
Build continuous vendor compliance monitoring

Use this guide to operationalize regulatory expectations from OCC Bulletin 2023-17, Federal Reserve SR 13-19/CA 13-21, EBA outsourcing, and DORA Articles 28–32 with telemetry, attestations, and joint testing so vendor performance is provable year-round.

Updated with SOC 2 bridge letter handling, DORA critical ICT provider oversight requirements, and evidence templates aligned to ISO/IEC 27036 and SSAE 18.


Executive summary

Supervisors now expect continuous oversight across the whole vendor lifecycle, not a point-in-time onboarding review. OCC Bulletin 2023-17 (the interagency third-party guidance, which the Federal Reserve issued as SR 23-4 to carry forward SR 13-19) requires banks to monitor performance, information security, and resilience with documented triggers for escalation. The EBA outsourcing guidelines demand risk-based monitoring and notification of material changes, while DORA extends comparable obligations to ICT third-party providers through contractual access, inspection and audit rights. SSAE 18 and ISO/IEC 27036 both stress complementary user entity controls and shared responsibility: a clean SOC report only supports reliance if your side of the controls is tested too. This guide provides an operating model that meets those expectations with real telemetry, disciplined evidence handling, and thresholds that drive action.

Segment vendors and define monitoring depth

Tier vendors by criticality using impact criteria (customer harm, financial reporting, regulatory exposure, data sensitivity, concentration). Map each tier to monitoring depth:

  • Critical/Material. Continuous SLA/SLO telemetry, quarterly control attestations, annual onsite or virtual assessments, and contract clauses that grant unrestricted access, inspection and audit rights to you and to competent authorities (DORA Article 30) together with documented exit plans (DORA Article 28).
  • High. Monthly KPI/KRI reviews, SOC 1/SOC 2 reliance with CUEC testing, annual participation in resilience testing, and incident notification SLAs short enough for you to meet DORA Article 19 reporting deadlines to your competent authority.
  • Standard. Quarterly scorecards covering availability, security incidents, and compliance attestations; periodic penetration test summaries or current ISO/IEC certifications.

Document segmentation decisions with rationale and approvals. Link tiers to funding for monitoring tools and to staffing plans for due diligence and remediation follow-up.

Instrument telemetry and assurance inputs

Collect data directly from providers wherever feasible:

  • Operational telemetry. Uptime, latency, error rates, capacity utilisation, change windows, and patch cadence via APIs or portal exports. Require time-synchronised (NTP-disciplined, UTC) logs and change tickets for critical services so vendor records can be correlated with your own.
  • Security signals. Vulnerability scan cadence, incident notifications, third-party breach disclosures, and MFA/privileged access metrics. Request SBOMs and exploitability data (for example VEX statements) from software suppliers so you can tell which disclosed CVEs actually affect the delivered product.
  • Compliance attestations. SOC 1/SOC 2 Type II reports mapped to your control objectives, ISO/IEC 27001 certificates or PCI DSS attestations of compliance, penetration test summaries, and privacy assessments where processors handle personal data.

Create ingestion playbooks that validate timestamps (parseable, timezone-aware, monotonic), field parameters, and completeness against the agreed reporting cadence, so a silent export failure is flagged rather than read as a quiet month. Tag each telemetry batch with the change-ticket references in force at the time so anomalies can be correlated with vendor changes. When relying on SOC reports, test the complementary user entity controls and track the examination period plus any bridge letter coverage; a reliance period with an uncovered gap, or a bridge letter that has lapsed, is not defensible to an examiner.
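The two checks that playbook needs most often are shown below as an added Python example (not code from the original page): one computes uncovered days between a SOC 2 Type II period, its bridge letters and the date you are relying on them; the other validates a telemetry export for missing fields, naive or unparseable timestamps, ordering, and completeness against the expected cadence. The dates, field names and records are constructed for illustration.

```python
"""Assurance-currency and telemetry-completeness checks (added example).

Coverage dates, field names and sample records below are constructed
assumptions, not a real vendor's data.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass(frozen=True)
class Coverage:
    kind: str    # "soc2_type2" (examination period) or "bridge_letter"
    start: date
    end: date    # inclusive


def coverage_gaps(intervals, as_of):
    """Return (gaps, days_uncovered_now).

    gaps: (first_uncovered_day, last_uncovered_day) pairs between the
    earliest covered date and the latest one. days_uncovered_now: how far
    as_of lies beyond the latest covered date (0 while still covered).
    """
    ivs = sorted(intervals, key=lambda c: c.start)
    gaps = []
    cursor = ivs[0].start          # latest date known to be covered
    for c in ivs:
        if c.start > cursor + timedelta(days=1):
            gaps.append((cursor + timedelta(days=1), c.start - timedelta(days=1)))
        cursor = max(cursor, c.end)
    return gaps, max(0, (as_of - cursor).days)


REQUIRED = ("ts", "service", "availability_pct", "change_ref")


def validate_telemetry(records, expected_interval, window_start, window_end):
    """Validate a vendor export: required fields, aware timestamps,
    monotonic order, sane values, and row count versus the agreed cadence."""
    errors, seen = [], []
    for i, r in enumerate(records):
        missing = [k for k in REQUIRED if k not in r]
        if missing:
            errors.append(f"row {i}: missing {missing}")
            continue
        try:
            ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"row {i}: unparseable timestamp {r['ts']!r}")
            continue
        if ts.tzinfo is None:
            errors.append(f"row {i}: timestamp lacks timezone")
            continue
        if seen and ts < seen[-1]:
            errors.append(f"row {i}: out of order")
        if not 0.0 <= float(r["availability_pct"]) <= 100.0:
            errors.append(f"row {i}: availability out of range")
        seen.append(ts)
    expected = int((window_end - window_start) / expected_interval)
    in_window = sum(1 for t in seen if window_start <= t < window_end)
    return {"errors": errors,
            "completeness": in_window / expected if expected else 0.0}


# Constructed sample: SOC 2 period, a bridge letter, then a one-month hole
# before the next examination period begins.
SAMPLE_COVERAGE = [
    Coverage("soc2_type2", date(2024, 1, 1), date(2024, 9, 30)),
    Coverage("bridge_letter", date(2024, 10, 1), date(2024, 12, 31)),
    Coverage("soc2_type2", date(2025, 2, 1), date(2025, 10, 31)),
]

# Constructed sample export at a 15-minute cadence; row 2 has a naive
# timestamp and row 3 lacks its change reference.
SAMPLE_RECORDS = [
    {"ts": "2025-11-01T00:00:00Z", "service": "payments-api",
     "availability_pct": 100.0, "change_ref": "CHG-1042"},
    {"ts": "2025-11-01T00:15:00Z", "service": "payments-api",
     "availability_pct": 99.9, "change_ref": "CHG-1042"},
    {"ts": "2025-11-01T00:30:00", "service": "payments-api",
     "availability_pct": 99.5, "change_ref": "CHG-1042"},
    {"ts": "2025-11-01T00:45:00Z", "service": "payments-api",
     "availability_pct": 98.0},
]


def run_sample():
    """Run both checks on the constructed samples; returns plain values."""
    gaps, uncovered = coverage_gaps(SAMPLE_COVERAGE, date(2025, 11, 20))
    res = validate_telemetry(
        SAMPLE_RECORDS, timedelta(minutes=15),
        datetime(2025, 11, 1, tzinfo=timezone.utc),
        datetime(2025, 11, 1, 1, tzinfo=timezone.utc))
    return {"gaps": [(g[0].isoformat(), g[1].isoformat()) for g in gaps],
            "days_uncovered": uncovered,
            "completeness": res["completeness"],
            "error_count": len(res["errors"])}


if __name__ == "__main__":
    print(run_sample())
```

On the sample, the January 2025 hole and the 20 days since the last covered date are both reported; treating either as acceptable is a decision the council should record, not a default. The telemetry check reports 50 % completeness because two of the four expected rows were rejected, which is the signal that should block the scorecard rather than silently lower an average.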

Dashboard the oversight package

Anchor monitoring in a single view that blends operational telemetry, assurance currency, and regulatory readiness. The layout below is built around what OCC 2023-17, SR 13-19, the EBA outsourcing guidelines and ISO/IEC 27036 expect a monitoring programme to evidence, and around DORA's register and oversight provisions for critical ICT third-party providers (Articles 28 to 32).

[Figure: dashboard layout showing service health, assurance currency, control performance, financial health, and regulatory readiness widgets for critical vendors.]
Each widget is linked to underlying evidence: SLA and error-budget telemetry, SOC/ISO attestations and bridge windows, issue remediation queues, financial health signals, and notification timers for DORA/GDPR and contract SLAs.

Run monitoring councils and escalation paths

Establish a vendor compliance council with representatives from procurement, security, resilience, legal, finance, and business owners. Set agendas that cover risk themes, exceptions, remediation velocity, and contract enforcement. Maintain decision logs and assign actions with due dates.

Define escalation triggers in measurable terms: SLA breaches or error-budget burn that projects to a breach before period end, repeated change failures within a rolling window, SOC bridge periods that have lapsed or were never validated, failed disaster recovery tests, or regulatory notifications. Pair each trigger with a required action (heightened monitoring, a dated remediation plan, or contingency activation) and an owner, so the council is deciding on evidence rather than debating whether a threshold was crossed. For DORA-critical ICT providers, pre-authorise regulator notifications and joint exercises so escalation does not stall on approvals.
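An added Python example of evaluating those triggers from telemetry rather than by eye (not code from the original page). It turns an SLA target into an error budget for the period, sums clipped incident downtime, computes burn rate against elapsed time so an emerging breach escalates before month end, counts failed changes in a trailing window, and folds in the bridge-coverage, DR-test and regulatory-notification triggers. Thresholds, field names, severities, actions and the sample vendor record are constructed assumptions; the page does not prescribe them.

```python
"""Escalation-trigger evaluation from vendor telemetry (added example).

Thresholds, actions and the sample vendor record are constructed
assumptions; tune them per vendor tier.
"""
from datetime import datetime, timedelta, timezone

MINUTES_PER_DAY = 24 * 60
BURN_RATE_ALERT = 2.0        # assumed: budget being spent 2x faster than time
CHANGE_FAILURE_WINDOW = timedelta(days=30)


def error_budget_minutes(sla_target_pct, period_days):
    """Downtime the SLA permits over the period (99.9 % over 30 days = 43.2 min)."""
    return (100.0 - sla_target_pct) / 100.0 * period_days * MINUTES_PER_DAY


def downtime_minutes(incidents, period_start, period_end):
    """Sum customer-impacting downtime, clipping each incident to the period."""
    total = 0.0
    for inc in incidents:
        s, e = max(inc["start"], period_start), min(inc["end"], period_end)
        if e > s:
            total += (e - s).total_seconds() / 60
    return total


def burn_rate(consumed, budget, elapsed_fraction):
    """Ratio of budget consumed to period elapsed; >1.0 trends toward breach."""
    if budget <= 0 or elapsed_fraction <= 0:
        return float("inf")
    return (consumed / budget) / elapsed_fraction


def evaluate_triggers(vendor, now):
    """Return (trigger, severity, required_action) tuples for a vendor record."""
    triggers = []
    ps, pe = vendor["period_start"], vendor["period_end"]
    elapsed = (now - ps) / (pe - ps)
    budget = error_budget_minutes(vendor["sla_target_pct"], (pe - ps).days)
    consumed = downtime_minutes(vendor["incidents"], ps, now)
    if consumed >= budget:
        triggers.append(("sla_breach", "critical",
                         "open remediation plan; invoke contract remedies"))
    elif burn_rate(consumed, budget, elapsed) >= BURN_RATE_ALERT:
        triggers.append(("error_budget_burn", "high",
                         "heightened monitoring; vendor RCA within 5 business days"))
    failed = [c for c in vendor["changes"]
              if c["at"] >= now - CHANGE_FAILURE_WINDOW and c["outcome"] == "failed"]
    if len(failed) >= vendor.get("max_failed_changes", 3):
        triggers.append(("repeated_change_failure", "high",
                         "freeze non-emergency changes pending joint review"))
    if vendor["bridge_days_uncovered"] > 0:
        triggers.append(("unvalidated_bridge_period", "medium",
                         "request bridge letter; suspend SOC reliance until received"))
    if vendor["last_dr_test"] == "failed":
        triggers.append(("failed_dr_test", "critical",
                         "re-test within 30 days; review contingency activation"))
    if vendor["regulatory_notification"]:
        triggers.append(("regulatory_notification", "high",
                         "notify legal and compliance; assess reporting obligations"))
    return triggers


UTC = timezone.utc
# Constructed sample: 30 minutes of downtime 10 days into a 30-day period
# against a 99.9 % SLA (43.2 min budget), plus three failed changes.
SAMPLE_VENDOR = {
    "period_start": datetime(2025, 11, 1, tzinfo=UTC),
    "period_end": datetime(2025, 12, 1, tzinfo=UTC),
    "sla_target_pct": 99.9,
    "incidents": [
        {"start": datetime(2025, 11, 3, 2, 0, tzinfo=UTC),
         "end": datetime(2025, 11, 3, 2, 20, tzinfo=UTC)},
        {"start": datetime(2025, 11, 8, 14, 0, tzinfo=UTC),
         "end": datetime(2025, 11, 8, 14, 10, tzinfo=UTC)},
    ],
    "changes": [
        {"at": datetime(2025, 11, 2, tzinfo=UTC), "outcome": "failed"},
        {"at": datetime(2025, 11, 5, tzinfo=UTC), "outcome": "succeeded"},
        {"at": datetime(2025, 11, 7, tzinfo=UTC), "outcome": "failed"},
        {"at": datetime(2025, 11, 9, tzinfo=UTC), "outcome": "failed"},
    ],
    "bridge_days_uncovered": 0,
    "last_dr_test": "passed",
    "regulatory_notification": False,
}


def run_sample():
    """Evaluate the constructed vendor 10 days into the period."""
    now = datetime(2025, 11, 11, tzinfo=UTC)
    return [t[0] for t in evaluate_triggers(SAMPLE_VENDOR, now)]


if __name__ == "__main__":
    for name, sev, action in evaluate_triggers(
            SAMPLE_VENDOR, datetime(2025, 11, 11, tzinfo=UTC)):
        print(f"{sev:8} {name:26} -> {action}")
```

Thirty minutes consumed against a 43.2-minute budget is not yet a breach, but with a third of the month elapsed the burn rate is about 2.08, so the vendor is escalated while there is still time to change the outcome; three failed changes in the trailing window fire the second trigger. Keep the threshold constants in the council's decision log so the scorecard and the escalation rules cannot drift apart.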

Publish scorecards that align to OCC/EBA oversight expectations: concentration metrics, dependency mapping, open issues, financial health indicators, and sub-outsourcing visibility. Provide board and audit committee summaries tied to SR 13-19 and DORA governance provisions.

Exercise resilience and validate controls

Run joint testing with critical vendors at least annually: failover drills, cyber incident simulations, data restoration exercises, and capacity stress tests. Capture evidence of roles, communication paths, and recovery outcomes. Align testing scope to contractual RTO/RPO commitments and regulatory expectations.

For cloud and SaaS providers, request participation in tabletop scenarios covering security incidents, data corruption, and regional outages. Validate that evidence is shared within agreed timelines and that corrective actions are tracked through closure. Tie testing results to contract remedies or fee adjustments where warranted.

Manage lifecycle changes and exit

Monitor ownership changes, financial health, and regulatory actions affecting key suppliers. Require notification for material subcontracting and data location changes. Update risk assessments and contract clauses when scope or technology shifts occur.

Maintain tested exit plans with evidence of data return and destruction, transition assistance, and knowledge transfer steps. To satisfy DORA and EBA expectations, retain records of exit rehearsals and logs of vendor cooperation during them. Confirm that backups, escrow arrangements, and alternative providers for critical services have actually been validated, not just listed in the plan.