SOP Template: Vendor Management for Financial Services
Free vendor management SOP template for financial services. Covers vendor due diligence, risk assessment, contract review, ongoing monitoring, and regulatory compliance.
Purpose
Establish a repeatable process for evaluating, onboarding, monitoring, and managing third-party vendors at your financial institution. This SOP ensures that vendor relationships are assessed for risk before contracts are signed, monitored throughout the engagement, and documented to the standard regulators expect. Financial regulators hold your institution accountable for the actions of your vendors — this SOP is how you demonstrate that accountability.
Scope
Covers the full lifecycle of third-party vendor relationships at banks, credit unions, investment firms, and fintech companies. Includes initial due diligence, risk assessment, contract review, onboarding, ongoing monitoring, and termination. Applies to all vendors that access customer data, provide critical services, or affect regulatory compliance. Does not cover procurement of commodity goods or services that involve no data access or operational dependency.
Prerequisites
- Vendor management policy approved by the board of directors
- Vendor risk classification framework defined (critical, significant, limited)
- Vendor management platform configured (Archer, ServiceNow VRM, or equivalent)
- Legal review process established for vendor contracts
- SOC report review procedures documented for critical vendors
Roles & Responsibilities
Vendor Management Officer
- Own the vendor management program and ensure all vendors are assessed and monitored
- Maintain the vendor inventory with current risk classifications
- Coordinate annual vendor reviews and due diligence renewals
Information Security Officer
- Review vendor security posture through SOC reports, penetration test results, and security questionnaires
- Assess data security risks for vendors that access or store customer financial data
- Approve or reject vendor access to institution systems and data
Compliance Officer
- Verify vendor activities comply with applicable regulations (GLBA, BSA/AML, PCI DSS) and that the vendor's own compliance evidence is current
- Review vendor contracts for required regulatory clauses
- Report vendor management program status to the board and examiners
Business Unit Owner
- Serve as the primary relationship owner for vendors in their department
- Monitor vendor performance against contract SLAs
- Escalate vendor issues to the Vendor Management Officer
Procedure
Before engaging any new vendor, the requesting business unit must define the business need and the type of relationship being established. Classify the vendor as critical, significant, or limited based on the services they will provide, the data they will access, and the impact on operations if the vendor fails to perform.
- a. Document the business need and why an external vendor is required
- b. Determine what customer data or institution data the vendor will access
- c. Assess the operational impact if the vendor's services are disrupted
- d. Classify the vendor relationship using the risk classification framework
- e. Identify the business unit owner who will manage the relationship
Key Performance Indicators
- Vendors with current due diligence on file: 100% of active vendors
- Critical vendor review frequency: quarterly reviews completed on schedule
- Vendor SLA compliance rate: 95% or higher across all vendors
- Board reporting timeliness: report delivered at every scheduled board meeting
- Vendor data destruction confirmation upon termination: 100% of terminated vendors provide written confirmation
Why This Matters for Financial Services
Financial regulators are clear: your institution is responsible for the actions of its vendors. The Interagency Guidance on Third-Party Relationships: Risk Management, issued jointly by the OCC, FDIC, and Federal Reserve in June 2023 and published by the OCC as Bulletin 2023-17, establishes that banks must manage third-party risk with the same rigor they apply to their own operations. Examiners routinely test vendor management programs during IT and safety-and-soundness examinations. Institutions with weak vendor oversight face Matters Requiring Attention (MRAs), enforcement actions, and, in severe cases, restrictions on new vendor relationships. With core banking, payment processing, and compliance monitoring increasingly outsourced to FIS, Fiserv, Jack Henry, and specialized fintech providers, the vendor management program is now a critical regulatory control.
Common Mistakes
- Performing due diligence only at the start of the relationship and never renewing it; examiners flag stale due diligence as a control weakness
- Classifying core banking and payment processing vendors as 'significant' instead of 'critical' to reduce oversight requirements
- Not including right-to-audit and regulatory examination access clauses in vendor contracts, which limits both your institution's and the examiner's ability to oversee the vendor
- Treating SOC report review as a checkbox rather than reading the report: check the opinion, the exceptions noted against each control, any subservice organizations carved out of scope, and the complementary user entity controls the report assumes your institution has in place
- Allowing vendor access to systems and data (accounts, VPN connections, API keys, data feeds) to persist after the relationship is terminated
Financial Services-Specific Notes
OCC Bulletin 2023-17 and the FDIC's Guidance on Third-Party Relationships (FIL-44-2023) carry the same interagency guidance and establish the regulatory framework for vendor management in banking: risk-based due diligence, contract provisions for regulatory access, ongoing monitoring, and board oversight. FINRA Regulatory Notice 21-29 addresses broker-dealer supervisory obligations when outsourcing to vendors. Institutions using FIS, Fiserv, Jack Henry, or Temenos as their core banking provider should treat these vendors as critical relationships and conduct the most rigorous level of due diligence and monitoring. SOC 1 reports from these vendors should be reviewed for exceptions that affect your institution's internal controls over financial reporting (relevant for SOX). A SOC 1 covers only controls relevant to financial reporting; the vendor's SOC 2 report covers security, availability, and confidentiality controls and should be reviewed by the Information Security Officer alongside it. nCino, Salesforce Financial Services Cloud, and Bloomberg Terminal are additional vendors that frequently fall into the critical or significant category.