Introduction
Regulators don't distinguish between what your firm did and what your vendor failed to do. The 2024 enforcement actions against Evolve Bank, Customers Bank, and Lineage Bank made that clear — all three faced regulatory consequences tied directly to their third-party relationships.
A supplier risk assessment is the structured process for identifying, evaluating, and prioritizing the risks that vendors introduce to your operations and compliance posture. For fintechs, crypto firms, banks, and embedded finance companies, it carries weight that standard due diligence doesn't. A vendor's AML gap, data breach, or lapsed license becomes your regulatory exposure.
This guide covers how to execute supplier risk assessments step by step, what makes them especially consequential in financial services, and the common mistakes that undermine even structured programs.
TL;DR
- Supplier risk assessments evaluate vendors across five dimensions: financial stability, operational reliability, regulatory compliance, cybersecurity posture, and reputational/ethical exposure
- Regulators (OCC, FFIEC, FCA, DORA) and sponsor banks now require documented third-party risk programs as a condition of operating
- The process follows five steps: vendor inventory, risk prioritization, data collection and verification, scoring, and corrective action plans
- Critical vendors should be assessed annually at minimum, with continuous monitoring between formal reviews
- Treating this as a one-time onboarding checkbox instead of an ongoing program is the most common and costly mistake
What Is a Supplier Risk Assessment?
A supplier risk assessment is a due diligence process companies use to evaluate the risks third-party vendors introduce across financial, operational, legal, and ethical dimensions. Its purpose is to surface exposure before it becomes a disruption or a regulatory violation.
The goal is to compare vendor risk against your organization's risk appetite and regulatory obligations, then make informed sourcing or mitigation decisions — not to screen out every vendor with an imperfect profile.
How It Differs from Vendor Risk Assessment
These two terms get used interchangeably in practice. They're not the same.
| Program | Scope |
|---|---|
| Vendor risk assessment | Typically focused on cybersecurity and data privacy |
| Supplier risk assessment | Broader — includes financial stability, regulatory compliance, and operational continuity |
Both programs often run in parallel for regulated financial entities. A fintech's vendor risk program might confirm whether a KYC provider holds ISO 27001 certification. The supplier risk assessment goes further — it examines whether that vendor can survive financially, maintain its licenses, and hold up under regulatory scrutiny.
Why Supplier Risk Assessment Is Critical for Fintech and Regulated Financial Services
Regulators across the US, UK, and EU are explicit: using a third-party provider doesn't transfer your compliance obligations to that provider. The 2023 interagency guidance from the OCC, FDIC, and Federal Reserve makes this concrete — banking organizations must manage third-party risk across the full lifecycle: planning, due diligence, ongoing monitoring, and termination.
The obligation stays with the bank. Full stop.
The enforcement record backs this up.
What 2024 Enforcement Actions Revealed
Three significant 2024 orders illustrate the stakes:
- Evolve Bank & Trust received a cease and desist from the Federal Reserve for deficiencies in BSA/AML, OFAC, and fintech partnership oversight. New fintech partnerships now require prior regulatory approval.
- Customers Bank entered a written agreement with the Federal Reserve over BSA/AML, OFAC, and third-party relationship failures tied to its digital-asset strategy.
- Lineage Bank received an FDIC consent order requiring a written Third-Party Risk Management Program covering all direct and indirect fintech partners, plus a formal onboarding process before new partnerships could proceed.

Across all three cases, the common thread is vendor oversight — specifically, the absence of documented controls over fintech partners. Regulators aren't waiting for a consumer harm event; deficient third-party programs are themselves grounds for enforcement.
Where Assessments Fit in the Fintech Lifecycle
Supplier risk assessment is an embedded compliance function that runs throughout the vendor relationship, not just at signing:
- Pre-onboarding — before contracting a KYC vendor, payment processor, or core banking partner
- Periodic reviews — annually, or when material changes occur at the vendor
- In response to incidents — ownership changes, regulatory actions, or financial distress signals
For fintechs relying on sponsor bank relationships, documented third-party risk programs are frequently a prerequisite for partnership. Gaps in vendor oversight are a common reason fintech-bank partnerships stall during due diligence or get terminated after the fact.
Key Risk Categories in a Financial Services Supplier Risk Assessment
Financial Stability
Assess whether the vendor can sustain operations. The 2024 Synapse bankruptcy — which froze customer accounts across multiple partner banks — demonstrated what happens when a critical fintech middleware provider fails without warning.
Key indicators to review:
- Audited financial statements
- Credit ratings and payment history
- Concentration of revenue (single-client dependency signals fragility)
- Ownership structure and recent capital events
Regulatory Compliance and Legal Risk
Evaluate whether the vendor holds required licenses, maintains current certifications, and has a clean regulatory history. Applicable frameworks include BSA/AML, GDPR, CCPA, PCI-DSS, and SOC 2, depending on the vendor's role and geography.
A vendor's compliance failure can directly implicate your firm in a regulatory examination. This category carries high weight for payment processors, KYC providers, and any vendor touching regulated functions.
Cybersecurity and Data Protection
Any vendor with access to customer data or core systems is a potential attack vector. According to Verizon's 2025 Data Breach Investigations Report, third-party involvement in breaches doubled from 15% to 30% across all sectors.
Assess:
- Security certifications (ISO 27001, SOC 2 Type II)
- Data handling practices and access controls
- Incident response capabilities and breach notification procedures
- PCI-DSS compliance for payment vendors
Operational and Business Continuity Risk
For payment and financial infrastructure vendors, even brief outages carry financial and reputational consequences. Evaluate:
- Disaster recovery and business continuity plans
- Geographic concentration risk
- Single-source dependencies
- Historical uptime and SLA performance
Reputational and Ethical Risk
Review the following before onboarding any vendor:
- Labor practices and governance structure
- Sanctions exposure and AML track record
- Adverse media history across all jurisdictions
Association with a sanctioned or ethically compromised vendor can damage regulatory relationships and customer trust. Adverse media monitoring requires continuous tracking, not a one-time check at onboarding.
How to Conduct a Supplier Risk Assessment: A Step-by-Step Process
An effective supplier risk assessment follows a repeatable framework that scales across vendor types. For early-stage fintechs and crypto firms without a full-time CRO or BSA Officer, this process is typically designed and owned by fractional compliance leadership. Fraxtional's CCO, CRO, and BSA Officer engagements are built around exactly this work — producing assessments that hold up to auditor and sponsor bank scrutiny, not just internal review.
Step 1: Build and Segment Your Supplier Inventory
Compile a complete list of active and prospective vendors. For each, capture:
- Services provided and data access levels
- Contract terms and renewal dates
- Business criticality (what breaks if this vendor goes down?)
Segment vendors into tiers based on regulatory impact, operational dependency, and data sensitivity. Not every vendor warrants the same depth of review — a payroll provider and a sanctions screening tool require entirely different levels of assessment rigor.
Step 2: Prioritize by Risk Exposure
Rank vendors using a combination of criticality and inherent risk factors. Spend volume alone is a poor proxy for risk.
A low-spend KYC vendor with access to customer PII may carry more compliance risk than a high-spend office supply vendor. Build your tiering model around:
- Regulatory touchpoints (does this vendor touch AML, KYC, or payment rails?)
- Geographic risk (offshore vendors in high-risk jurisdictions)
- Data access and sensitivity
- Dependency depth (can operations continue if this vendor fails?)

Step 3: Collect and Verify Supplier Data
Gather information through structured questionnaires, financial disclosures, third-party audit reports, regulatory filings, and reference checks.
Self-reported data must be corroborated — unverified self-assessments won't hold up with regulators or sponsor banks. Independent verification sources include:
- Regulatory databases and enforcement action records
- Sanctions screening results (OFAC, UN, EU lists)
- Certification records (SOC 2 reports, ISO certificates)
- Public financial disclosures
Step 4: Score and Rank Risk Findings
Apply a consistent scoring framework that weighs both inherent risk (industry, geography, data access) and performance risk (the vendor's actual controls and track record).
Convert findings into actionable risk tiers:
| Risk Tier | Response |
|---|---|
| Low | Standard monitoring cycle |
| Moderate | Proactive engagement, enhanced questionnaire |
| High | Immediate remediation required |
| Critical | Escalate to leadership; consider contingency sourcing |
A risk matrix makes findings easier to communicate to leadership and sponsor banks during reviews.
Step 5: Implement Corrective Action Plans and Ongoing Monitoring
For vendors with identified gaps, establish corrective action plans with defined remediation timelines, KPIs, and named accountability. Vague recommendations collapse under regulatory scrutiny — accountability has to be specific and documented.
Critical vendors also need continuous monitoring between formal review cycles, not just point-in-time snapshots:
- News and adverse media alerts
- Sanctions list updates
- Financial distress signals (credit downgrades, late filings, leadership changes)
- Regulatory action monitoring
Continuous monitoring is where most programs fail — the vendor that passed last year's review may have a new enforcement action, a leadership departure, or a deteriorating financial profile today. Catching those signals between review cycles is the difference between a paper program and one that actually manages risk.
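To make Steps 2 through 5 concrete, the following is an added Python example, not code from the original article or from Fraxtional. It scores a small constructed vendor inventory on the Step 2 factors (regulatory touchpoints, geography, data access, dependency depth) plus a performance component, maps the score to the article's four risk tiers and responses, and decides whether a reassessment is due. The factor weights, tier thresholds, sample vendor records, the treatment of unverified self-reporting as a scored risk, and the two-year cycle assumed for Low/Moderate vendors are all illustrative assumptions; only the annual minimum for critical vendors and the tier-to-response table come from the article.

```python
"""Added example: weighted vendor risk scoring and reassessment triggers.

Constructed for illustration; weights, thresholds and sample vendors are
assumptions, not a published methodology.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Touchpoints the article singles out as regulated functions (assumed set).
REGULATED_TOUCHPOINTS = {"AML", "KYC", "payments", "core banking"}
# Material events the article names as triggers for immediate reassessment.
MATERIAL_EVENTS = {"ownership change", "regulatory action", "financial distress"}


@dataclass
class Vendor:
    name: str
    annual_spend: float                    # recorded, but deliberately NOT a scoring input
    touchpoints: set = field(default_factory=set)
    high_risk_jurisdiction: bool = False
    data_sensitivity: int = 0              # 0 none, 1 internal data, 2 customer PII / card data
    dependency_depth: int = 0              # 0 replaceable, 1 degraded ops, 2 operations stop
    open_findings: int = 0                 # findings from verified evidence (audit exceptions etc.)
    independently_verified: bool = False   # corroborated beyond the self-reported questionnaire
    last_review: date = date(2000, 1, 1)


def inherent_risk(v: Vendor) -> int:
    """Step 2 factors: regulated touchpoints, geography, data access, dependency (0-16)."""
    touch = 2 * min(len(v.touchpoints & REGULATED_TOUCHPOINTS), 3)
    geo = 2 if v.high_risk_jurisdiction else 0
    return touch + geo + 2 * v.data_sensitivity + 2 * v.dependency_depth


def performance_risk(v: Vendor) -> int:
    """Steps 3-4: the vendor's actual controls and track record (0-11).

    Unverified self-assessment is itself scored as risk (assumed weight 3),
    so 'the vendor told us they were compliant' never lowers the score.
    """
    findings = 2 * min(v.open_findings, 4)
    unverified = 0 if v.independently_verified else 3
    return findings + unverified


def risk_score(v: Vendor) -> int:
    return inherent_risk(v) + performance_risk(v)


# Assumed thresholds: score < 6 Low, < 12 Moderate, < 18 High, otherwise Critical.
TIER_BOUNDS = ((6, "Low"), (12, "Moderate"), (18, "High"))
# Responses per tier, as given in the article's risk-tier table.
RESPONSE = {
    "Low": "Standard monitoring cycle",
    "Moderate": "Proactive engagement, enhanced questionnaire",
    "High": "Immediate remediation required",
    "Critical": "Escalate to leadership; consider contingency sourcing",
}


def tier(score: int) -> str:
    for upper, name in TIER_BOUNDS:
        if score < upper:
            return name
    return "Critical"


def reassessment_due(v: Vendor, today: date, events=()) -> bool:
    """Step 5: material events trigger review for every tier; High/Critical
    vendors get an annual minimum; lower tiers an assumed two-year cycle."""
    if MATERIAL_EVENTS & set(events):
        return True
    cycle_days = 365 if tier(risk_score(v)) in ("High", "Critical") else 730
    return today - v.last_review >= timedelta(days=cycle_days)


def assess(vendors):
    """Rank the inventory by score, highest exposure first."""
    rows = [{"vendor": v.name, "score": risk_score(v), "tier": tier(risk_score(v)),
             "response": RESPONSE[tier(risk_score(v))]} for v in vendors]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory: note the high-spend office supplier versus the
# low-spend KYC provider, the article's point that spend is a poor risk proxy.
SAMPLE_VENDORS = [
    Vendor("OfficeSupplyCo", 250_000, last_review=date(2024, 3, 1)),
    Vendor("KYCProvider", 30_000, {"KYC", "AML"}, False, 2, 2, 1, True, date(2024, 3, 1)),
    Vendor("OffshorePayments", 500_000, {"payments"}, True, 2, 2, 3, False, date(2024, 9, 1)),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for row in assess(SAMPLE_VENDORS):
        print(f"{row['vendor']:18} score={row['score']:2} {row['tier']:8} -> {row['response']}")
    for v in SAMPLE_VENDORS:
        print(f"{v.name:18} reassessment due: {reassessment_due(v, today)}")
```

Run as-is it prints the ranked inventory and the reassessment flags for the constructed date. The KYC provider, at an eighth of the office supplier's spend, lands in the High tier on touchpoints, data access and dependency alone, while the unverified offshore processor is Critical. Passing `events=["ownership change"]` to `reassessment_due` forces a review regardless of how recent the last one was, which is the event-driven trigger the article calls for.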

Common Mistakes in Supplier Risk Assessment
Treating It as a One-Time Onboarding Checkbox
Many fintech teams conduct an initial assessment but never build a reassessment cycle. Vendors change: ownership shifts, licenses lapse, regulatory sanctions land, and financial conditions deteriorate. The 2023 interagency guidance and the 2024 community bank guide both explicitly require ongoing monitoring — not just pre-onboarding review.
Relying Solely on Self-Reported Questionnaires
Vendors naturally present their best face in self-assessments. Without independent verification through audit reports, regulatory records, or third-party databases, the assessment creates a false sense of assurance. When regulators or sponsor banks request evidence of due diligence, "the vendor told us they were compliant" is not a defensible answer.
Failing to Weight Risk by Regulatory Relevance
Not all vendor risks carry equal weight. A cybersecurity gap in a payment processor is far more material than the same gap in a marketing vendor.
Assessments that apply a uniform checklist to every supplier miss the differentiated regulatory exposure that examiners focus on. The practical cost: limited compliance team resources get spent on low-priority reviews while high-stakes vendors go under-scrutinized. A tiered approach addresses this directly:
- Flag critical vendors (payment processors, KYC providers, core banking integrations) for full-scope reviews
- Apply streamlined reviews to low-exposure vendors with minimal regulatory touchpoints
- Reassign review frequency based on vendor risk tier, not just onboarding date
Frequently Asked Questions
What are the 5 criteria to evaluate suppliers?
The five core evaluation criteria are financial stability, operational reliability, regulatory and legal compliance, cybersecurity posture, and reputational or ethical standing. In financial services, compliance and cybersecurity criteria typically carry the highest weight given the direct link to regulatory exposure.
How often should a supplier risk assessment be conducted?
Critical and high-risk vendors should be assessed annually at minimum. Immediate reassessment should be triggered by material events such as ownership changes, regulatory actions, or financial distress signals. Continuous monitoring should supplement — not replace — formal review cycles.
What regulatory requirements apply to supplier risk assessments for fintech companies?
Key frameworks include the 2023 FFIEC/OCC/FDIC interagency guidance (US), FCA outsourcing rules (UK), and DORA — applicable from January 17, 2025 — which imposes binding ICT third-party risk requirements across the EU. Fintechs operating across jurisdictions should align to the most demanding applicable standard.
What's the difference between a supplier risk assessment and a vendor risk assessment?
Vendor risk assessments typically focus on cybersecurity and data privacy. Supplier risk assessments cover a broader scope including financial stability, operational continuity, regulatory compliance, and ethical exposure. Both programs often run in parallel for regulated financial entities.
Which suppliers should fintech companies prioritize for risk assessment?
Prioritize vendors with access to customer data, payment infrastructure, or regulated functions such as KYC and AML screening, plus any vendors required by sponsor bank agreements. Operational criticality and regulatory touchpoints should drive prioritization — not spend volume alone.
What should a fintech do when a critical vendor fails a risk assessment?
Response options range from issuing a corrective action plan with defined remediation timelines, to increasing monitoring frequency, activating a contingency supplier, or beginning offboarding. Where continued use creates unacceptable AML, sanctions, or data security exposure, escalation to leadership and sponsor bank notification may be required.