When a bank outsources a function to a third party, the regulatory obligation does not transfer with it. The June 2023 Interagency Guidance on Third-Party Relationships makes this explicit: engaging a third party does not diminish or remove a bank’s responsibility to operate in a safe and sound manner, just as if the bank were performing the service itself.
That framing matters for how examiners approach TPRM reviews. They are not evaluating whether a process exists. They are evaluating whether management can demonstrate that it is working — on an ongoing basis, not just at the last annual review.
Most banks and credit unions have a TPRM program. What FFIEC-aligned examinations are finding is that most of those programs cannot answer the question the guidance actually asks: how do you know your vendors’ risk posture is current?
The regulatory framework FFIEC examiners use in 2026
The current TPRM examination framework for national banks, state member banks, and credit unions is built on two primary documents:
- The Interagency Guidance on Third-Party Relationships: Risk Management, issued June 2023 jointly by the Federal Reserve, FDIC, and OCC — the governing guidance document
- The Third-Party Risk Management: A Guide for Community Banks, published May 2024 by the same agencies — an implementation companion that clarifies how examiners expect the guidance to be applied at community bank scale
Both documents organize TPRM oversight around a five-stage third-party relationship lifecycle. Examiners evaluate programs against all five stages.
Stage four, ongoing monitoring, is where most examination findings originate. The guidance is specific about what ongoing monitoring requires: confirming the quality and sustainability of a third party’s controls, and escalating material audit findings, security breaches, service interruptions, and other indicators of increased risk. That requirement cannot be satisfied by an annual questionnaire.
Ongoing monitoring enables a banking organization to confirm the quality and sustainability of a third party's controls and ability to meet contractual obligations; escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk.
Interagency Guidance on Third-Party Relationships: Risk Management, June 2023
The May 2024 community bank guide further specifies that information security testing results and review and testing of control effectiveness are among the expected sources of ongoing monitoring evidence. That language matters: examiners expect technical evidence of vendor posture, not just documentation that a questionnaire was sent and returned.
Where most bank TPRM programs fail the lifecycle test
The structural problem is that most TPRM tools were built around the due diligence and contract stages — gathering vendor information before engagement and documenting it. What they do not do well is ongoing monitoring, which is the stage examiners scrutinize most closely.
Questionnaire-based programs produce records of what a vendor said about itself at a point in time. When an examiner asks how the institution detects changes in a vendor’s security posture between annual reviews, a questionnaire program has no mechanism to answer. The vendor self-reported twelve months ago. Nothing has been monitored since.
The second gap is data quality at the due diligence and ongoing monitoring stages. Ratings-based platforms aggregate externally observed signals to produce scores. Those scores can misattribute findings to the wrong entity, lag real-world changes by weeks, and produce inconsistent results for the same vendor across platforms. When an examiner asks for the evidentiary basis behind a vendor risk rating, a third-party aggregated score is harder to defend than findings from a direct technical assessment.
The institutions that receive examination findings are rarely those with no TPRM program. They are institutions whose programs satisfy the planning, due diligence, and contract stages but cannot demonstrate that ongoing monitoring is producing current, technically grounded data.
What to evaluate in TPRM software for FFIEC compliance
| Criteria | What to look for | Red flag |
|---|---|---|
| Ongoing monitoring methodology | Direct, non-intrusive scanning of vendor posture producing current technical findings — not reliance on self-assessments or aggregated scores | Questionnaire completion as the primary evidence of ongoing monitoring |
| Data currency | Live or near-real-time data on vendor findings detectable between annual reviews | No mechanism to detect vendor posture changes except at renewal |
| Audit readiness | Examiner-ready reports showing vendor posture at a point in time and over time — satisfying the documentation and reporting governance requirement | Audit trail limited to questionnaire responses and SOC 2 reports collected at onboarding |
| Critical vendor tiering | Ability to apply proportionate monitoring depth by vendor risk tier — aligned with the guidance's higher-risk activity framework | Flat treatment of all vendors regardless of criticality or access to sensitive data |
| Regulatory framework alignment | Built-in mapping to FFIEC, NCUA, NYDFS, and applicable frameworks with examiner-ready output | Generic GRC workflow not specific to financial services regulatory requirements |
TPRM platforms for FFIEC compliance: how they compare
FortifyData
Built around direct, non-intrusive scanning rather than questionnaire workflows or aggregated ratings. FortifyData produces live vendor risk data — findings attributed to the correct entity, updated continuously rather than annually. For FFIEC and interagency guidance requirements, the practical difference is the ability to satisfy the ongoing monitoring stage with technical evidence rather than documentation of self-reported assessments. Financial services clients have used FortifyData to establish examination-ready TPRM programs within 45 days of implementation, including vendor tiering, continuous monitoring methodology, and audit-ready reporting. Pricing is structured for mid-market institutions that need defensible, regulator-ready TPRM without enterprise platform cost.
BitSight
The most recognized name in the category, with strong vendor portfolio monitoring at scale. Primary methodology relies on externally observed signals and aggregated third-party data rather than direct technical scanning — which means findings can lag real-world changes and misattribute risk to the wrong entity. Strongest at the due diligence stage; ongoing monitoring relies on the same ratings signals rather than continuous technical assessment. Pricing scales aggressively with vendor count. Brand recognition makes internal buy-in easier, but examiner questions about the evidentiary basis for ongoing monitoring are harder to answer with aggregated scores.
SecurityScorecard
Similar ratings-based methodology to BitSight with strong enterprise market presence, increasingly positioned around supply chain risk. Same core limitation for ongoing monitoring under the interagency guidance — scores derived from aggregated external signals rather than direct technical assessment of vendor posture. Will compete aggressively on price when a deal is at risk.
Prevalent (Mitratech)
Workflow-heavy platform with strong documentation capability across the full lifecycle — particularly due diligence, contract negotiation, and governance stages. Lighter on continuous technical monitoring for the ongoing monitoring stage. Primary strength is process management and audit documentation rather than real-time risk visibility. Well-suited for institutions where the compliance workflow and documentation requirements are the primary need.
The question the FFIEC guidance is actually asking
The interagency guidance does not require a specific platform. It requires a program that functions across all five lifecycle stages — including ongoing monitoring that produces current, technically grounded evidence of vendor posture. The institutions that handle examinations without findings are the ones that can answer the continuity question, not just demonstrate that they asked the right questions once a year.
The liability does not transfer to the vendor. The board remains accountable. The question is whether the program that management has built gives the board the data to be accountable with confidence.
FortifyData is built for institutions that need to answer that question with current data. Security and compliance teams at banks and credit unions have used it to establish examination-defensible TPRM programs within 45 days — including the monitoring methodology, vendor tiering, and audit-ready reporting that examiners look for across the five lifecycle stages.
If your current TPRM program satisfies due diligence and contract documentation but relies on annual questionnaires for ongoing monitoring, it is worth understanding what continuous technical monitoring looks like before your next examination cycle.