Community Banks, Cybersecurity
Third-Party Risk Management for Community Banks: A Practical Checklist
By: Chris Griesemer
Every community bank uses outside vendors. Core banking. Payments. Cybersecurity. Loan platforms. The list adds up fast.
Regulators know this. And they expect you to have a process for managing the risk that comes with it. If you do not, your next exam is going to tell you so.
Here is what a practical vendor management program actually looks like. No theory. Just the steps that matter.
Step 1: Get a Complete Vendor Inventory
You cannot manage what you have not identified. Start here.
Go through your accounts payable, your IT contracts, and your operations team's list of tools. Build a complete picture of every third party that has any kind of access to your systems, your data, or your customers. At minimum, that includes:
- Core banking system providers
- Payment processors and card networks
- IT support, cloud hosting, and cybersecurity vendors
- Compliance and BSA/AML software providers
- Loan origination and servicing platforms
- Any vendor with access to customer data or bank systems
Assign someone ownership of this list. Build a check into your calendar a couple of times a year to make sure it stays current. Vendors change, contracts end, and new tools get added without anyone updating the inventory. An outdated list creates gaps you may not find until an examiner does.
A spreadsheet works fine for smaller banks. The format does not matter much. What matters is that it exists, it is accurate, and someone is responsible for keeping it that way.
Step 2: Rate the Risk for Each Vendor
Not every vendor on that list deserves the same level of attention. Your Vendor Management Policy should include a risk rating framework. Most banks use something like Low, Moderate, and High or Critical.
The rating matters because it determines how much due diligence you do, how often you review the relationship, and how much documentation you need to maintain. It drives the whole program.
A vendor generally lands in the Critical category if it:
- Has access to sensitive customer data or nonpublic personal information
- Supports critical banking operations in a way that, if disrupted, would significantly impact the bank's ability to serve customers
- Processes payments or moves funds on behalf of the bank
One thing banks sometimes get wrong is treating the risk rating as a one-time decision. It is not. A vendor you rated as Low two years ago may have expanded access to your systems since then. Revisit the ratings periodically and update them when the relationship changes.
Here is how the rating typically maps to review frequency:
- Critical / High — Core systems, payment processors, cybersecurity providers → Annual review
- Moderate — Marketing firms, vendors with limited system access → Every 1–2 years
- Low — Janitorial, landscaping, office supplies → Every 2–3 years or as needed
Step 3: Do the Due Diligence Before You Sign
Before you bring on a new vendor, especially one that ends up in the Critical or High category, you need to collect some basic documentation and actually review it. This is your due diligence, and it is what protects you when something goes wrong down the road.
For any new vendor, gather at minimum:
- SOC 1 or SOC 2 report (read the exceptions and findings, not just the auditor's opinion)
- If the vendor does not have a SOC report, request an alternative such as a recent security assessment or completed security questionnaire, and document why a SOC report was not available
- Financial statements or other evidence they are financially stable
- Insurance certificates covering cyber liability, errors and omissions, and general liability
- Business continuity and disaster recovery plan
- Information security policy
- References from other banks or financial institutions they work with
Write down what you collected and when. Note anything that gave you pause and how you resolved it. The point is not just to gather documents. It is to actually understand who you are working with and whether they can do the job safely.
If a regulator asks how you vetted a vendor, you should be able to walk them through it. A folder with documents and no notes is harder to defend than a folder that shows you actually looked at what was in it.
Step 4: Review the Contract Before You Sign It
A lot of banks accept vendor contracts as they come. That is a mistake, especially for Critical vendors.
The contract is what you fall back on when something goes sideways. Make sure it actually covers the things that matter. For any Critical vendor, check for:
- Right to audit or examine the vendor's controls
- Clear data ownership rights and requirements for data return or destruction when the contract ends
- Disclosure of subcontractors or fourth parties who will have access to your data
- Incident notification timelines that are consistent with your regulatory obligations
- Business continuity and recovery obligations on the vendor's part
- Clear termination rights and a workable exit process
If something is missing, ask for it. Vendors expect negotiation on contract terms. If they will not move, document why you accepted the contract without the provision and why the risk is still manageable. Have legal counsel take a look at Critical vendor contracts, especially at renewal time or when the scope of the relationship has changed.
Step 5: Do Not Skip the Annual Review for Critical Vendors
This is where a lot of vendor management programs fall apart. The onboarding is solid, the file looks good, and then nothing happens for two or three years.
Your Vendor Management Policy almost certainly requires that Critical vendors be reviewed at least annually. That requirement exists for a reason. Things change. Vendors get acquired. Security incidents happen. Financial conditions shift. An annual review is how you catch those changes before they become your problem.
The review does not need to be a huge project. It needs to be consistent and documented. Each year, for every Critical vendor, work through this:
- Pull and review the updated SOC report, paying attention to any new exceptions or findings
- Check on the vendor's financial health, especially for smaller providers
- Look for any reported incidents, data breaches, or regulatory actions involving the vendor
- Review contract terms and flag any upcoming renewals or changes in scope
- Assess whether the vendor is actually meeting their service level commitments
- Revisit the risk rating to confirm it still reflects the current relationship
Put it on the compliance calendar at the start of each year. Assign it to someone. Set a deadline. Treat it like any other regulatory requirement, because it is one. An outdated vendor file for a Critical vendor is a finding waiting to happen.
Step 6: Keep the Documentation Current
A solid vendor management program that is not documented is very hard to defend in an exam. Examiners want to see evidence of what you did, not just hear about it.
For each vendor, keep a file that includes:
- The risk rating and how you determined it
- Due diligence documents collected and the date you got them
- The current contract and any amendments
- Annual review workpapers for each completed review cycle
- Board or management approval where your policy requires it
Set up a consistent folder structure and use it the same way every time. When an examiner asks to see your vendor files, your team should be able to pull them quickly. A disorganized vendor file raises questions. A clean, well-organized one usually does not.
Examiners are also looking at whether the reviews are actually happening on schedule. If your last annual review for a Critical vendor was 26 months ago, that is going to come up. Dates matter. Keep them visible in the file.
This does not need to be complicated. Consistent and current is what matters.
Bottom Line
Third-party risk management is a regulatory expectation for community banks. That is not going to change. As more bank operations move to outside providers, the scrutiny on those relationships is only going to increase. The banks that get this right are the ones that build a repeatable process and actually follow it.
The good news is that a solid program is not complicated to run. Build the process. Apply it consistently. Make sure your Critical vendors get the annual attention your policy requires. Keep the files current. You do not need a big team or expensive software to do this well.
Start with the inventory, work through the steps, and you will be in good shape when examiners ask. And if you have questions along the way, that is what we are here for.