Article | March 25, 2025

U.S. regulators prioritize vendor management in 2025


Vendor management remains a top regulatory focus in 2025. Speaking at the Banking Outlook Conference in February, Joe Val-Llobera of the Federal Reserve Bank of Atlanta emphasized that despite ongoing regulatory uncertainties, strong vendor management processes continue to be a fundamental part of banking operations, and regulators are paying close attention.

The importance of third-party risk management was reinforced in June 2023, when the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued interagency guidance for managing third-party vendor risks. This updated framework replaces earlier regulations and remains the most current regulatory directive on the subject, reflecting the increasing reliance on external service providers, particularly fintech firms. As digital offerings expand, banks are seeking ways to enhance their technology stack through strategic partnerships with third-party providers.

For banks and financial institutions, strong vendor management is a regulatory expectation. Examiners continue to scrutinize how well banks assess, monitor, and manage their third-party relationships. Concerns also exist around monitoring non-financial risks, such as reputational and compliance risks. Let’s explore what this means and how institutions can strengthen their risk management strategies.

Phases of Vendor Risk Management

The 2023 guidance outlines five phases in managing third-party relationships that are still relevant today: planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination. Here’s what banks should consider at each stage.

1. Planning

Before working with a vendor, banks need to assess whether the third party aligns with their business goals and risk tolerance. Considerations include:

  • How critical is the vendor’s service to daily operations?
  • Will it impact customer data, compliance, or cybersecurity?
  • How does it fit within existing processes and systems?

As financial institutions expand digital offerings, integrating them smoothly within the existing technology infrastructure becomes increasingly important. Senior management and the board should be involved in the planning process and in aligning vendor selection with the bank’s overall strategy.

2. Due Diligence & Vendor Selection

Not all vendors carry the same level of risk, so due diligence efforts should match the complexity and risk level of each third-party relationship. Higher-risk vendors, especially those handling sensitive data or performing critical operations, require a more detailed evaluation.

A strong due diligence process should:

  • Identify potential risks and how they can be mitigated.
  • Assess the vendor’s risk factors including (but not limited to) security, financial stability, and regulatory compliance.
  • Evaluate the vendor’s ability to support the bank’s digital needs and technology enhancements.
  • Consider co-sourcing due diligence tasks to external specialists, while the bank retains final decision-making responsibility.

3. Contract Negotiation

A well-structured contract clearly defines roles, responsibilities, and risk-sharing between the bank and the vendor. Banks should discuss contract requirements and modifications with vendors and negotiate provisions that facilitate effective risk management.

Senior leadership, legal teams, and compliance officers should be involved in contract reviews to align with regulatory requirements and risk management expectations.

4. Ongoing Monitoring

Vendor oversight doesn’t stop after signing the contract. Banks need structured monitoring to evaluate vendor performance and identify emerging risks. However, many institutions struggle with monitoring non-financial risks, such as operational disruptions, reputational harm and compliance challenges, which can have significant long-term impacts.

Monitoring activities may include:

  • Tracking changes in financial health, security practices, and regulatory compliance.
  • Reviewing audit reports and security certifications.
  • Identifying red flags like data breaches, operational failures, or regulatory violations.
  • Addressing non-financial risks, such as ethical concerns, service quality issues, and reputational threats.

Escalating concerns to senior management or the board when necessary helps to mitigate risks before they become major issues.

5. Termination

Ending a vendor relationship, whether through expiration or breach, requires careful planning to minimize disruptions. A well-considered exit strategy includes:

  • Transitioning to a new service provider or discontinuing service.
  • Handling sensitive or confidential information post-termination.
  • Managing business continuity during the transition.

What to Expect Under Increased Scrutiny

Examiners are closely watching vendor management practices with a focus on:

  • How banks identify and assess risks in third-party relationships.
  • Whether oversight responsibilities are clearly assigned and documented.
  • Whether ongoing monitoring processes proactively address risks.

Regulators also have the authority to examine third-party vendors if necessary, reinforcing the importance of strong vendor oversight.

Internal Controls in Vendor Risk Management

Vendor management impacts a bank’s internal controls and financial reporting. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which outlines key principles for risk management and internal controls, applies directly to third-party risk management.

Examples of internal controls include:

  • Approving new vendors and updating vendor records with proper oversight.
  • Conducting independent reviews of vendor agreements and performance reports.
  • Reviewing audit reports to identify potential weaknesses.
  • Monitoring financial disclosures for conflicts of interest or compliance concerns.

By integrating vendor management into broader risk and control frameworks, banks can protect themselves from financial, operational, and reputational risks.

We Can Help

As banks deepen their reliance on vendors and fintech companies, regulators are reinforcing expectations for strong vendor oversight. Institutions that proactively assess, monitor, and manage vendor risks will be in a better position to pass regulatory exams and strengthen overall operations.

Need assistance with vendor risk management? Our team at Elliott Davis can help banks strengthen their third-party risk programs and prepare for regulatory scrutiny.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
