
Third-Party Risk Management in Financial and Regulatory Sectors

Key Takeaways

  • Third-party risk management is a critical discipline for financial institutions, helping them govern vendor relationships across the full lifecycle while meeting increasingly stringent regulatory expectations.
  • Financial institutions face significant exposure from third-party dependencies, including cyber risk, operational disruption, concentration risk, and regulatory accountability for vendor failures.
  • Regulatory frameworks such as DORA, the EBA Guidelines, OCC/FRB/FDIC Interagency Guidance, and PRA SS2/21 require structured oversight of outsourcing and third-party relationships.
  • Effective TPRM programs rely on core capabilities including vendor inventory management, risk-based tiering, due diligence, contractual controls, continuous monitoring, and exit planning.
  • DORA has introduced particularly detailed requirements around ICT third-party risk, including Registers of Information, mandatory contract provisions, concentration risk monitoring, and incident reporting obligations.
  • Common challenges include managing large vendor populations, meeting overlapping regulatory requirements across jurisdictions, and maintaining audit-ready evidence for supervisory reviews.
  • GRC platforms help organizations address these challenges by centralizing vendor data, automating assessments and monitoring workflows, and supporting regulatory reporting and audit readiness.

Why Third-Party Risk Management Is Critical in Financial Services

Third-party risk management in financial and regulatory sectors is the discipline through which regulated financial institutions govern vendor and outsourcing relationships across the full engagement lifecycle, from pre-contract due diligence to exit planning, in conformance with prescriptive requirements set by authorities including DORA, the EBA, the OCC, and the PRA.

Financial institutions have long depended on external providers for functions that are central to daily operations: payment processing, core banking infrastructure, cloud hosting, fraud detection, and more. That dependency is not incidental. It is structural, and it carries significant risk implications for the institutions that regulators hold accountable.

The exposure is visible in the data. According to the Ncontracts 2025 Third-Party Risk Management Survey, nearly half of financial institutions experienced a vendor-related cyber incident in the prior year. The same survey found that 73% of institutions have two or fewer full-time employees managing vendor risk, even as more than half oversee portfolios of 300 or more vendors. That imbalance between risk volume and program capacity is a defining feature of the current operating environment.

Beyond cybersecurity exposure, financial institutions face several interconnected risk categories that make TPRM a strategic priority:

  • High dependency on ICT and outsourced services: Core functions, including settlement, data management, and customer-facing platforms, are routinely delivered by third parties, meaning a provider's outage or breach can become the institution's operational crisis.
  • Systemic concentration risk: A small number of infrastructure providers, particularly hyperscale cloud providers, serve large portions of the financial sector simultaneously. Disruption to a single provider can ripple across institutions and, in extreme cases, threaten financial stability.
  • Regulatory scrutiny and enforcement history: Financial regulators across the US, EU, and UK have progressively strengthened TPRM requirements following high-profile third-party incidents and supervisory reviews that found material gaps in vendor oversight programs.
  • Reputational and customer impact: When a third party fails to deliver, the customer experience damage falls on the regulated institution. Regulatory accountability follows the same path.

Key Regulatory Requirements for TPRM in Financial Services

The regulatory landscape for financial sector TPRM is unusually dense. Institutions operating across jurisdictions must satisfy multiple overlapping frameworks simultaneously, each with its own scope definitions, documentation standards, and supervisory expectations. The core frameworks in force are set out below.

  • DORA (EU Regulation 2022/2554): The Digital Operational Resilience Act, effective from 17 January 2025, establishes the most comprehensive ICT third-party risk framework in EU financial regulation to date. It applies to approximately 22,000 financial entities across the EU and imposes requirements across five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management, and cyber threat information sharing. For third-party risk specifically, DORA requires a maintained Register of Information covering all ICT arrangements, mandatory contractual provisions under Article 30, pre-contractual due diligence for critical or important functions, concentration risk monitoring, and exit strategy planning.
  • EBA Guidelines on Outsourcing Arrangements: The European Banking Authority's outsourcing guidelines require EU credit institutions and investment firms to maintain a register of all outsourcing arrangements, conduct risk assessments before entering into new arrangements, and ensure contracts include provisions covering audit rights, data security, business continuity, and subcontracting chains. EBA consultation papers published in July 2025 propose extending these requirements beyond ICT and outsourcing to a broader set of third-party arrangements.
  • OCC/Federal Reserve/FDIC Interagency Guidance (2023): The US federal banking agencies issued joint final guidance on 6 June 2023, replacing each agency's prior individual guidance and establishing a unified, risk-based framework for all banking organizations they supervise. The guidance covers the full third-party relationship lifecycle, from planning and due diligence through ongoing monitoring to termination, and emphasizes that a bank's use of a third party does not diminish its own regulatory obligations.
  • PRA Supervisory Statement SS2/21 (UK): The Bank of England's Prudential Regulation Authority sets detailed expectations for outsourcing and third-party risk in regulated firms, including requirements for written policies, risk assessments, contractual provisions, and supervisory notification for material outsourcing arrangements.

The table below compares the four frameworks across their key TPRM dimensions.

| Regulation | Jurisdiction | Scope | Key TPRM Requirements |
| --- | --- | --- | --- |
| DORA (Regulation EU 2022/2554) | European Union | ~22,000 financial entities and their ICT service providers | Register of Information; Article 30 contractual clauses; CTPP oversight; incident reporting; exit planning |
| EBA Guidelines on Outsourcing | European Union | EU credit institutions and investment firms | Outsourcing register; risk assessments; audit rights; subcontracting controls |
| OCC/FRB/FDIC Interagency Guidance | United States | All federally supervised banking organizations | Risk-based due diligence; lifecycle management; fintech relationship oversight |
| PRA SS2/21 | United Kingdom | PRA-regulated banks and insurers | Material outsourcing notification; written policies; contractual minimum standards |

Core Components of a TPRM Program for Financial Institutions

A TPRM program designed to satisfy regulatory expectations across these frameworks shares a common set of structural components, regardless of the institution's size or geographic footprint. The specific depth of each component will vary with the risk profile of the institution and its vendor relationships, but all of the following must be present in a defensible program.

The core components that regulators across all major frameworks expect to find include:

  • Third-party inventory and classification: A complete, maintained register of all vendor relationships, categorized by function type, data access, and potential impact on critical services. Under DORA, this register must be submitted to the relevant competent authority in a prescribed format.
  • Risk-based due diligence tiering: Not all vendors warrant the same depth of assessment. Institutions must apply enhanced due diligence to vendors that support critical functions, and establish documented criteria for how tiering decisions are made and reviewed.
  • Contractual minimum standards: Agreements with critical vendors must include provisions covering information security requirements, audit and inspection rights, incident notification obligations, subcontracting controls, and exit assistance. DORA's Article 30 specifies these requirements in considerable detail for ICT arrangements.
  • Concentration risk monitoring: Institutions must identify where reliance on a single provider, or a small group of providers serving the same function, creates systemic exposure. ECB supervisory data indicates that more than 30% of total outsourcing spend at significant EU banks is concentrated on just ten providers, a figure that DORA's CTPP oversight regime directly targets.
  • Ongoing performance and risk monitoring: Due diligence conducted at contract inception does not satisfy the continuous monitoring obligations set by DORA, the EBA, or US interagency guidance. Programs must include periodic reassessment, incident tracking, and real-time or near-real-time monitoring for material changes in a vendor's risk profile.
  • Exit and substitutability planning: Institutions must document how they would transition away from a critical provider in a disorderly scenario, including the timelines, dependencies, and operational costs involved.

TPRM Obligations Under DORA

DORA deserves separate treatment given the specificity and enforcement weight of its third-party provisions. Financial entities subject to DORA must address the following obligations in their ICT vendor management programs.

  • Register of Information requirements: Financial entities must maintain a complete register of all contractual arrangements with ICT third-party service providers, covering both critical and non-critical functions. The register must be submitted to the relevant national competent authority on request and on a scheduled basis. The required data fields, set out in the Implementing Technical Standards, are specific: institutions must record contract dates, service descriptions, data locations, subcontracting chains, and concentration risk indicators.
  • Pre-contractual due diligence for ICT providers: Before entering into any new arrangement supporting a critical function, financial entities must assess the ICT provider's security practices, financial stability, business continuity capability, and regulatory compliance history. This assessment must be documented and retained.
  • Contractual clauses mandatory under DORA: Article 30 specifies a list of provisions that every ICT contract supporting a critical function must contain. These include: full service level descriptions, data security and access control requirements, incident notification timelines, cooperation with supervisory examinations, audit rights for the financial entity and its competent authority, termination rights, and exit assistance obligations. Contracts that predate January 2025 and lack these clauses are non-compliant and must be remediated at the next renewal opportunity.
  • Critical Third-Party Provider (CTPP) oversight framework: DORA establishes a direct oversight regime for ICT providers designated as critical. In November 2025, the Joint Committee of the European Supervisory Authorities published the first list of 19 designated CTPPs, including major cloud infrastructure providers. Financial entities that rely on a CTPP for critical functions must assess their concentration exposure to that provider and document their mitigation measures.
  • Incident reporting obligations related to ICT third parties: Major ICT-related incidents, including those caused by or involving a third party, must be reported to the relevant competent authority within defined timelines. DORA distinguishes between initial notification, intermediate reports, and final reports, each with specific content requirements.

How to Build a Regulation-Ready TPRM Program

Building a TPRM program that holds up under supervisory review requires more than completing a checklist at contract inception. The following steps reflect what regulators across the DORA, EBA, and US interagency guidance frameworks expect to find in a mature, defensible program.

Step 1: Establish a Complete Third-Party Inventory. Begin by identifying every vendor, service provider, and outsourced function across the institution, including subsidiaries and business lines that may manage their own vendor relationships outside a central program. Without a complete inventory, risk tiering and concentration analysis are unreliable. Regulators routinely find gaps between a firm's self-reported vendor count and the actual scope of arrangements during supervisory examinations.

Step 2: Define and Apply a Risk Tiering Framework. Once the inventory is complete, classify each vendor according to the criticality of the function they support, the sensitivity of the data they access, and the substitutability of their services. Tiering criteria must be documented and consistently applied. Critical function vendors attract the highest due diligence requirements and ongoing monitoring intensity.

Step 3: Conduct Tiered Due Diligence Before Contract Execution. For vendors in the highest tiers, due diligence must go beyond a standard questionnaire. Financial institutions are expected to assess information security controls, business continuity plans, financial stability, subcontracting arrangements, and regulatory compliance history. Under DORA and EBA guidelines, this assessment must be completed before a new arrangement for a critical function is entered into, not retrospectively.

Step 4: Build Regulatory Requirements Into Contract Templates. Work with legal and compliance teams to embed DORA Article 30 clauses, EBA-required provisions, and applicable US regulatory expectations into standard contract templates for each vendor tier. Audit rights, incident notification timelines, data security standards, subcontracting approval requirements, and exit assistance obligations must all be addressed explicitly. Existing contracts that lack these provisions should be flagged for remediation at renewal.

Step 5: Implement Continuous Monitoring With Defined Escalation Triggers. Periodic reassessment cycles, typically annual for critical vendors and less frequent for lower-tier relationships, must be supplemented by ongoing monitoring that can detect material changes between scheduled reviews. Monitoring indicators should include financial health signals, security incident notifications, regulatory actions against the vendor, and changes in subcontracting arrangements. Escalation triggers and the actions they require must be documented.

Step 6: Maintain Audit-Ready Evidence Throughout the Relationship Lifecycle. Supervisory examinations in financial services are not announced with significant lead time. TPRM programs must be in a state of continuous audit readiness, with evidence of due diligence, contract compliance checks, monitoring activity, and risk assessment updates accessible and organized. Competent authorities under DORA are entitled to direct access to the Register of Information and supporting documentation.
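As an added illustration of Steps 2, 4 and 5 above (this is example code written for this page, not MetricStream's product and not the DORA ITS register schema), the following runs a tiering rule, an Article 30 clause-gap check and a subcontractor-aware concentration check over a small constructed register of ICT arrangements. The field names, the tier rules, the clause labels and the 30% escalation threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Clauses this page lists as mandatory under Article 30 for contracts supporting
# critical or important functions. The short labels are our own, not the Regulation's.
ARTICLE_30_CLAUSES = frozenset({
    "service_levels", "data_security", "incident_notification",
    "supervisory_cooperation", "audit_rights", "termination_rights", "exit_assistance",
})
DORA_APPLICATION_DATE = date(2025, 1, 17)   # date DORA applied from (stated on this page)
CONCENTRATION_THRESHOLD = 0.30              # assumed escalation trigger, not a DORA figure


@dataclass(frozen=True)
class Arrangement:
    """One row of a register of ICT arrangements (field names are assumptions)."""
    vendor: str
    function: str
    critical: bool              # supports a critical or important function
    data_sensitivity: str       # "public" | "internal" | "confidential" | "personal"
    substitutable: bool         # could be replaced within the documented exit timeline
    contract_start: date
    clauses: frozenset          # Article 30 clauses actually present in the contract
    subcontractors: tuple = ()  # subcontracting chain declared by the vendor


def tier(a: Arrangement) -> int:
    """Assumed tiering rule: 1 = critical and hard to replace, 2 = critical or
    sensitive data, 3 = everything else. Tier 1 gets the deepest due diligence."""
    if a.critical and not a.substitutable:
        return 1
    if a.critical or a.data_sensitivity in ("confidential", "personal"):
        return 2
    return 3


def missing_article_30_clauses(a: Arrangement) -> frozenset:
    """Clauses a critical-function contract lacks; non-critical contracts return empty."""
    return ARTICLE_30_CLAUSES - a.clauses if a.critical else frozenset()


def remediation_status(a: Arrangement) -> str:
    """Legacy contracts are flagged for renewal; a contract signed after DORA applied
    without the clauses is an immediate finding rather than a renewal item."""
    missing = missing_article_30_clauses(a)
    if not missing:
        return "compliant"
    if a.contract_start < DORA_APPLICATION_DATE:
        return "legacy: remediate at next renewal"
    return "non-compliant: new contract signed without mandatory clauses"


def concentration(register) -> dict:
    """Share of critical functions each provider supports, counting a provider both
    where it is the direct vendor and where it sits in another vendor's subcontracting
    chain (which is where cloud-provider concentration usually hides)."""
    critical = [a for a in register if a.critical]
    counts = defaultdict(int)
    for a in critical:
        for provider in {a.vendor, *a.subcontractors}:
            counts[provider] += 1
    return {p: c / len(critical) for p, c in counts.items()} if critical else {}


def concentration_flags(register, threshold=CONCENTRATION_THRESHOLD) -> list:
    """Providers whose share of critical functions meets the escalation threshold."""
    return sorted(p for p, s in concentration(register).items() if s >= threshold)


def gap_report(register) -> dict:
    """Summarise tiering, clause gaps and concentration findings for the audit file."""
    return {
        "tiers": {a.vendor: tier(a) for a in register},
        "clause_gaps": {a.vendor: sorted(missing_article_30_clauses(a))
                        for a in register if missing_article_30_clauses(a)},
        "remediation": {a.vendor: remediation_status(a) for a in register},
        "concentration_flags": concentration_flags(register),
    }


# Constructed sample register; the vendors and contracts are fictional.
FULL = ARTICLE_30_CLAUSES
REGISTER = (
    Arrangement("CoreBank SaaS", "core banking", True, "personal", False,
                date(2023, 5, 1), FULL - {"exit_assistance", "supervisory_cooperation"},
                ("CloudCo",)),
    Arrangement("PayHub", "payment processing", True, "personal", True,
                date(2025, 3, 1), FULL, ("CloudCo",)),
    Arrangement("FraudSense", "fraud detection", True, "confidential", True,
                date(2025, 6, 1), FULL - {"audit_rights"}),
    Arrangement("CloudCo", "cloud hosting", True, "confidential", False,
                date(2024, 1, 1), FULL),
    Arrangement("OfficeSupply", "stationery", False, "public", True,
                date(2022, 1, 1), frozenset()),
)

if __name__ == "__main__":
    for key, value in gap_report(REGISTER).items():
        print(f"{key}: {value}")
```

On this register CloudCo is never the largest direct contract, yet it sits behind three of the four critical functions once subcontracting chains are counted, which is the kind of finding the Register of Information's subcontracting fields exist to surface.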

Managing regulatory TPRM obligations across DORA, EBA, and US interagency frameworks demands program infrastructure that most institutions cannot build through manual processes alone.

Challenges of TPRM in Regulated Financial Sectors

Despite the clarity of regulatory expectations, financial institutions consistently encounter a set of structural challenges that limit program effectiveness. Understanding these challenges is a prerequisite for addressing them.

  • Volume and complexity of vendor relationships across business lines: Large financial institutions maintain thousands of vendor relationships, often managed across business lines with different risk tolerances, contract templates, and assessment processes. Achieving a consolidated, accurate, and current view of vendor risk across the enterprise is a significant operational challenge, particularly where subsidiary or business line programs operate outside a central governance structure.
  • Meeting overlapping requirements from multiple regulators simultaneously: An institution operating across the EU, UK, and US must satisfy DORA, EBA guidelines, PRA SS2/21, and OCC/FRB/FDIC interagency guidance at the same time. These frameworks share common principles but differ in scope definitions, documentation standards, contractual requirements, and reporting timelines. Mapping each vendor relationship to its applicable regulatory obligations, and maintaining that mapping as regulations evolve, is a persistent compliance challenge.
  • Maintaining audit-ready evidence for supervisory reviews: Regulators do not merely expect institutions to have TPRM programs in place. They expect evidence of how those programs operate: due diligence outputs, risk assessment records, contract compliance documentation, monitoring activity logs, and escalation histories. Assembling that evidence on demand, across hundreds or thousands of vendor relationships, is difficult without a centralized system of record purpose-built for this function.

How GRC Platforms Support Regulated TPRM Programs

Purpose-built GRC platforms address the structural limitations of manual and fragmented TPRM operations by centralizing program management and automating the workflows that regulators expect to see executed consistently. 

  • Centralized third-party register aligned to DORA and EBA requirements: A GRC platform provides a single system of record for all vendor relationships, with data fields mapped to the specific requirements of the Register of Information under DORA and the outsourcing registers required by EBA guidelines. Centralization eliminates the fragmentation that makes enterprise-level concentration risk analysis unreliable, and ensures that the institution's vendor inventory is the same one that regulatory reporting draws from.
  • Automated due diligence workflows with risk tiering logic: Platforms enable institutions to build their tiering criteria into automated workflows that route each new vendor through the appropriate due diligence track based on function criticality and data access. Assessment questionnaires, document requests, and risk scoring are standardized across the program, reducing variability and ensuring that the depth of assessment is proportionate to the risk the vendor presents.
  • Continuous monitoring and incident escalation: Rather than relying on scheduled review cycles alone, GRC platforms can ingest monitoring signals from internal and external sources, flag material changes in a vendor's risk profile, and route escalations to the appropriate risk owner. Regulatory incident reporting workflows, including the multi-stage reporting timelines required under DORA, can be built into the platform to reduce the operational burden of compliance during a live incident.
  • Regulatory reporting and audit evidence management: Platforms maintain a structured, time-stamped record of every due diligence activity, risk assessment, contract review, and monitoring event across the vendor lifecycle. When supervisors request documentation, the institution can produce it from a single source rather than reconstructing it from emails, spreadsheets, and file directories.

How MetricStream Supports TPRM in Financial and Regulatory Sectors

MetricStream's Third-Party Risk Management solution provides financial institutions with a purpose-built platform for managing the full vendor relationship lifecycle under DORA, EBA, and US interagency requirements. The platform supports vendor inventory management, risk-based due diligence tiering, contractual compliance tracking, and continuous monitoring, with workflows configurable to the specific documentation and reporting standards each regulatory framework demands. Institutions using the solution can maintain their Register of Information in a format aligned to DORA's ITS data field requirements and generate regulatory reporting outputs directly from the platform.

For institutions with obligations under DORA's operational resilience provisions, MetricStream's Operational Resilience solution supports concentration risk analysis, exit strategy documentation, and impact tolerance mapping for critical vendor relationships. These capabilities address the substitutability and resilience planning obligations that DORA and PRA SS2/21 impose on institutions that depend on a small number of critical ICT providers for core functions.

MetricStream's Internal Audit Management solution complements the TPRM program by supporting supervisory examination readiness. Audit evidence, vendor assessment records, and control documentation are maintained in a structured, accessible format that can be produced on demand during regulatory review. For institutions that face supervisory examinations from multiple authorities simultaneously, the ability to draw on a single, authoritative record of TPRM program activity is a material operational advantage.


Step 2: Define and Apply a Risk Tiering Framework. Once the inventory is complete, classify each vendor according to the criticality of the function they support, the sensitivity of the data they access, and the substitutability of their services. Tiering criteria must be documented and consistently applied. Critical function vendors attract the highest due diligence requirements and ongoing monitoring intensity.

Step 3: Conduct Tiered Due Diligence Before Contract Execution. For vendors in the highest tiers, due diligence must go beyond a standard questionnaire. Financial institutions are expected to assess information security controls, business continuity plans, financial stability, subcontracting arrangements, and regulatory compliance history. Under DORA and EBA guidelines, this assessment must be completed before a new arrangement for a critical function is entered into, not retrospectively.

Step 4: Build Regulatory Requirements Into Contract Templates. Work with legal and compliance teams to embed DORA Article 30 clauses, EBA-required provisions, and applicable US regulatory expectations into standard contract templates for each vendor tier. Audit rights, incident notification timelines, data security standards, subcontracting approval requirements, and exit assistance obligations must all be addressed explicitly. Existing contracts that lack these provisions should be flagged for remediation at renewal.

Step 5: Implement Continuous Monitoring With Defined Escalation Triggers. Periodic reassessment cycles, typically annual for critical vendors and less frequent for lower-tier relationships, must be supplemented by ongoing monitoring that can detect material changes between scheduled reviews. Monitoring indicators should include financial health signals, security incident notifications, regulatory actions against the vendor, and changes in subcontracting arrangements. Escalation triggers and the actions they require must be documented.

Step 6: Maintain Audit-Ready Evidence Throughout the Relationship Lifecycle. Supervisory examinations in financial services are not announced with significant lead time. TPRM programs must be in a state of continuous audit readiness, with evidence of due diligence, contract compliance checks, monitoring activity, and risk assessment updates accessible and organized. Competent authorities under DORA are entitled to direct access to the Register of Information and supporting documentation.
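As an added example, not MetricStream's code and not any real Register of Information schema, the following Python sketch runs three of the checks described above over a constructed register: the tiering criteria from Step 2, the Article 30 clause gap check from Step 4 (with the pre-2025 remediation rule), and the concentration analysis from Step 1, following subcontracting chains so that a provider hidden behind another vendor is still counted. The field set, the three-tier scale and the clause names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
# Provisions Article 30 requires in every contract supporting a critical function (names follow the page).
ARTICLE_30_CLAUSES = {"service_levels", "data_security", "incident_notification", "supervisory_cooperation",
                      "audit_rights", "termination_rights", "exit_assistance"}
DORA_APPLICATION_DATE = date(2025, 1, 17)

@dataclass
class Arrangement:
    """One register entry (assumed subset of ITS fields; the data_sensitivity scale is an assumption)."""
    provider: str
    function: str
    critical: bool                 # supports a critical or important function
    data_sensitivity: int          # 0 = public ... 3 = regulated customer or financial data
    substitutable: bool            # could be replaced within the institution's impact tolerance
    contract_start: date
    clauses: set = field(default_factory=set)
    subcontractors: list = field(default_factory=list)

def tier(a: Arrangement) -> int:
    """Assumed three-tier scheme (1 = highest) built from criticality, data sensitivity and substitutability."""
    if a.critical and (not a.substitutable or a.data_sensitivity == 3):
        return 1
    return 2 if a.critical or a.data_sensitivity >= 2 else 3

def article30_gaps(a: Arrangement) -> set:
    """Mandatory clauses missing from a critical-function contract; empty when compliant or out of scope."""
    return ARTICLE_30_CLAUSES - a.clauses if a.critical else set()

def contract_status(a: Arrangement) -> str:
    """Pre-2025 contracts with gaps are remediated at renewal; later ones with gaps are simply non-compliant."""
    if not article30_gaps(a):
        return "compliant"
    return "remediate_at_renewal" if a.contract_start < DORA_APPLICATION_DATE else "non_compliant"

def concentration(register: list) -> dict:
    """Share of critical-function arrangements depending on each provider, following subcontracting chains."""
    critical = [a for a in register if a.critical]
    counts: dict = {}
    for a in critical:
        for p in {a.provider, *a.subcontractors}:   # set: count a provider once per arrangement
            counts[p] = counts.get(p, 0) + 1
    return {p: n / len(critical) for p, n in counts.items()}
REGISTER = [  # constructed sample register, not real vendors
    Arrangement("CloudCo", "core banking hosting", True, 3, False, date(2023, 6, 1),
                {"service_levels", "data_security", "audit_rights"}),
    Arrangement("PayCo", "payment processing", True, 3, True, date(2025, 3, 1), set(ARTICLE_30_CLAUSES), ["CloudCo"]),
    Arrangement("FraudCo", "fraud detection", True, 2, True, date(2024, 1, 1), set(ARTICLE_30_CLAUSES), ["CloudCo"]),
    Arrangement("PrintCo", "statement printing", False, 1, True, date(2022, 1, 1)),
]
```

On this sample, every critical function ultimately depends on CloudCo even though only one contract names it directly, which is the kind of exposure a register that ignores subcontracting chains would not surface.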

Managing regulatory TPRM obligations across DORA, EBA, and US interagency frameworks demands program infrastructure that most institutions cannot build through manual processes alone.

Despite the clarity of regulatory expectations, financial institutions consistently encounter a set of structural challenges that limit program effectiveness. Understanding these challenges is a prerequisite for addressing them.

  • Volume and complexity of vendor relationships across business lines: Large financial institutions maintain thousands of vendor relationships, often managed across business lines with different risk tolerances, contract templates, and assessment processes. Achieving a consolidated, accurate, and current view of vendor risk across the enterprise is a significant operational challenge, particularly where subsidiary or business line programs operate outside a central governance structure.
  • Meeting overlapping requirements from multiple regulators simultaneously: An institution operating across the EU, UK, and US must satisfy DORA, EBA guidelines, PRA SS2/21, and OCC/FRB/FDIC interagency guidance at the same time. These frameworks share common principles but differ in scope definitions, documentation standards, contractual requirements, and reporting timelines. Mapping each vendor relationship to its applicable regulatory obligations, and maintaining that mapping as regulations evolve, is a persistent compliance challenge.
  • Maintaining audit-ready evidence for supervisory reviews: Regulators do not merely expect institutions to have TPRM programs in place. They expect evidence of how those programs operate: due diligence outputs, risk assessment records, contract compliance documentation, monitoring activity logs, and escalation histories. Assembling that evidence on demand, across hundreds or thousands of vendor relationships, is difficult without a centralized system of record purpose-built for this function.

Purpose-built GRC platforms address the structural limitations of manual and fragmented TPRM operations by centralizing program management and automating the workflows that regulators expect to see executed consistently.

  • Centralized third-party register aligned to DORA and EBA requirements: A GRC platform provides a single system of record for all vendor relationships, with data fields mapped to the specific requirements of the Register of Information under DORA and the outsourcing registers required by EBA guidelines. Centralization eliminates the fragmentation that makes enterprise-level concentration risk analysis unreliable, and ensures that the institution's vendor inventory is the same one that regulatory reporting draws from.
  • Automated due diligence workflows with risk tiering logic: Platforms enable institutions to build their tiering criteria into automated workflows that route each new vendor through the appropriate due diligence track based on function criticality and data access. Assessment questionnaires, document requests, and risk scoring are standardized across the program, reducing variability and ensuring that the depth of assessment is proportionate to the risk the vendor presents.
  • Continuous monitoring and incident escalation: Rather than relying on scheduled review cycles alone, GRC platforms can ingest monitoring signals from internal and external sources, flag material changes in a vendor's risk profile, and route escalations to the appropriate risk owner. Regulatory incident reporting workflows, including the multi-stage reporting timelines required under DORA, can be built into the platform to reduce the operational burden of compliance during a live incident.
  • Regulatory reporting and audit evidence management: Platforms maintain a structured, time-stamped record of every due diligence activity, risk assessment, contract review, and monitoring event across the vendor lifecycle. When supervisors request documentation, the institution can produce it from a single source rather than reconstructing it from emails, spreadsheets, and file directories.


MetricStream's Third-Party Risk Management solution provides financial institutions with a purpose-built platform for managing the full vendor relationship lifecycle under DORA, EBA, and US interagency requirements. The platform supports vendor inventory management, risk-based due diligence tiering, contractual compliance tracking, and continuous monitoring, with workflows configurable to the specific documentation and reporting standards each regulatory framework demands. Institutions using the solution can maintain their Register of Information in a format aligned to DORA's ITS data field requirements and generate regulatory reporting outputs directly from the platform.

For institutions with obligations under DORA's operational resilience provisions, MetricStream's Operational Resilience solution supports concentration risk analysis, exit strategy documentation, and impact tolerance mapping for critical vendor relationships. These capabilities address the substitutability and resilience planning obligations that DORA and PRA SS2/21 impose on institutions that depend on a small number of critical ICT providers for core functions.

MetricStream's Internal Audit Management solution complements the TPRM program by supporting supervisory examination readiness. Audit evidence, vendor assessment records, and control documentation are maintained in a structured, accessible format that can be produced on demand during regulatory review. For institutions that face supervisory examinations from multiple authorities simultaneously, the ability to draw on a single, authoritative record of TPRM program activity is a material operational advantage.


Frequently Asked Questions

Third-party risk management in financial services is the set of policies, processes, and controls through which regulated institutions identify, assess, and monitor risks arising from vendors and outsourced functions. Regulators hold institutions accountable for third-party failures to the same extent as for failures in internally managed operations.

The primary frameworks are DORA (EU, effective January 2025), EBA Guidelines on Outsourcing Arrangements, the OCC/Federal Reserve/FDIC Interagency Guidance issued in June 2023, and PRA Supervisory Statement SS2/21 in the UK. Institutions operating across jurisdictions must satisfy several of these simultaneously.

DORA requires EU financial entities to maintain a Register of Information for all ICT arrangements, conduct pre-contractual due diligence for critical functions, embed mandatory contractual clauses under Article 30, monitor concentration risk, and report ICT-related incidents within defined timelines. All obligations have applied since 17 January 2025.

Concentration risk arises when an institution depends heavily on a single provider or a small group of providers for critical functions. A disruption to that provider can cascade across multiple institutions. DORA addresses this directly through its Critical Third-Party Provider oversight regime and mandatory concentration risk monitoring requirements.

Tiering is based on the criticality of the function a vendor supports, the sensitivity of data they access, and how easily they could be replaced. Vendors supporting critical functions receive enhanced due diligence and more intensive ongoing monitoring. Tiering criteria must be documented and applied consistently across the institution.

Regulators expect contracts with critical vendors to include service level descriptions, data security requirements, audit and inspection rights, incident notification obligations, subcontracting controls, termination rights, and exit assistance provisions. DORA's Article 30 sets out these requirements in the most prescriptive detail currently in force across any major jurisdiction.

The June 2023 guidance replaced each agency's prior individual guidance and established a single, risk-based framework for all federally supervised banking organizations. It covers the full third-party lifecycle, clarifies expectations for fintech partnerships, and reaffirms that outsourcing an activity does not reduce a bank's regulatory accountability.

A CTPP is an ICT provider designated as systemically important to the EU financial sector by the Joint Committee of the European Supervisory Authorities. In November 2025, 19 providers received this designation. Financial entities relying on a CTPP for critical functions face enhanced concentration monitoring obligations and must cooperate with the provider's direct ESA oversight process.

Audit readiness requires due diligence records, risk assessments, contract compliance documentation, and monitoring logs to be maintained in an accessible format throughout the vendor lifecycle, not assembled reactively when a supervisory review is announced. Institutions subject to DORA must also be able to produce their Register of Information to competent authorities on request.

MetricStream's Third-Party Risk Management solution supports vendor inventory management, risk-based due diligence tiering, contract compliance tracking, continuous monitoring, and regulatory reporting aligned to DORA and EBA requirements. It integrates with MetricStream's Operational Resilience and Internal Audit Management solutions to address concentration risk and supervisory examination readiness.
