Bluegrass Cybersecurity Solutions Blog

FFIEC Vendor Management: What Examiners Are Looking for at Your Next Exam

The Problem

Third-party vendor management is one of the most consistently cited examination findings at organizations nationwide. Many smaller organizations still treat it as a checkbox exercise — a folder with certificates of insurance, a few vendor contracts, and a spreadsheet that hasn’t been touched since the last exam cycle.

That approach no longer satisfies examiners. Regulators have spent the past decade ratcheting up expectations, and in 2023 the OCC, FDIC, and Federal Reserve finalized joint guidance formalizing what was previously a patchwork of agency-specific standards. NCUA has followed with parallel expectations for federally insured credit unions. If your program isn’t keeping pace, your next exam may be where you find out.

Why It Matters

Vendor-related enforcement actions have resulted in civil money penalties, consent orders, and mandatory remediation plans — including for institutions that were otherwise well-managed. In several documented cases, smaller institutions faced operational disruptions when a critical vendor experienced a breach or service failure, and the institution had no documented exit strategy or business continuity provision in the contract.

Beyond regulatory risk, vendor exposure is operational risk. Your core processor handles nearly every customer transaction. Your loan origination platform touches borrower data at scale. Your cloud-hosted document system may hold years of sensitive files. When those relationships aren’t properly managed, the institution absorbs the residual risk — regardless of what the service agreement says.

For small regulated institutions, the stakes are higher in one specific way: you typically have fewer vendors, but you are often more operationally dependent on each one. A single critical vendor failure can impair your ability to serve customers in ways a larger institution with redundant systems could absorb.

What Examiners Expect

Examiners use the FFIEC IT Examination Handbook — specifically the Management booklet — as the baseline for evaluating your vendor management program. Here is what they are looking for across six core areas:

1. A Complete Vendor Inventory

Examiners want to see a current, comprehensive list of all third-party relationships, organized by the business function they support. This includes software vendors, cloud providers, payment processors, consultants with system access, and any other party handling customer data or supporting critical operations.

2. Risk Tiering and Criticality Scoring

Not all vendors carry the same risk. Examiners expect a documented methodology for scoring and tiering vendors — typically Critical, High, Medium, and Low — based on factors such as access to nonpublic customer information, operational dependency, and concentration risk. Your due diligence and review frequency should follow from that tiering.

3. Pre-Contract Due Diligence

Before entering a significant vendor relationship, examiners expect documented evidence that you evaluated the vendor’s financial stability, security posture, regulatory history, and operational resilience. SOC 2 Type II reports have become a standard expectation for any vendor with access to customer data or core systems.

4. Ongoing Monitoring and Annual Reviews

Initial due diligence is not enough. Examiners look for evidence of periodic reviews — at minimum annually for Critical and High-tier vendors — including review of updated SOC reports, financial statements, and any reported security incidents or regulatory actions against the vendor since your last review.

5. Contract Provisions

Examiners will pull vendor contracts and look for specific provisions: right-to-audit clauses, data breach notification timelines, business continuity and disaster recovery requirements, data return or destruction upon contract termination, and subcontractor disclosure. Missing or vague contract language is a common finding that results in required remediation.

6. Board-Level Oversight and Reporting

Your board of directors (or a designated committee) should receive regular reporting on the status of your vendor management program — including new or terminated relationships, open risks, and results of annual reviews. Examiners will ask for board or committee meeting minutes demonstrating that this oversight is actually occurring.

How to Fix It

If your vendor management program needs significant work, prioritize these four steps before your next examination cycle:

  1. Build your inventory first. Pull every active vendor contract and create a register with vendor name, service type, data access (yes or no), contract expiration, and an initial criticality estimate. Even a spreadsheet is fine at this stage — visibility is the goal.
  2. Tier your vendors using a documented scoring matrix. Weight factors by data access, operational dependency, and financial impact of disruption. Your top five to ten vendors will become the focus of your most intensive due diligence. Document the scoring criteria so you can apply them consistently going forward.
  3. Request and review current SOC 2 Type II reports. For any vendor with access to customer data or critical systems, obtain their most recent report. Assign a staff member to review it, and note the coverage period, scope, and any exceptions or deviations — then document that review.
  4. Document everything in writing. Examiners review documentation as much as they evaluate practice. A well-run vendor program with poor documentation will still generate findings. Create a standard template for pre-contract due diligence and annual review so the documentation process is repeatable.
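The four steps above amount to a small, repeatable procedure: keep a register, score each vendor against a fixed matrix, derive a tier, and check that the documentation the tier demands (SOC 2 Type II report, annual review) is actually on file. The script below is an added example written for this post, not code from Bluegrass Cybersecurity Solutions or from any regulator. The factor weights, tier thresholds, review intervals for Medium and Low vendors, the 90-day contract-expiry window, and the three sample vendors are all constructed assumptions chosen to illustrate the mechanics; the page gives no specific numbers, so calibrate them to your own policy.

```python
"""Vendor register tiering and review-cadence check (added example, not the post's own code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed weights for the three scoring factors named in step 2.
# Each factor is rated 0 (none) to 3 (maximum) in the register.
WEIGHTS = {"data_access": 3, "operational_dependency": 2, "financial_impact": 2}

# Assumed tier thresholds on the weighted score (maximum possible score is 21).
# Evaluated top-down: the first threshold the score meets wins.
TIER_THRESHOLDS = [(16, "Critical"), (11, "High"), (6, "Medium"), (0, "Low")]

# Review cadence: at least annual for Critical and High (section 4 of the post);
# the 24-month interval for Medium and Low is an assumption.
REVIEW_INTERVAL_DAYS = {"Critical": 365, "High": 365, "Medium": 730, "Low": 730}

CONTRACT_WARNING_DAYS = 90  # assumed lead time for renewal or exit planning


@dataclass
class Vendor:
    """One row of the vendor register from step 1, plus the scoring inputs from step 2."""
    name: str
    service_type: str
    data_access: int             # 0 = no customer data .. 3 = broad nonpublic customer information
    operational_dependency: int  # 0 = none .. 3 = cannot serve customers without it
    financial_impact: int        # 0 = negligible .. 3 = severe impact if the service is disrupted
    contract_expires: date
    soc2_on_file: bool           # current SOC 2 Type II report received and reviewed (step 3)
    last_review: Optional[date]  # date of the last documented due-diligence or annual review


def score(v: Vendor) -> int:
    """Weighted criticality score using the factor weights above."""
    return sum(WEIGHTS[factor] * getattr(v, factor) for factor in WEIGHTS)


def tier(v: Vendor) -> str:
    """Map the weighted score to a tier label."""
    s = score(v)
    for threshold, label in TIER_THRESHOLDS:
        if s >= threshold:
            return label
    return "Low"


def findings(v: Vendor, today: date) -> list[str]:
    """Documentation gaps an examiner would ask about for this vendor."""
    t = tier(v)
    out: list[str] = []
    # Step 3: SOC 2 Type II expected for high-tier vendors that touch customer data.
    if t in ("Critical", "High") and v.data_access > 0 and not v.soc2_on_file:
        out.append("missing SOC 2 Type II report")
    # Section 4: periodic review evidence; assumed that every vendor needs at least one.
    if v.last_review is None:
        out.append("no documented review")
    elif (today - v.last_review).days > REVIEW_INTERVAL_DAYS[t]:
        out.append("review overdue")
    # Register hygiene: surface contracts approaching expiry.
    if v.contract_expires - today < timedelta(days=CONTRACT_WARNING_DAYS):
        out.append(f"contract expires within {CONTRACT_WARNING_DAYS} days")
    return out


def report(vendors: list[Vendor], today: date) -> dict[str, dict]:
    """Score, tier and check every vendor; returns a dict keyed by vendor name."""
    return {
        v.name: {"score": score(v), "tier": tier(v), "findings": findings(v, today)}
        for v in vendors
    }


# Constructed sample register and reference date; not real vendors.
TODAY = date(2025, 6, 30)
SAMPLE_VENDORS = [
    Vendor("Core processor (sample)", "core banking", 3, 3, 3, date(2026, 12, 31), True, date(2024, 5, 1)),
    Vendor("Loan origination SaaS (sample)", "lending", 3, 2, 2, date(2025, 8, 15), False, date(2025, 1, 10)),
    Vendor("Office cleaning (sample)", "facilities", 0, 0, 0, date(2026, 1, 1), False, None),
]

if __name__ == "__main__":
    for name, row in report(SAMPLE_VENDORS, TODAY).items():
        gaps = "; ".join(row["findings"]) or "no findings"
        print(f"{name}: {row['tier']} (score {row['score']}) -> {gaps}")
```

Running it against the sample register tiers the core processor and the loan origination platform as Critical and flags the stale annual review on one and the missing SOC 2 report and imminent contract expiry on the other, while the facilities vendor lands in Low with only a missing review. Because the weights and thresholds live in one place at the top, the same matrix can be applied to every vendor and shown to an examiner as the documented scoring criteria step 2 calls for.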

Practical Checklist

Before your next examination, confirm your vendor management program includes all of the following:

  • A complete vendor inventory with criticality tiers assigned to each relationship
  • A written, board-approved vendor management policy reviewed within the last 12 months
  • Pre-contract due diligence documented for all vendors onboarded in the last 24 months
  • Current SOC 2 Type II reports on file for all Critical and High-tier vendors
  • Annual review documentation completed for all Critical and High-tier vendors
  • Contracts reviewed for right-to-audit, breach notification, BCP/DR provisions, and data disposition clauses
  • A documented exit strategy or transition plan for each Critical vendor
  • Board or committee meeting minutes reflecting vendor management reporting within the last 12 months

Need help implementing this? Book a $500 Risk Assessment.