OCC third-party risk for sponsor banks: evidence across every partner
The interagency guidance treats a fintech partnership as a lifecycle, and each stage is expected to leave evidence. The stages at the front are filed once. The one in the middle, ongoing monitoring, runs for years and is where exams concentrate. Here is how to keep that evidence in one place.
The lifecycle, and where the evidence lives
The 2023 interagency guidance on third-party relationships, issued by the OCC, the Federal Reserve, and the FDIC, sets out a lifecycle: planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination. Each stage is expected to produce evidence a supervisor can review. For a sponsor bank, a fintech partner program is a third-party relationship that runs through every one of those stages.
Due diligence and contracting are point-in-time and relatively easy to file. The stage that strains a program is ongoing monitoring, because it runs for the life of the relationship, spans every product the partner operates and every vendor in the flow, and is the area examiners probe hardest. It is also where the evidence is most fragmented.
Ongoing monitoring is a continuous-evidence problem
Monitoring a fintech partner means tracking, throughout the relationship, the signals that change after onboarding: OFAC and public-list movements, ownership and registered-agent changes, complaint and dispute drift, and the partner's end-customer decisions across products. When those signals sit in different vendor consoles per product, demonstrating that monitoring happened, continuously, across everything the partner runs, becomes an assembly job at exam time.
One record per partner and end-customer
FinQub is the single source of truth for fintech risk decisions. It lands every signal from every vendor on one record per Subject, partner or end-customer, with the decision it informed and the policy version that applied.
Monitoring evidence accumulates in one place. Every post-onboarding signal lands on the partner or end-customer record as it arrives, so ongoing monitoring is a continuous trail rather than a quarterly reconstruction.
The exam response is a query. Because every decision is pinned to its policy version, the supervisor's question, what did you know and when, under which policy, is one query and a signed export per Subject.
A checklist for the monitoring stage
- Keep monitoring evidence for each partner on one record, across every product they run.
- Capture post-onboarding changes as they arrive, not in a periodic batch.
- Attach each oversight decision, its rationale, and its decider to the evidence.
- Pin every decision to the policy version in force, so the look-back is point in time.
- Confirm you can produce the monitoring trail for any partner or end-customer on one query.
Frequently asked questions
What does the third-party risk guidance cover?
The 2023 interagency guidance from the OCC, Federal Reserve, and FDIC frames a third-party relationship as a lifecycle: planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination. For a sponsor bank, a fintech partner program runs through all of those stages, and each one is expected to produce evidence.
Which stage is hardest to evidence?
Ongoing monitoring. Due diligence and contracting happen once and are easy to file. Monitoring runs for the life of the relationship, across every product the partner operates and every vendor in the flow, and it is the stage examiners probe most. It is also where the evidence is most scattered.
Does FinQub run our third-party risk program?
No. Your program, governance, and decisions stay with you. FinQub is the record the monitoring evidence lands on: every partner and end-customer signal, every decision and its rationale, every policy version, on one record per Subject. That turns the ongoing-monitoring stage and the exam response into a query rather than a reconstruction.
The third-party risk record runs on your own vendor stack. FinQub is the single source of truth for fintech risk decisions beneath it. See the continuous-monitoring approach in full, or book a short walkthrough below.