The FDIC's expectations for third-party risk management at community banks are set out in FDIC FIL-44-2008 and the 2023 joint interagency guidance issued with the OCC and Federal Reserve. The FDIC has identified third-party risk management as one of its top examination priorities for community banks and regularly publishes examination findings that cite deficiencies in ongoing vendor monitoring as one of the most common compliance gaps found during examinations.

The Risk-Based Approach Requirement

The FDIC, like the OCC, requires a risk-based approach to vendor management. Not all vendors require the same monitoring intensity. The guidance distinguishes between vendors that provide critical services — those whose failure would materially affect the bank's operations or customers — and vendors providing routine or low-risk services. Critical vendors require more thorough due diligence, more robust contract provisions, and more frequent ongoing monitoring than routine vendors. Banks are expected to document their risk tiering criteria and apply them consistently.

What Examiners Are Citing at Community Banks

FDIC examination findings related to third-party risk most frequently cite: failure to perform ongoing monitoring on critical vendors between annual reviews, absence of OFAC screening for vendor relationships, inadequate documentation of vendor risk assessments, and failure to monitor vendors for financial health signals that could affect service continuity. The FDIC's guidance notes that institutions should be able to demonstrate, with supporting documentation, that monitoring activities are occurring at the frequency required by the bank's own TPRM policy.

The Documentation Requirement

A critical component of FDIC examination readiness for vendor risk is the audit trail. Examiners want to see documented evidence that monitoring activities occurred — not a policy statement saying they will occur. The Banking Vendor Risk AI Agent generates a timestamped monitoring log automatically from the first scan, providing a complete record of every vendor monitored, every source checked, and every finding generated. That log is the documentation the FDIC examiner is asking for.