Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
About This Template
A comprehensive TPRM program that covers the full vendor lifecycle: initial risk tiering and due diligence, contract review, onboarding, ongoing monitoring, and offboarding. Designed to meet OCC Bulletin 2013-29, FFIEC guidance, and financial services regulatory expectations for third-party risk.
Every fintech has vendors. Most fintechs don't have a formal way to assess whether those vendors are going to cause them problems. This kit gives you a risk tiering methodology so you're not doing full due diligence on your coffee supplier, a questionnaire that covers InfoSec, financial stability, business continuity, and compliance, and a scorecard that turns qualitative answers into a defensible risk rating. The offboarding checklist is the part most programs forget — and the part examiners love to ask about.
Who Is This For?
- Your bank partner has asked for your TPRM program documentation and you don't have a formal one yet
- You have a vendor list but no way to distinguish which vendors need deep due diligence vs. a quick review
- An examiner has asked about your third-party risk lifecycle and you need to demonstrate offboarding procedures exist
- You're onboarding AI tools or vendors with significant data access and need OCC Bulletin 2013-29-aligned oversight
- You're a compliance officer managing 20+ vendors without a structured intake, scoring, or monitoring process
Preview
TPRM lifecycle — 6 stages from onboarding through offboarding, mapped to vendor risk tier
Vendor risk tiering framework — Critical, High, Medium-High, Medium, and Low tiers with criteria
Due diligence checklist — 12 categories of questions to ask before onboarding any vendor
AI vendor risk assessment — 8 special questions for AI tools that traditional vendor due diligence misses
Excel template — Vendor Inventory with risk tiers, assessment status, and contract dates
TPRM Dashboard — vendor counts by tier, overdue assessments, and concentration alerts
What's Included
- Vendor risk tiering methodology
- Due diligence questionnaire
- Vendor risk scorecard
- Contract risk review checklist
- Ongoing monitoring templates
- Vendor offboarding checklist
- TPRM program policy template
30-Day Money-Back Guarantee
If this template doesn't meet your expectations, email us within 30 days for a full refund. No questions asked.
Frequently Asked Questions
How does the vendor risk tiering methodology work?
Vendors are tiered based on 4 factors: data access (do they handle customer PII or financial data?), system access (do they have direct access to core systems?), operational criticality (would an outage stop your operations?), and regulatory relevance (are they relevant to specific regulatory obligations?). The tiering output is Critical, High, Medium-High, Medium, or Low — with different due diligence and monitoring requirements for each tier.
What does the due diligence questionnaire cover?
The due diligence questionnaire spans 12 categories: financial stability, information security controls, business continuity, subcontractor management, data handling and privacy, insurance coverage, legal and regulatory compliance, executive leadership stability, concentration risk, incident notification procedures, exit/transition provisions, and AI tool usage. For Critical and High tier vendors, all 12 categories apply; lower tiers use a shorter subset.
Does this meet OCC Bulletin 2013-29 and FFIEC requirements?
Yes. The kit is designed around OCC Bulletin 2013-29 (Third-Party Relationships: Risk Management Guidance), FFIEC IT Examination Handbook guidance, and the interagency guidance on third-party risk from 2023. It covers the full lifecycle OCC expects: due diligence, contract provisions, ongoing monitoring, and termination planning.
What's in the vendor offboarding checklist?
The offboarding checklist covers: data return and deletion confirmation, access revocation (with confirmation that all credentials are disabled), contract termination notice, final invoice reconciliation, transition assistance requirements, regulatory notification (if the vendor is relevant to a regulatory obligation), and a post-offboarding confirmation review. It's the part most TPRM programs forget — and the part examiners love to ask about.
The kit includes 8 special questions for AI vendors — what are they?
The 8 AI-specific questions cover: training data sourcing and bias controls, model explainability documentation, drift monitoring and retraining procedures, incident notification for model failures, regulatory compliance certifications (if any), data handling restrictions for AI training, decision override capabilities, and contractual AI governance obligations. These questions don't appear in traditional TPRM questionnaires but are now expected by bank compliance teams.
How does ongoing monitoring work for Critical and High-tier vendors?
The ongoing monitoring templates include: annual reassessment questionnaire triggers, quarterly financial stability checks (for Critical vendors), continuous alert monitoring setup (news monitoring, credit ratings), contract renewal review checklist, and performance SLA tracking. Monitoring frequency scales by tier — Critical vendors get quarterly reviews; Low vendors need only annual reconfirmation.
Not ready to buy?
Try our free Risk Register first — no payment required.
Download Free Risk Register →
Related Products
New Product Risk Assessment
Structured risk review process for new products, services, and business initiatives.
AI Risk Assessment Template & Guide
Comprehensive AI model governance and risk assessment templates for financial services teams.
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
Ready to Get Started?
Get the Third-Party Risk Management (TPRM) Kit and start building a defensible risk program today.