What is TPRM? Definition and meaning

Navigating Third-Party Risk Management in the United States 

TPRM (Third-Party Risk Management) is the structured process an organisation uses to identify, assess, monitor and manage the risks created by working with external parties, including vendors, suppliers, contractors, consultants, technology providers and outsourced service functions.

A complete TPRM programme runs across the full vendor relationship lifecycle: from pre-onboarding due diligence through continuous in-life monitoring to formal offboarding. It covers cybersecurity risk, financial stability, regulatory compliance, reputational exposure, ESG obligations and fourth-party (sub-vendor) risks simultaneously.

TPRM is most commonly used in regulated industries – financial services, insurance, healthcare, critical infrastructure and professional services – where regulators and regulatory frameworks including the FCA, OCC, EBA and DORA impose explicit, legally binding obligations to manage third-party risk.

Third-Party Risk Management, also known as ‘vendor risk management’, ‘supply chain risk management’ or ‘supplier risk management’, is a vital subset of the broader discipline of risk management.

 

TPRM (Third-Party Risk Management) is the process an organisation uses to identify, assess and control the risks arising from external vendors, suppliers, contractors and service providers across the full relationship lifecycle, from due diligence through continuous monitoring to offboarding.

 

Related: What is supply chain risk management? | Enhanced due diligence explained | Third-party risk management framework

 

What does TPRM stand for?

TPRM stands for Third-Party Risk Management.

Breaking down the term:

  • Third-Party: Any external organisation or individual providing goods, services, data access or operational capability to your organisation. This includes direct vendors, software-as-a-service providers, outsourced operational functions, joint venture partners, professional advisors, cloud infrastructure providers and staffing agencies.
  • Risk Management: The structured discipline of identifying, evaluating, treating and monitoring risks – before a relationship starts, during the engagement and after it ends.

The term appears in several forms across regulatory guidance and industry usage:

Term | Meaning
TPRM | Third-Party Risk Management
VRM | Vendor Risk Management (narrower scope)
TPVRM | Third-Party Vendor Risk Management
3rd party risk management | Informal variant of TPRM
Supplier risk management | Procurement-led variant, typically supply chain focused
Third-party due diligence | The assessment component of TPRM

Related: TPRM vs Vendor Risk Management: Full comparison | What is a Vendor Risk Assessment? | TPRM Questionnaire Guide

Why TPRM matters in 2026

Third parties are now the primary attack surface for data breaches, financial crime and regulatory failure.

61% of data breaches now involve a third party. (IBM Cost of a Data Breach Report 2024) This is not a new trend – it has been rising consistently since 2020 as organisations outsource more critical functions and expand their vendor ecosystems.

60% of global AML fines in 2023 were linked to failures in third-party screening and vendor oversight. Regulators are no longer accepting “we didn’t know” as a defence for vendor-linked compliance failures.

The regulatory environment tightened sharply in 2025. DORA – the Digital Operational Resilience Act came into full force across EU financial services in January 2025 (European Banking Authority), creating binding requirements for ICT third-party risk management, mandatory incident reporting and formal concentration risk controls. The OCC’s Third-Party Relationships Interagency Guidance (OCC Bulletin 2023-17) updated the US framework in the same period, with the FCA’s operational resilience rules (FCA PS21/3) embedding parallel requirements in the UK.

TPRM programme gaps carry real financial consequences. In 2024, the FCA issued fines totalling £57.4m related to inadequate third-party and outsourcing controls. (FCA Annual Report 2023/24) Individual senior managers face personal liability under the Senior Managers and Certification Regime (SMCR) for TPRM failures in their area of responsibility.

The ICP reality check: Most UK and EU regulated firms are still operating TPRM programmes built for a 2015 regulatory environment. DORA alone requires significant programme redesign for the majority of financial institutions, particularly around ICT concentration risk, contractual requirements and fourth-party visibility.


Related: How to build a TPRM programme: 8-step guide

 

Is your TPRM programme DORA-ready? Neotas has helped regulated firms across the UK and EU assess and redesign their third-party risk programmes for DORA compliance.

Request a DORA readiness review →

Read our Guide on DORA Compliance for Third-Party Risk Management: What Financial Services Firms Must Do in 2026 →

 

TPRM vs. Vendor Risk Management vs. Vendor Management: what’s the difference?

These three terms are frequently used interchangeably. They are not the same thing.

Feature | TPRM | Vendor Risk Management (VRM) | Vendor Management
Scope | All third parties: vendors, contractors, advisors, technology providers, JV partners, staffing agencies | Vendors and suppliers primarily | Vendors and suppliers only
Primary focus | Risk identification, assessment and mitigation across all risk domains | Cybersecurity and operational risk focus | Commercial performance, contracts, SLAs
Who owns it | Risk, Compliance or a dedicated Third-Party Risk function | Procurement, IT Security or Compliance | Procurement or Operations
Regulatory driver | FCA SYSC 8, DORA, OCC 2023-17, NIST SP 800-161, GDPR Art. 28 | NIST CSF, ISO 27001, SOC 2 | Contract law, procurement policy
Assessment depth | Full risk-based due diligence: cyber, financial, regulatory, ESG, reputational, adverse media, fourth-party | Cybersecurity questionnaires, security ratings | Commercial performance metrics
Ongoing monitoring | Continuous, automated, risk-tiered | Periodic reassessment (typically annual) | Periodic contract review
Financial crime lens | Yes – sanctions, adverse media, PEP screening for high-risk vendors | Rarely | No
ESG obligations | Yes – modern slavery, ABAC, CSDDD | Rarely | Rarely
Key output | Risk-tiered vendor register, board-level risk reporting, regulatory evidence pack | Risk scores, remediation plans | Vendor scorecards, contract register

 

The practical distinction:

Vendor Management asks: “Is this supplier delivering what we paid for?”

Vendor Risk Management asks: “Is this supplier creating cybersecurity or operational risk?”

TPRM asks both of those questions, plus: Is this supplier creating regulatory risk? Financial crime exposure? Reputational risk through adverse media or PEP connections? ESG obligations through modern slavery or corruption links? What risks flow from their sub-contractors?

For regulated financial institutions, TPRM is not a procurement discipline – it is a second-line risk function with direct regulatory accountability.

What about TPRM vs GRC?

GRC (Governance, Risk and Compliance) is an enterprise-wide framework covering all risk types. TPRM sits within GRC specifically as the component that manages external relationship risk. A GRC platform may house your TPRM programme data, but it is not a substitute for a purpose-built TPRM process.

Related: Full TPRM framework guide | Vendor risk assessment template

 

What is Third-Party Vendor Risk Management (TPVRM)?

Third-Party Vendor Risk Management (TPVRM) is the application of TPRM disciplines specifically to vendor and supplier relationships. It covers the same lifecycle – identification, risk tiering, due diligence, contract controls, monitoring and offboarding, scoped to organisations that provide goods, services or technology under a commercial contract.

In most regulated firm contexts, TPVRM and TPRM are used interchangeably. Where a distinction is drawn: TPVRM is the vendor management function’s risk responsibilities (procurement-led, commercially focused). TPRM is the second-line risk function’s oversight of all external relationships, including non-vendor third parties such as advisors, JV partners and staffing agencies.

 

The 7 steps in an effective TPVRM programme:

  1. Vendor identification and classification: Full inventory of all vendors, categorised by service type, data access, operational criticality and regulatory sensitivity.
  2. Risk assessment: Score each vendor’s inherent risk using consistent criteria. Use questionnaires, audits and independent screening to gather evidence.
  3. Due diligence: Pre-onboarding assessment covering financial health, cybersecurity posture, compliance track record, adverse media and beneficial ownership. Depth matches the risk tier. See enhanced due diligence services at Neotas.
  4. Contract management: Contracts must cover performance expectations, security obligations, audit rights, data protection terms (GDPR Art.28) and exit conditions. DORA adds binding ICT contractual requirements on top. (EBA DORA Art.30)
  5. Continuous monitoring: Ongoing oversight of vendor performance, financial health, regulatory status and adverse media. Automated for critical vendors, periodic for lower-risk relationships. See TPRM lifecycle guide.
  6. Incident response: Defined protocols for vendor-linked incidents: data breaches, service failures, sanctions exposure. Response plans must exist before an incident, not get drafted during one.
  7. Offboarding: Data return or certified destruction, access revocation, contractual closeout. All confirmed in writing and documented.

For the full implementation methodology, see the Neotas TPRM framework guide and TPRM policy template.

 

Need to upgrade a vendor risk programme that’s still questionnaire-only? Neotas provides vendor due diligence and ongoing monitoring combining OSINT screening, adverse media, financial crime checks and ESG assessment in one workflow. See how it works

 

Image: Third-Party Vendor Risk Management

The 7 key third-party risk categories

A complete TPRM programme must cover all 7 risk categories. Standard questionnaire-based programmes typically cover only cybersecurity and operational risk. That leaves significant exposure in financial crime, ESG and reputational risk domains, precisely the areas regulators are now scrutinising most closely.

1. Cybersecurity and data risk

Vendor access points, API integrations, shared credentials, data processing agreements and SaaS platform vulnerabilities all create direct cybersecurity exposure. A vendor breach can expose your customer data and systems even when your own controls are sound.

Key assessment criteria: SOC 2 Type II certification, ISO 27001 certification, penetration test results (within 12 months), data breach history, incident response procedures, data residency.

Regulatory reference: DORA Articles 28-30 (EBA) | NIST SP 800-161 (NIST) | FCA PS7/23

Real example: The MOVEit vulnerability in 2023 exposed data at over 2,700 organisations globally through a single file-transfer vendor – despite those organisations having their own robust internal security controls. (Progress Software / Cl0p ransomware incident, CISA)

Related: Third-party cyber risk assessment services at Neotas

2. Financial stability and concentration risk

Vendor insolvency, financial instability, over-dependence on a single supplier for a critical function and inadequate capital reserves all create operational disruption risk. Concentration risk where too many critical processes depend on one vendor is explicitly flagged by DORA as a systemic risk requiring active monitoring and formal controls.

Key assessment criteria: Audited financial statements (2-3 years), credit ratings, liquidity position, client concentration (what % of their revenue is your contract), geographic concentration of operations.

Regulatory reference: DORA Article 29 (concentration risk) (EBA) | OCC Bulletin 2023-17 (OCC)

Related: Financial crime compliance services | Supply chain risk management

3. Compliance and regulatory risk

Vendors that handle regulated data, operate in regulated jurisdictions or provide services covered by sector-specific rules must themselves comply with GDPR, DORA, FCA rules, AML regulations, sanctions requirements and sector-specific obligations. A vendor non-compliance event creates direct regulatory exposure for your organisation including personal liability for your Senior Managers even without your direct involvement.

Key assessment criteria: Regulatory status and licences, GDPR Article 28 Data Processing Agreement, AML programme, sanctions screening procedures, record of regulatory actions or fines.

Regulatory reference: GDPR Article 28 (ICO) | DORA Article 30 (EBA) | FCA SYSC 8 (FCA)

4. Operational resilience risk

Service disruption, SLA failures, key-person dependency, single points of failure and geographic concentration of operations (for example, critical services hosted in a single data centre region) all create operational resilience risk. DORA requires regulated firms to formally map, test and document their exposure to third-party operational failure including business continuity and disaster recovery capabilities at the vendor level.

Key assessment criteria: Business continuity plan, disaster recovery procedures and test results, SLA definitions and breach history, geographic redundancy, key-person dependency assessment.

Regulatory reference: DORA Chapter III (EBA) | FCA CP22/20 (FCA)

5. Reputational and adverse media risk

Vendor misconduct, political exposure (PEPs and their associates), sanctions connections, corruption allegations, data privacy violations and negative media coverage all create reputational risk that can attach to your organisation by association. Adverse media screening across traditional press, social media and emerging sources is a regulatory requirement for higher-risk vendor relationships in financial services.

Standard database checks miss most of this. They cover structured sanctions lists and known adverse records but they cannot surface newly emerging allegations, social media red flags, foreign-language adverse media or politically motivated exposure. This is the gap that intelligence-led OSINT screening fills.

Key assessment criteria: Adverse media screening (traditional + social + dark web), PEP and sanctions screening, beneficial ownership verification, media sentiment analysis, reputational risk classification.

Neotas capability: Neotas’s OSINT-enhanced adverse media screening covers 200+ languages, social media platforms, open-web sources and structured databases simultaneously, surfacing risks that no single database check or questionnaire reveals. See how Neotas screens vendors →

6. ESG, ethics and financial crime risk

Modern slavery and forced labour in vendor operations or supply chains, environmental violations, anti-bribery and corruption (ABAC) failures, and human rights abuses now create both regulatory and commercial exposure. The UK Modern Slavery Act 2015, the EU Corporate Sustainability Due Diligence Directive (CSDDD) (European Commission), the US Foreign Corrupt Practices Act (DOJ) and the UK Bribery Act 2010, all require evidence of active ESG due diligence across third-party relationships.

Key assessment criteria: Modern slavery statement, ABAC policy and training evidence, environmental certifications, labour practice documentation, FCPA/Bribery Act compliance procedures, beneficial ownership transparency.

Related: ESG due diligence services at Neotas | Financial crime compliance

 

Running a regulated procurement process? Neotas provides ESG and financial crime due diligence reports on third-party suppliers that satisfy CSDDD, UK Modern Slavery Act and ABAC requirements. Request an ESG vendor screening →

7. Fourth-party and Nth-tier supply chain risk

Your vendors have their own vendors. Fourth-party risk is the exposure that flows through your direct suppliers to their sub-contractors, cloud infrastructure providers, data processors and technology partners. Most TPRM programmes have almost no visibility here.

DORA explicitly requires regulated firms to understand and manage ICT supply chain concentration risk at the fourth-party level (EBA DORA RTS), including identification of critical sub-contractors and assessment of cascading failure scenarios. This is new territory for most firms: the majority of existing vendor contracts do not even require sub-contractor disclosure.

Key assessment criteria: Sub-contractor disclosure requirements in contracts, mapping of critical fourth-party relationships, cloud infrastructure concentration (AWS/Azure/GCP dependency), ICT supply chain risk assessment.

Related: Supply chain risk management services

 

Want a full third-party risk assessment across all 7 categories? Neotas runs intelligence-led vendor assessments that cover cybersecurity, financial, regulatory, reputational, ESG and fourth-party risks in a single integrated report. See a sample vendor risk report →

 

The TPRM lifecycle: 7 stages

A complete TPRM programme follows a structured lifecycle across every third-party relationship. Below is a summary of each stage. For the full methodology, see the Neotas TPRM lifecycle guide.

 

Stage 1: Third-party identification and inventory

Map every external party that accesses your data, systems, or processes. Without a complete inventory, you cannot risk-tier or monitor what you have not found. Most organisations running their first inventory discover they have 30-50% more active third-party relationships than documented in their procurement records.

Include direct vendors, sub-contractors with system access, cloud service providers, professional advisors with data access and any third party that could affect your operational resilience.

 

Stage 2: Risk tiering and classification

Assign every third party to a risk tier based on their inherent risk to your organisation. A critical SaaS provider processing personal financial data is categorically different from a stationery supplier.

Risk tiering uses inherent risk factors: type of data accessed, criticality to operations, regulatory sensitivity of services, jurisdictional exposure and financial dependency. Most regulated programmes use 3 or 4 tiers. Higher tiers receive more intensive due diligence and more frequent ongoing monitoring.

Related: TPRM risk tiering methodology

 

Stage 3: Due diligence and assessment

Due diligence depth matches the risk tier. Tier 1 (critical) vendors receive comprehensive assessment covering financial health, cybersecurity posture, regulatory compliance, reputational screening, adverse media, beneficial ownership and ESG obligations. Tier 3 (low risk) vendors may need only a self-certification questionnaire.

The most common programme failure at this stage is relying entirely on vendor-completed questionnaires. Self-reported information misses the risks vendors will not or cannot disclose. Independent intelligence-led screening is the control that catches what questionnaires miss.

Related: Enhanced due diligence services | TPRM questionnaire template | Vendor risk assessment template

 

Upgrade from questionnaire-only to intelligence-led: Neotas runs independent vendor due diligence that combines structured assessment with OSINT screening, adverse media analysis and financial crime checks. See how it works →

 

Stage 4: Contract and commercial controls

TPRM obligations must be embedded in vendor contracts. Contracts should cover: data protection terms (GDPR Article 28 compliant), audit rights, incident notification obligations, business continuity requirements, sub-contractor disclosure requirements, and exit and termination rights.

DORA specifies mandatory contractual requirements for all ICT third-party service providers to regulated financial entities including minimum provisions on service descriptions, data locations, audit cooperation and exit assistance. (DORA Article 30) Existing vendor contracts that predate DORA need reviewing and updating before the next renewal.

 

Stage 5: Ongoing monitoring

Third-party risk does not stop at onboarding. Circumstances change: vendors suffer data breaches, face sanctions exposure, enter financial distress, receive regulatory fines, acquire new sub-contractors or change beneficial ownership. All of these change the risk profile of an existing relationship.

Continuous monitoring covers: adverse media alerts, sanctions and PEP list changes, financial health indicators, regulatory action notices and changes to fourth-party relationships. Monitoring frequency is risk-tiered: critical vendors typically require monthly or real-time monitoring, lower-risk vendors quarterly or annual review.

Related: Third-party risk monitoring services at Neotas

 

Stage 6: Issue management and remediation

When a monitoring alert fires, the programme must have defined escalation paths, remediation timelines and board-level reporting obligations. Regulators examine issue management records closely during supervision; a good issue management trail demonstrates a functioning programme. Poor issue management is where most regulatory enforcement actions in this space originate.

 

Stage 7: Offboarding and termination

When a vendor relationship ends, offboarding must ensure: data return or certified destruction, access revocation confirmed and documented, final financial settlement, contractual obligations discharged and formal written confirmation the relationship is closed. Poorly managed offboarding leaves residual data and access risks that persist years after the relationship has ended.

Related: Full TPRM lifecycle guide | TPRM questionnaire | Enhanced due diligence

 

Image: Third-Party Risk Management Lifecycle

TPRM regulatory requirements

No questionnaire or platform satisfies all of these simultaneously. A UK financial institution operating in the EU typically needs to satisfy FCA SYSC 8, DORA, GDPR, the Modern Slavery Act and the Bribery Act across the same vendor population.

Regulation | Where it applies | In force | Core TPRM obligation
DORA (EBA) | EU financial services | Jan 2025 | ICT third-party risk programme, Art.30 contractual requirements, concentration risk reporting, ICT contract register
FCA SYSC 8 (FCA) | UK regulated firms | Ongoing | Outsourcing governance, operational resilience, senior manager accountability
OCC Bulletin 2023-17 (OCC) | US national banks | 2023 | Lifecycle-based third-party risk programme, risk-tiered due diligence, board oversight
NIST SP 800-161 Rev.1 (NIST) | US federal + private sector | 2022 | Cyber Supply Chain Risk Management programme
EBA Outsourcing Guidelines (EBA) | EU banks and investment firms | 2019/2023 | Outsourcing register, contractual requirements, supervisory notification for material outsourcing
GDPR / UK GDPR Art.28 (ICO) | EU and UK | 2018 | Mandatory DPA with all vendors processing personal data
UK Modern Slavery Act | UK, £36m+ turnover | 2015 | Annual supply chain transparency statement; active third-party due diligence
UK Bribery Act | UK | 2010 | Adequate procedures defence requires third-party ABAC due diligence
US FCPA (DOJ) | US-listed companies, extraterritorial | Active | Third-party due diligence for any agent acting on behalf of a US issuer
EU CSDDD (European Commission) | EU, phased | From 2027 | Human rights and environmental due diligence across supply chains

Related: TPRM framework | TPRM policy guide

 

Operating across multiple regulatory jurisdictions? Neotas produces third-party risk assessments that satisfy DORA, FCA and OCC requirements in a single workflow.
Speak to a specialist →

 

DORA and third-party risk management

DORA – the Digital Operational Resilience Act (EU) 2022/2554 is the most significant regulatory development for third-party risk management in a decade. It came into full force across EU financial services in January 2025 and sets binding, enforceable obligations for how regulated firms identify, assess, monitor and contract with ICT third-party service providers.

If your firm is an EU-regulated financial entity, or a UK firm with EU operations, DORA directly governs your TPRM programme.

What DORA requires for third-party risk:

DORA obligation | Article | What it means in practice
ICT third-party risk programme | Art. 28 | Formal, documented programme covering all ICT vendors – not optional, not informal
Risk-based due diligence | Art. 28 | Pre-contractual and ongoing assessment proportionate to vendor criticality
Mandatory contractual provisions | Art. 30 | All ICT contracts must include: service descriptions, data locations, audit rights, incident notification timelines, exit assistance and sub-contractor disclosure
Register of ICT contracts | Art. 28 | Maintained and reported to regulators – covers all ICT third-party arrangements
Concentration risk monitoring | Art. 29 | Identify and report where critical functions depend on a single provider or geography
Critical ICT provider designation | Art. 31 | Regulators can designate providers as “critical” – triggering direct supervisory oversight
Incident reporting | Art. 19 | ICT-related incidents caused by or involving third parties must be reported within defined timeframes
Sub-contractor visibility | RTS on subcontracting | Map and assess fourth-party ICT sub-contractors for critical services

 

Does DORA apply to UK firms?

DORA is EU law. It does not apply directly to UK-regulated firms unless they operate EU branches, serve EU clients through EU-authorised entities or are ICT service providers to EU-regulated firms. The FCA’s operational resilience framework (PS21/3) and SYSC 8 cover equivalent ground for UK firms. (FCA) UK firms with EU operations need to satisfy both.

The three DORA gaps most firms have right now:

  1. Contractual gaps. Legacy ICT contracts predate DORA’s Article 30 requirements. Audit rights, incident notification timelines, exit assistance and sub-contractor disclosure clauses are frequently absent. Every ICT contract needs reviewing at next renewal.
  2. The ICT register. DORA requires a maintained register of all ICT third-party arrangements, reported to regulators. Most firms have procurement records – few have a DORA-compliant register with the required data fields.
  3. Concentration risk visibility. DORA Article 29 requires firms to identify and manage situations where critical functions depend on a single ICT provider or a single geographic region. Most TPRM programmes track individual vendors, not concentration patterns across the portfolio.

Related: TPRM regulatory requirements table | TPRM framework guide | TPRM policy template

 

Is your TPRM programme DORA-compliant? Neotas runs DORA gap assessments for regulated firms, covering ICT register completeness, contractual compliance, concentration risk mapping and fourth-party sub-contractor visibility.

Request a DORA readiness review →

How to build a TPRM programme in 2026

Eight steps. The order matters – most firms fail by jumping to technology before they have a risk tiering model.

For the full implementation roadmap, see the Neotas TPRM framework guide.

  1. Define scope and governance: Establish ownership (typically Risk or Compliance), define what counts as a third party, get board sign-off, assign Senior Manager accountability under SMCR.
  2. Build the third-party inventory: Combine procurement records, AP data and IT access logs. Expect to find more vendors than documented. (Deloitte 2024)
  3. Design the risk tiering model: Score inherent risk using: data sensitivity, operational criticality, regulatory exposure, jurisdictional risk and financial dependency. Avoid tiering by vendor category alone.
  4. Design due diligence by tier: Tier 1: full intelligence-led assessment. Tier 2: structured questionnaire plus independent screening. Tier 3: questionnaire. Tier 4: self-certification. See enhanced due diligence and TPRM questionnaire.
  5. Select tools and technology: Manual-only programmes typically fail regulatory review at scale. Options: standalone TPRM platform, GRC module, specialist screening provider, or a combination. See TPRM software guide.
  6. Establish contractual standards: Embed GDPR Art.28, audit rights, DORA Art.30 ICT provisions, incident notification timelines and exit obligations. Review legacy contracts at next renewal.
  7. Implement continuous monitoring: Automate adverse media and sanctions alerts for Tier 1 and 2. Define escalation paths and response timelines before the first alert fires.
  8. Define governance and reporting: Board-level TPRM reporting, KRI dashboard, outsourcing register (required under EBA Guidelines and DORA). Document the programme in a TPRM policy.

 

Starting from scratch or upgrading an existing programme? Neotas runs TPRM programme assessments and gap analyses against DORA, FCA and OCC requirements.
Request a programme review →

 

Image: How to build a TPRM programme in 2026

TPRM maturity model

Most regulated firms sit at Level 2 or 3. DORA and FCA guidance effectively require Level 4. The gap is real and closing it before a regulatory visit is significantly cheaper than closing it after.

Level | Name | What it looks like | What’s missing
1 | Ad hoc | No formal programme, reactive vendor management | Inventory, risk tiering, documentation
2 | Developing | Questionnaire-based, partial inventory, limited monitoring | Independent screening, board reporting, continuous monitoring
3 | Defined | Full inventory, documented risk tiering, periodic reassessment | Automation, financial crime integration, fourth-party visibility
4 | Managed | Automated monitoring, integrated risk reporting, DORA/FCA-aligned documentation | Intelligence-led screening, programme optimisation
5 | Optimised | OSINT-enhanced screening, fourth-party visibility, financial crime integration, continuous improvement | –
Image: TPRM maturity model

TPRM best practices

These apply regardless of where your programme sits on the maturity scale.

Best practice | What it means in practice
Tier by inherent risk, not vendor category | A low-spend SaaS provider with access to regulated customer data is higher risk than a high-spend stationery supplier. Tier on data sensitivity, operational criticality and regulatory exposure, not contract value.
Don’t rely on questionnaires alone | Self-reported data misses what vendors won’t or can’t disclose. Independent adverse media screening, financial health checks and beneficial ownership verification catch what questionnaires don’t.
Build monitoring before you need it | Most incidents happen between annual review cycles. Automate adverse media alerts, sanctions list changes and financial health signals for Tier 1 and 2 vendors now, before an incident forces the conversation.
Embed TPRM in procurement, not after it | Risk assessment running parallel to commercial negotiation gives you leverage. Risk assessment after contract signature gives you nothing. See TPRM framework.
Map your fourth-party exposure | If you don’t know what cloud providers, data processors and sub-contractors your critical vendors use, you have a concentration risk blind spot. DORA requires you to close it.
Document the evidence trail | A well-run programme that isn’t documented fails regulatory review. Due diligence reports, monitoring records and issue escalations are what supervisors examine in an FCA or ECB visit.
Assign named accountability | Under FCA SMCR and equivalent regimes, a Senior Manager is personally accountable for TPRM failures. Name them before a regulator asks. See TPRM policy guide.
Update contracts at renewal | DORA Article 30 requirements apply to new and renewed ICT contracts. Legacy contracts without audit rights, incident notification timelines and exit obligations need updating at next renewal.
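The inherent-risk tiering model described in lifecycle Stage 2, step 3 of the build guide and the first best practice above can be turned into a simple, auditable scorer. This is an added example, not Neotas code or a Neotas methodology: the 0-3 scale per factor, the score thresholds for the four tiers, the per-tier monitoring cadence and the "regulated data floor" rule are assumptions made here, and the sample vendors and their scores are constructed.

```python
from dataclasses import dataclass

# The five inherent risk factors named in the page's tiering model. The 0-3 scale
# per factor, the tier thresholds and the floor rule below are assumptions made
# for this example, not figures from the page.
FACTORS = (
    "data_sensitivity",         # 0 = public data ... 3 = regulated personal/financial data
    "operational_criticality",  # 0 = no operational impact ... 3 = supports a critical function
    "regulatory_exposure",      # 0 = none ... 3 = squarely in scope of DORA/FCA/GDPR obligations
    "jurisdictional_risk",      # 0 = home jurisdiction ... 3 = high-risk jurisdiction
    "financial_dependency",     # 0 = trivially replaceable ... 3 = single-source dependency
)

# Due diligence depth per tier follows step 4 of the build guide. The monitoring
# cadence per tier is an assumption consistent with Stage 5 (critical vendors
# monthly or real-time, lower-risk vendors quarterly or annual).
DUE_DILIGENCE = {
    1: "full intelligence-led assessment",
    2: "structured questionnaire plus independent screening",
    3: "questionnaire",
    4: "self-certification",
}
MONITORING = {1: "real-time or monthly", 2: "monthly", 3: "quarterly", 4: "annual"}


@dataclass(frozen=True)
class Vendor:
    name: str
    category: str           # informational only: never an input to the tier
    annual_spend_gbp: int   # informational only: never an input to the tier
    data_sensitivity: int
    operational_criticality: int
    regulatory_exposure: int
    jurisdictional_risk: int
    financial_dependency: int


def inherent_risk_score(v: Vendor) -> int:
    """Sum the five factor scores (0-15). Category and spend are deliberately ignored."""
    total = 0
    for factor in FACTORS:
        score = getattr(v, factor)
        if not 0 <= score <= 3:
            raise ValueError(f"{v.name}: {factor} must be scored 0-3, got {score}")
        total += score
    return total


def assign_tier(v: Vendor) -> int:
    """Map the inherent score onto a 4-tier model (Tier 1 = highest risk)."""
    score = inherent_risk_score(v)
    if score >= 11:
        tier = 1
    elif score >= 7:
        tier = 2
    elif score >= 4:
        tier = 3
    else:
        tier = 4
    # Floor rule (assumption): a vendor holding regulated data is never left on a
    # questionnaire-only track, however low its other factors score.
    if v.data_sensitivity == 3 and tier > 2:
        tier = 2
    return tier


def build_tier_register(vendors):
    """Return the risk-tiered register, highest risk first, with each tier's treatment."""
    rows = []
    for v in vendors:
        tier = assign_tier(v)
        rows.append({
            "vendor": v.name,
            "tier": tier,
            "inherent_score": inherent_risk_score(v),
            "due_diligence": DUE_DILIGENCE[tier],
            "monitoring": MONITORING[tier],
        })
    return sorted(rows, key=lambda r: (r["tier"], -r["inherent_score"]))


# Constructed sample vendors (invented names and scores) illustrating the page's
# point that contract value does not drive the tier.
SAMPLE_VENDORS = [
    Vendor("Payments SaaS", "SaaS", 12_000, 3, 3, 3, 1, 1),               # low spend, regulated data
    Vendor("Stationery supplier", "Stationery", 250_000, 0, 0, 0, 0, 0),  # high spend, no risk
    Vendor("Cloud hosting", "Cloud", 900_000, 3, 3, 2, 2, 3),
    Vendor("Marketing agency", "Agency", 40_000, 2, 1, 1, 0, 0),
    Vendor("Survey tool", "SaaS", 2_000, 3, 0, 0, 0, 0),                  # floor rule applies
]

if __name__ == "__main__":
    for row in build_tier_register(SAMPLE_VENDORS):
        print(row)
```

The register places the £12,000 payments SaaS in Tier 1 and the £250,000 stationery supplier in Tier 4, and the floor rule lifts the tiny survey tool holding regulated data to Tier 2 so it still receives independent screening.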

Related: TPRM framework | TPRM policy template | TPRM software options | TPRM questionnaire guide

Want a gap assessment of your current TPRM practices against DORA, FCA and OCC requirements? Neotas runs programme maturity reviews for regulated firms across the UK and EU. Request a TPRM review

How Neotas delivers intelligence-led TPRM

Standard TPRM platforms run structured database checks: sanctions lists, PEP databases, credit reports, cybersecurity ratings. These are necessary. They’re not sufficient.

They miss adverse media in 200+ languages, emerging financial crime indicators, ESG red flags embedded in supply chains, and fourth-party relationships that never appear in any database.

Neotas, rated in the Chartis FCC50 as a leading financial crime compliance technology provider, addresses this gap by combining OSINT-enhanced screening with analyst-led investigation.

Each capability, with what it covers:

  • Intelligence-led vendor due diligence: Full Tier 1/2 assessments across all 7 risk categories with OSINT screening
  • Adverse media and reputational screening: 200+ languages, traditional + social + emerging sources
  • Financial crime compliance integration: AML, KYC and sanctions screening embedded in TPRM due diligence
  • ESG and ethics due diligence: Modern slavery, ABAC, environmental violations, beneficial ownership
  • DORA readiness assessments: ICT register review, concentration risk mapping, contractual gap analysis
  • Ongoing monitoring: Continuous adverse media and sanctions alerts with escalation support

Built for regulated financial services, insurance, legal and professional services firms where questionnaire-only programmes no longer satisfy regulatory expectations.


See how Neotas works for your programme.

Request a demonstration →
View TPRM case studies →

Neotas Due Diligence Platform

TPRM in practice: real cases from Neotas

  • Third-party risk found through open-source intelligence: A regulated firm needed vendor due diligence beyond standard database checks. Neotas OSINT screening surfaced adverse media, undisclosed corporate connections and reputational red flags invisible to structured data sources.
    Read the full TPRM case study
  • Supply chain risk identified before contract signature: An organisation screening a prospective supply chain partner discovered hidden operational and reputational risks through open-source intelligence, before any contract was signed. The engagement prevented a high-value relationship with a materially compromised vendor.
    Read the supply chain OSINT case study
  • ESG due diligence uncovers supply chain exposure: A global firm commissioned ESG risk screening on its vendor population. Neotas investigation uncovered labour practice violations and environmental breaches embedded in a Tier 2 supplier, exposure that standard ESG questionnaires had not flagged.
    Read the ESG supply chain case study
  • ESG framework assessment with OSINT integration: A client needed an ESG risk management framework that went beyond self-reported vendor data. Neotas integrated OSINT-based screening into their existing ESG assessment process, providing independent verification across the vendor population.
    Read the ESG framework case study
  • PEP screening reveals undisclosed political connections: A European organisation screening a prospective third party found no flags on standard PEP database checks. Neotas intelligence analysis identified undisclosed political links that created direct regulatory and reputational exposure.
    Read the PEP screening case study
  • Dangerous senior manager identified before appointment: A firm conducting pre-engagement due diligence on a prospective senior manager used Neotas to go beyond CV verification. The investigation surfaced a pattern of conduct that standard reference checks had not identified.
    Read the senior manager due diligence case study
  • Network analysis uncovers international credit risk links: Standard financial checks on a counterparty returned clean results. Neotas network analysis mapped undisclosed international corporate relationships that created material credit risk exposure the client had no visibility of.
    Read the network analysis case study
  • AML compliance strengthened through OSINT: A financial institution needed to validate AML due diligence on third-party relationships beyond transaction monitoring. Neotas open-source intelligence provided independent verification of customer and counterparty backgrounds across multiple jurisdictions.
    Read the AML compliance case study

Every case above started with a vendor or counterparty that looked clean on paper. Neotas intelligence screening goes where databases don’t. See how it works for your TPRM programme →

TPRM and due diligence checklists

Practical tools for risk and compliance teams running third-party assessments. All checklists are available on the Neotas due diligence resource page.

Each checklist, who it’s for, and what it covers:

  • Due Diligence Checklist (for risk teams, compliance officers and procurement leads): Full due diligence process, covering identity verification, financial health, regulatory status, adverse media and red flags, in an audit-ready format.
  • Vendor Due Diligence Checklist (for TPRM teams, procurement and second-line risk functions): Vendor-specific due diligence across all stages, covering onboarding, periodic review, contract renewal and exit, structured for TPRM lifecycle use.
  • Enhanced Due Diligence (EDD) Checklist (for compliance officers and financial crime teams): Standardised EDD process for high-risk vendors and third parties, aligned to the FCA Financial Crime Guide and the Money Laundering Regulations 2017.

Running EDD on a high-risk vendor? Neotas combines the checklist framework with OSINT.
Explore our EDD Solutions →

FAQs on TPRM

What is TPRM and what does it stand for?

TPRM stands for Third-Party Risk Management. It’s the process organisations use to identify, assess and manage the risks that come from working with external vendors, suppliers, contractors and service providers. Think of it as the structured discipline that sits between your organisation and everyone outside it who touches your data, systems or operations.

What is the TPRM process?

The TPRM process runs in seven stages: identify all third parties, tier them by inherent risk, conduct due diligence, embed controls in contracts, monitor continuously, manage issues when they arise, and formally offboard vendors when relationships end. It’s a continuous cycle, not a one-time assessment. See the full TPRM lifecycle guide.

What is the difference between TPRM and vendor risk management?

TPRM covers all external relationships: vendors, contractors, advisors, JV partners, staffing agencies. Vendor Risk Management (VRM) covers vendors only, typically focused on cybersecurity and operational risk. TPRM goes further: it adds financial crime, ESG, reputational and fourth-party risk. For FCA, DORA and OCC compliance, TPRM is the correct framework. VRM alone won’t satisfy those obligations.

What is a TPRM framework?

A TPRM framework is the structured set of policies, processes and controls an organisation uses to manage third-party risk consistently. It defines how vendors get inventoried, tiered, assessed, contracted and monitored. A good framework aligns with DORA, FCA SYSC 8 and OCC 2023-17 requirements and produces the documented evidence trail regulators expect to see. See the Neotas TPRM framework guide.

What regulations require third-party risk management?

The main ones: DORA for EU financial services (EBA), FCA SYSC 8 for UK regulated firms (FCA), OCC Bulletin 2023-17 for US national banks (OCC), GDPR Article 28 for any organisation handling personal data, and the UK Modern Slavery Act for firms above £36m UK turnover. Non-compliance carries financial penalties and personal senior manager liability.

What is third-party risk monitoring?

Third-party risk monitoring is the ongoing surveillance of active vendor relationships after onboarding. It covers adverse media alerts, sanctions and PEP list changes, financial health signals and regulatory action notices. For critical vendors, this runs continuously. For lower-risk vendors, quarterly or annual review is typical. Most TPRM programme failures happen between annual review cycles, not at onboarding.

What is a TPRM questionnaire?

A TPRM questionnaire is a structured set of questions sent to vendors to collect information on their security controls, financial health, compliance status and data handling practices. It’s a core due diligence tool but has one major limitation: it’s entirely self-reported. Vendors can’t always disclose what they don’t know, and some won’t disclose what they do. Independent screening is what catches the gaps. See the TPRM questionnaire guide.

What is TPRM software and what does it do?

TPRM software manages the processes inside a third-party risk programme: vendor inventory, risk tiering, questionnaire distribution, due diligence tracking, monitoring alerts and board reporting. Options range from standalone TPRM platforms to GRC modules to specialist intelligence-led screening tools. Manual-only approaches typically fail regulatory review at scale. See the TPRM software guide.

What is fourth-party risk in TPRM?

Fourth-party risk is the exposure that flows through your direct vendors to their own sub-contractors and technology providers. Your contract is with the vendor, but the risk can sit two levels down. A cloud provider using a sanctions-linked data centre is a real example. DORA requires regulated firms to map and manage fourth-party ICT concentration risk explicitly. (EBA DORA RTS) Most TPRM programmes currently have no visibility here at all.

What is a TPRM maturity model?

A TPRM maturity model is a five-level scale that describes how sophisticated a third-party risk programme is, from Level 1 (no formal programme, entirely reactive) to Level 5 (intelligence-led, continuous monitoring, fourth-party visibility, financial crime integration). Most regulated firms sit at Level 2 or 3. DORA and FCA guidance require Level 4 as a practical minimum.

Why is third-party risk management important?

61% of data breaches involve a third party. (IBM Cost of a Data Breach Report 2024) 60% of global AML fines in 2023 were linked to third-party control failures. For regulated firms, TPRM is a legal obligation with direct financial penalties and personal senior manager liability under SMCR. For any organisation, vendor relationships are the most common source of data breaches, compliance failures and operational disruptions, and the least visible.

What is TPRM in financial services?

In financial services, TPRM is a binding regulatory requirement with named senior manager accountability. FCA SYSC 8 requires formal outsourcing governance. DORA requires an ICT third-party risk programme, a register of all ICT contracts and documented concentration risk controls, all in force since January 2025. (EBA) OCC 2023-17 requires US national banks to run a lifecycle-based programme for all third-party relationships. (OCC) Financial crime screening (adverse media, sanctions, PEP checks) is embedded in due diligence for higher-risk vendor relationships.

Neotas Enhanced Due Diligence

Neotas Enhanced Due Diligence covers 600Bn+ archived web pages, 1.8Bn+ court records, 198M+ corporate records, global social media platforms, and more than 40,000 media sources from over 100 countries to help you screen and manage risks.
