Bank examiners approach vendor risk management with a specific set of questions that test whether the institution's third-party risk management (TPRM) program meets the ongoing monitoring standard in the interagency guidance. Knowing exactly what those questions are, and having documented, specific answers ready, is the difference between a clean exam finding and a Matter Requiring Attention that goes to the board.

The Four Questions Every Examiner Asks

Question 1: "Describe your ongoing vendor monitoring process." This question tests whether monitoring is actually ongoing — not just annual — and whether it covers the sources the guidance identifies. The expected answer describes monitoring frequency, the data sources checked, how findings are classified, and how they are routed for action. A compliance officer who responds with "we send annual questionnaires" is giving an answer that does not satisfy the ongoing monitoring standard.

Question 2: "How did you learn about [specific adverse event] involving [vendor]?" This question often comes after the examiner has already identified an event — a data breach, a regulatory enforcement action, a significant financial filing — that occurred months before the examination. The examiner is testing whether the bank detected it in real time or learned about it from the examiner. Learning about it from the examiner is the citation.

Question 3: "How do you assess vendor financial health between annual reviews?" This question tests whether the bank has a mechanism for detecting financial distress signals — credit deterioration, UCC liens, bankruptcy filings — that emerge between scheduled reviews. Annual questionnaires do not provide this. Ongoing monitoring of financial health data does.

Question 4: "Do you screen vendors against OFAC? Show me the screening log." This is a documentation request. The examiner wants to see evidence that OFAC (Office of Foreign Assets Control) screening happened: when, for which vendors, and what the results were. A verbal "yes, we do that" without a log does not satisfy the documentation requirement.

What a Prepared Answer Looks Like

A compliance officer with the Banking Vendor Risk AI Agent running answers all four questions by opening the monitoring log: 12 months of daily scans, OFAC screening results, financial health alerts, adverse media flags, and routing records. The documentation exists automatically. The preparation time is pulling up the log, not reconstructing what should have been documented.