracting, monitoring, issue management, concentration risk, data protection, and exit strategies. Align policies with regulatory references and ensure they apply enterprise-wide, including subsidiaries and joint ventures. Include escalation procedures for policy exceptions and board approval for high-risk deviations.
Translate policies into detailed standards and procedures for each lifecycle stage, with templates, checklists, and workflows. Embed regulatory requirements, such as the notification of the competent authority required under the EBA guidelines or the notification of MAS, within procedures so that jurisdictional timelines are met.
Risk assessment and due diligence
Risk-based due diligence prevents downstream surprises and supports regulator expectations.
Determining criticality
Classify third parties based on their impact on critical operations, customer outcomes, regulatory obligations, data sensitivity, and substitutability. Use scoring models that weigh service criticality, financial exposure, access to customer data, geographic concentration, and dependency on subcontractors. Document classification decisions and review them annually or upon significant changes.
Critical relationships should trigger enhanced due diligence, contract requirements, board reporting, and contingency planning. Align definitions with regulatory terminology: "critical activities" in OCC guidance, "critical or important functions" in the EBA framework, and "material outsourcing arrangements" under MAS guidelines (OCC Bulletin 2023-17; EBA Outsourcing Guidelines; MAS Outsourcing Guidelines).
Due diligence coverage
Perform due diligence commensurate with risk. Core areas include:
- Financial condition: audited financial statements, liquidity, debt, revenue concentration, and forecast stability.
- Operational resilience: business continuity plans, disaster recovery capabilities, testing frequency, recovery time objectives, and dependency on critical suppliers.
- Cybersecurity and data protection: security frameworks, certifications, penetration tests, vulnerability management, incident history, and data handling practices.
- Legal and compliance: regulatory licenses, litigation history, sanctions screening, and compliance with privacy, anti-money laundering, and sector-specific rules.
- Subcontracting: fourth-party management, transparency, approval processes, and contract controls.
- Human capital: staffing levels, training programs, and key person dependencies.
Collect independent assurance reports, such as SOC 1/SOC 2, ISO/IEC 27001 certificates, or regulator inspection results. For high-risk vendors, conduct onsite assessments or remote walkthroughs. Document findings, risk ratings, and remediation plans.
Concentration risk analysis
Assess concentration risk at multiple levels: single vendor, sector, geographic region, and critical service cluster (e.g., cloud infrastructure, payment processing). Roll up fourth parties as well, since two apparently independent vendors that both run on the same cloud provider are a single point of failure that a vendor-level view will not show. Develop dashboards that quantify exposure and scenario analyses that model vendor failure. Align with OCC expectations for concentration risk management and Basel resilience principles (OCC Bulletin 2023-17; Basel Committee Principles for Operational Resilience).
Set thresholds for acceptable exposure and define triggers for mitigation actions, such as diversification, additional contractual protections, or contingency planning. Present concentration metrics to the board quarterly.
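The criticality scoring described under "Determining criticality" and the multi-level concentration roll-up above can be carried out over a plain vendor inventory. The following is an added example written for this page; it is not code from any regulator or from a TPRM product. The weights, the 65/35 tier cut-offs, the 40% exposure threshold and the five-vendor inventory are all constructed assumptions to be calibrated to the institution's own risk appetite. The point it demonstrates is the fourth-party roll-up: counted only as a direct vendor, the cloud provider sits under the threshold; counted through the subcontractor chains of the vendors that depend on it, it is the largest single exposure.

```python
"""Criticality tiering and concentration roll-up for a third-party inventory.

Added example for this playbook; not regulator or vendor code. All weights,
thresholds and vendors below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Vendor:
    name: str
    service_cluster: str           # e.g. "payment_processing"
    region: str                    # primary delivery location
    supports_critical_operation: bool
    customer_data_access: bool
    substitutable: bool            # replaceable within the impact tolerance
    subcontractors: Tuple[str, ...] = ()   # fourth parties this vendor relies on


# Hypothetical scoring weights (assumption; tune to your own appetite).
WEIGHTS = {
    "supports_critical_operation": 40,
    "customer_data_access": 25,
    "not_substitutable": 25,
    "relies_on_subcontractors": 10,
}


def criticality_score(v: Vendor) -> int:
    """Additive score over the inventory attributes; max 100."""
    score = 0
    if v.supports_critical_operation:
        score += WEIGHTS["supports_critical_operation"]
    if v.customer_data_access:
        score += WEIGHTS["customer_data_access"]
    if not v.substitutable:
        score += WEIGHTS["not_substitutable"]
    if v.subcontractors:
        score += WEIGHTS["relies_on_subcontractors"]
    return score


def tier(score: int) -> str:
    """Map a score onto the three tiers used for reporting (cut-offs assumed)."""
    if score >= 65:
        return "critical"
    if score >= 35:
        return "significant"
    return "standard"


def concentration(vendors: Iterable[Vendor], threshold: float = 0.40,
                  include_fourth_parties: bool = True) -> Dict[str, Dict[str, float]]:
    """Share of critical relationships that ride on each service cluster,
    region and ultimate provider. Returns only the keys at or above threshold.
    With include_fourth_parties=False the provider view counts direct vendors
    only, which is what hides shared cloud dependencies."""
    critical = [v for v in vendors if tier(criticality_score(v)) == "critical"]
    if not critical:
        return {}
    counts = {"cluster": Counter(), "region": Counter(), "provider": Counter()}
    for v in critical:
        counts["cluster"][v.service_cluster] += 1
        counts["region"][v.region] += 1
        providers = {v.name}
        if include_fourth_parties:
            providers.update(v.subcontractors)   # one count per distinct provider
        for provider in providers:
            counts["provider"][provider] += 1
    n = len(critical)
    return {
        dim: {key: round(c / n, 2) for key, c in counter.items() if c / n >= threshold}
        for dim, counter in counts.items()
    }


# Constructed inventory. CloudX is itself a vendor and also the subcontractor
# behind PayCo and CoreBankSaaS.
INVENTORY = [
    Vendor("PayCo", "payment_processing", "US-East", True, True, False, ("CloudX",)),
    Vendor("CoreBankSaaS", "core_banking", "EU-West", True, True, False, ("CloudX",)),
    Vendor("KYCVendor", "customer_onboarding", "SG", True, True, True),
    Vendor("CloudX", "cloud_infrastructure", "US-East", True, True, False),
    Vendor("CateringCo", "facilities", "US-East", False, False, True),
]

if __name__ == "__main__":
    for v in INVENTORY:
        print(f"{v.name:13s} score={criticality_score(v):3d} tier={tier(criticality_score(v))}")
    print("direct vendors only :", concentration(INVENTORY, include_fourth_parties=False))
    print("with fourth parties :", concentration(INVENTORY))
```

In the direct view every provider carries a quarter of the critical relationships and nothing trips the threshold; with subcontractors rolled in, CloudX carries three of the four critical relationships, which is the number the board report and the exit plan need to show.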
Contract structuring
Contracts should embed regulatory expectations and provide enforceable levers for oversight.
Core contractual clauses
Include clauses covering scope of services, performance standards, reporting, pricing, ownership of data and intellectual property, confidentiality, security, compliance with laws, audit rights, subcontracting, business continuity, incident notification, termination, and dispute resolution. Explicitly grant regulators access to data and premises, as required by the EBA and MAS guidelines (EBA Outsourcing Guidelines; MAS Outsourcing Guidelines).
Specify service levels and key performance indicators (KPIs), with remedies for breaches, such as service credits, termination rights, or step-in rights. Mandate timely notification of incidents, regulatory inquiries, or significant changes in ownership or leadership. For cloud services, address data location, access control, encryption, and exit support.
Change management and renegotiation
Establish procedures for approving changes to services, subservice providers, pricing, or contractual terms. Require prior written consent for material changes and ensure risk assessments are updated accordingly. Document change approvals and incorporate them into the vendor risk register.
For long-term contracts, schedule periodic renegotiation or benchmarking to ensure alignment with market conditions, regulatory updates, and performance expectations. Include provisions for technology modernization, compliance with new regulations, and integration of resilience testing results.
Ongoing monitoring and assurance
Continuous monitoring verifies that third parties deliver services within risk appetite and remain compliant.
Performance monitoring
Develop dashboards tracking KPIs, service level adherence, incident volumes, remediation status, and customer impacts. Collect monthly or quarterly reports from vendors and compare results against contractual obligations. Conduct periodic business reviews with critical vendors to discuss performance, risk, innovation, and strategic alignment.
Integrate monitoring with enterprise risk management, operational resilience, and cybersecurity programs. Share insights with business units and escalate breaches to the TPRM governance committee.
Control testing and assurance
Obtain independent assurance through SOC reports, ISO certifications, penetration tests, and regulatory examinations. Review reports for scope, testing periods, control objectives, exceptions, and remediation. For SOC reports in particular, confirm the report is a Type 2 (operating effectiveness over a period) rather than a point-in-time Type 1, that the covered period leaves no gap since the previous report, that the systems in scope are the ones actually delivering your service, and whether the vendor's own subservice organizations (its cloud or data-center providers) are included or carved out; a carved-out provider needs its own report. For critical vendors, commission targeted assessments or onsite visits to validate controls. Align testing frequency with risk levels and regulatory expectations.
Document management’s assessment of assurance reports, including evaluation of complementary user entity controls. Track remediation commitments, due dates, and verification of completion. Provide summaries to auditors and regulators when requested.
Issue management
Implement an issue management system that records vendor-related findings from due diligence, monitoring, incidents, and audits. Assign owners, due dates, and remediation steps. Monitor progress and escalate overdue items to senior management and the board. Align severity ratings with regulatory definitions, triggering reporting obligations when necessary.
Operational resilience integration
TPRM must integrate with operational resilience frameworks to ensure continuity of critical services.
Impact tolerances and mapping
Identify critical operations, map supporting processes, technology, data, facilities, and third parties. Set impact tolerances (maximum tolerable outage or service degradation) and align vendor performance requirements accordingly. Basel resilience principles require banks to demonstrate capability to operate within tolerances under severe scenarios (Basel Committee Principles for Operational Resilience).
Use mapping to inform concentration analysis, contingency planning, and scenario testing. Update maps when services change, new vendors are onboarded, or organizational restructuring occurs.
Scenario testing and exercises
Conduct joint exercises with critical vendors to test response to cyber incidents, system outages, natural disasters, and geopolitical events. Evaluate communication channels, escalation paths, recovery time objectives, and fallback arrangements. Document lessons learned and integrate them into remediation plans.
Coordinate scenario testing with MAS requirements for business continuity testing and EBA expectations for regular testing of critical outsourcing arrangements (MAS Outsourcing Guidelines; EBA Outsourcing Guidelines).
Incident response and exit strategies
Vendor incidents can escalate quickly; coordinated response plans reduce disruption.
Incident integration
Integrate vendor incident reporting into enterprise incident management. Require vendors to notify within defined timeframes for security events, operational outages, regulatory inquiries, or financial distress. Establish joint incident response protocols covering communication, investigation, evidence sharing, and reporting to regulators.
Maintain playbooks for high-impact scenarios: cloud platform outages, payment processor failures, data breaches, and sanctions violations. Coordinate with compliance teams to meet regulatory notification timelines, which often sit in rules separate from the outsourcing guidance itself: under the U.S. banking agencies' computer-security incident notification rule, a bank must notify its primary federal regulator no later than 36 hours after determining that a notification incident has occurred, and a bank service provider must notify affected bank customers as soon as possible after a material disruption; MAS requires notification of relevant incidents within one hour of discovery under its Technology Risk Management Notice. Contractual vendor notification windows must be short enough to leave time for these obligations.
Exit and termination
Develop exit strategies for critical vendors, including data retrieval, transition services, knowledge transfer, and alternative provider identification. Test exit plans periodically through tabletop exercises or partial migration pilots. Document decision criteria for activating exit strategies, such as repeated SLA failures, insolvency, or regulatory findings.
Maintain warm standby arrangements or multi-vendor strategies for essential services. Align exit planning with contractual provisions and ensure stakeholders understand roles and responsibilities.
Technology enablement
Modern TPRM programs leverage technology for scalability, transparency, and audit readiness.
TPRM platforms
Deploy platforms that centralize vendor inventories, risk assessments, due diligence artifacts, contract clauses, monitoring data, and metrics. Key features include workflow automation, configurable questionnaires, integration with security ratings services, analytics dashboards, and evidence repositories. Ensure platforms support jurisdiction-specific reporting and can export regulator-ready data.
Integrate TPRM platforms with procurement systems, identity governance, risk and control frameworks, and operational resilience tools. Automate triggers that initiate risk assessments when new vendors are onboarded or when services expand.
Data analytics and continuous control monitoring
Use analytics to detect anomalies in vendor performance, financial health, and cyber posture. Integrate external intelligence (news feeds, financial filings, regulatory actions) to monitor early warning signals. Deploy continuous control monitoring to track access logs, configuration changes, and data transfers involving vendor connections.
Provide dashboards to governance committees, compliance officers, and business units. Use predictive analytics to forecast concentration risks and potential SLA breaches, enabling proactive mitigation.
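Continuous control monitoring of vendor connections, as described above, comes down to comparing each vendor access event against the scope that the contract actually grants: named service accounts, the hosts in scope, the contracted maintenance window, a ceiling on data egress, and the contract end date (so that a terminated vendor's credentials are caught the first time they are used). The block below is an added example written for this page, not code from any product or regulator. The log format, the two vendor accounts, the contracted scope values and every log line are constructed; a real deployment would read the same fields from a jump-host, VPN or proxy log.

```python
"""Detection rules for vendor remote-access events against contracted scope.

Added example for this playbook; the log format, vendor accounts, scope
values and log lines are all constructed assumptions.
"""
from collections import defaultdict
from datetime import date, datetime, time
from typing import Dict, List

# Constructed contract scope per vendor service account (hypothetical values).
SCOPE = {
    "svc-payco": {
        "vendor": "PayCo",
        "hosts": {"pay-gw-01", "pay-gw-02"},
        "window_utc": (time(1, 0), time(5, 0)),      # contracted maintenance window
        "max_daily_egress_bytes": 50_000_000,
        "contract_end": date(2025, 12, 31),
    },
    "svc-corebank": {
        "vendor": "CoreBankSaaS",
        "hosts": {"core-app-01"},
        "window_utc": (time(22, 0), time(4, 0)),     # window wraps past midnight
        "max_daily_egress_bytes": 10_000_000,
        "contract_end": date(2024, 2, 29),           # exited; account should be gone
    },
}

# Constructed jump-host log: "<iso-timestamp> key=value ...".
SAMPLE_LOG = """
2024-03-04T02:15:00Z account=svc-payco src=203.0.113.7 host=pay-gw-01 bytes_out=1200 action=ssh
2024-03-04T02:40:00Z account=svc-payco src=203.0.113.7 host=pay-gw-01 bytes_out=30000000 action=scp
2024-03-04T03:05:00Z account=svc-payco src=203.0.113.7 host=pay-gw-02 bytes_out=25000000 action=scp
2024-03-04T14:10:00Z account=svc-payco src=203.0.113.7 host=cust-db-01 bytes_out=500 action=ssh
2024-03-05T02:00:00Z account=svc-corebank src=198.51.100.9 host=core-app-01 bytes_out=0 action=ssh
2024-03-05T02:10:00Z account=svc-unknown src=198.51.100.44 host=core-app-01 bytes_out=0 action=ssh
2024-03-05T09:00:00Z account=jsmith src=10.0.0.5 host=core-app-01 bytes_out=0 action=ssh
""".strip().splitlines()

OUT_OF_SCOPE_HOST = "host outside contracted scope"
OUT_OF_WINDOW = "access outside maintenance window"
AFTER_CONTRACT_END = "access after contract end"
UNKNOWN_VENDOR_ACCOUNT = "unknown vendor account"
EGRESS_EXCEEDED = "daily egress above contracted maximum"


def parse_line(line: str) -> Dict[str, object]:
    """Split the constructed format into a dict with a UTC datetime and int bytes."""
    ts, kv = line.split(" ", 1)
    fields: Dict[str, object] = dict(pair.split("=", 1) for pair in kv.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["bytes_out"] = int(fields.get("bytes_out", 0))
    return fields


def in_window(t: time, window) -> bool:
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # window crosses midnight


def detect(lines: List[str], scope: Dict[str, dict]) -> List[Dict[str, str]]:
    """Per-event checks plus a per-account, per-day egress aggregate."""
    findings: List[Dict[str, str]] = []
    egress = defaultdict(int)             # (account, day) -> bytes out

    def flag(account: str, reason: str, evidence: str) -> None:
        findings.append({"account": account, "reason": reason, "evidence": evidence})

    for line in lines:
        ev = parse_line(line)
        acct = str(ev["account"])
        rule = scope.get(acct)
        if rule is None:
            # Vendor-style account with no contract behind it: orphaned or rogue.
            if acct.startswith("svc-"):
                flag(acct, UNKNOWN_VENDOR_ACCOUNT, line)
            continue                      # staff accounts are out of scope here
        ts: datetime = ev["ts"]           # type: ignore[assignment]
        if ts.date() > rule["contract_end"]:
            flag(acct, AFTER_CONTRACT_END, line)
        if ev["host"] not in rule["hosts"]:
            flag(acct, OUT_OF_SCOPE_HOST, line)
        if not in_window(ts.time(), rule["window_utc"]):
            flag(acct, OUT_OF_WINDOW, line)
        egress[(acct, ts.date())] += int(ev["bytes_out"])

    for (acct, day), total in egress.items():
        if total > scope[acct]["max_daily_egress_bytes"]:
            flag(acct, EGRESS_EXCEEDED, f"{day}: {total} bytes")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, SCOPE):
        print(f"{f['account']:14s} {f['reason']:38s} {f['evidence']}")
```

Each transfer in the sample is individually under the egress ceiling; only the daily aggregate trips it, which is why the egress check runs after the per-event loop. The contract-end rule is the cheapest exit-strategy test there is: if it ever fires, the deprovisioning step of the exit plan did not complete.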
Reporting and metrics
Transparent reporting keeps leadership and regulators informed.
Board reporting
Deliver quarterly board reports covering: inventory of critical vendors, risk ratings, concentration exposures, performance trends, significant incidents, remediation status, and upcoming contract renewals. Highlight regulatory developments and how policies align with new expectations. Provide scenario analysis results and updates on contingency planning exercises.
Include forward-looking indicators such as financial stress signals, cyber risk trends, and supplier market changes. Document board discussions and action items to demonstrate oversight.
Regulatory reporting
Prepare to provide regulators with detailed information on critical outsourcing arrangements, including risk assessments, due diligence documentation, contracts, and monitoring results. Maintain templates for responding to supervisory requests promptly. For institutions within the scope of the EBA guidelines, ensure the outsourcing register captures the required data fields and can be shared with the competent authority in a machine-readable format (EBA Outsourcing Guidelines).
For MAS-supervised institutions, maintain notification workflows for adverse developments and ensure documentation is ready for independent audits. In the U.S., prepare for OCC or Federal Reserve examinations by organizing policies, committee minutes, due diligence files, and monitoring reports.
Implementation roadmap
A phased roadmap allows institutions to strengthen TPRM while maintaining service continuity.
Phase 1: Mobilize (0–120 days)
- Establish governance committees, update policies, and map regulatory requirements across jurisdictions.
- Inventory third-party relationships, classify criticality, and identify documentation gaps.
- Prioritize high-risk vendors for enhanced due diligence and contract remediation.
- Launch quick-win controls, such as incident notification clauses and updated performance dashboards.
Phase 2: Build and integrate (120–300 days)
- Implement TPRM platforms, automate workflows, and integrate with procurement and risk systems.
- Execute enhanced due diligence, concentration analyses, and contract renegotiations for critical vendors.
- Conduct scenario testing with key vendors and update business continuity plans.
- Develop metrics dashboards for board and regulator reporting.
Phase 3: Optimize and assure (300–540 days)
- Embed continuous monitoring, analytics, and predictive indicators for vendor performance.
- Institutionalize independent assurance through internal audit reviews and external assessments.
- Refine concentration risk strategies, diversify critical services, and test exit plans.
- Review regulatory changes annually and update policies, contracts, and monitoring programs.
Resource library
- OCC Bulletin 2023-17 — Third-Party Relationships: Interagency Guidance on Risk Management (issued jointly with the Federal Reserve and FDIC; adopted by the Federal Reserve as SR 23-4/CA 23-3).
- Federal Reserve SR 13-19/CA 13-21 — Guidance on Managing Outsourcing Risk.
- EBA Guidelines on Outsourcing Arrangements — Supervisory expectations for EU institutions.
- MAS Guidelines on Outsourcing — Requirements for Singapore financial institutions.
- Basel Committee Principles for Operational Resilience — Global standards for resilience and third-party dependencies.
Supplement these with industry utilities such as the Shared Assessments Program, Financial Services Information Sharing and Analysis Center (FS-ISAC), and sectoral cyber resilience exercises to maintain situational awareness.
Appendix: Third-party risk checklist
- Maintain an up-to-date inventory of third-party relationships, including criticality, services, data access, and geographic footprint.
- Document risk assessments, due diligence findings, and remediation plans for all critical vendors.
- Ensure contracts include regulatory access, audit rights, incident notifications, performance standards, and exit provisions.
- Integrate TPRM metrics into board reporting and enterprise risk management dashboards.
- Conduct periodic scenario testing, business continuity exercises, and exit rehearsals with critical vendors.
- Monitor concentration risk and implement diversification or contingency strategies.
- Align third-party risk controls with operational resilience and cybersecurity frameworks.
- Automate evidence collection and maintain regulator-ready documentation packages.
- Coordinate with internal audit and compliance for independent assurance and continuous improvement.
- Review regulatory developments annually and update policies, procedures, and contracts.
Applying this checklist ensures third-party risk programs meet regulatory expectations and support resilient operations.