The Interagency Guidance on Third-Party Relationships — issued jointly by the OCC, FDIC, and Federal Reserve Board in 2023 — is the primary regulatory framework governing how banks manage vendor and service provider relationships. It applies to national banks, federal savings associations, state non-member banks, state member banks, and bank holding companies. Credit unions are governed by parallel NCUA guidance. Understanding what the guidance actually requires — not just what practitioners assume it requires — is the starting point for building a compliant program.
The Core Requirement: Risk-Based Lifecycle Management
The guidance does not specify a particular monitoring frequency, a specific list of data sources to check, or a required audit format. What it specifies is a principles-based framework: banks must manage risks from third-party relationships throughout the entire lifecycle of each relationship, and the intensity of risk management activities must be commensurate with the risk level of each relationship. A critical technology vendor requires more intensive monitoring than an office supply company — but both require some level of ongoing monitoring.
What Ongoing Monitoring Must Include
The guidance identifies specific elements of ongoing monitoring: reviewing the third party's financial condition, monitoring for compliance with laws and regulations, reviewing audits and assessments, evaluating the third party's information security, and monitoring for adverse events including regulatory actions and news coverage. These are not aspirational — they are the minimum expected practices for critical and significant vendor relationships.
The Documentation Expectation
The guidance explicitly states that banks should maintain documentation of their third-party risk management activities. This includes documentation of the risk assessment at onboarding, the monitoring activities performed during the relationship, and any findings or remediation actions. The documentation is what an examiner reviews to determine whether the bank's TPRM program is operating as described in its policies. The Banking Vendor Risk AI Agent generates this documentation automatically as a byproduct of the monitoring activities.