Case Study 12.2: Third-Party Risk in Practice — Rafael's Cloud Vendor Assessment

The Situation

Organization: Meridian Capital (fictional US broker-dealer)
Rafael's challenge: Evaluating and remediating third-party risk across Meridian's RegTech vendor portfolio following new OCC/Fed/FDIC interagency guidance
Timeline: 2023
Trigger: The January 2023 issuance of interagency guidance on third-party relationships, and a parallel broker-dealer supervision letter from FINRA requesting information on outsourcing arrangements


Background: Meridian's Vendor Landscape

By 2023, Meridian Capital had transitioned significant compliance and risk functions to third-party technology providers. The vendor landscape had grown organically:

Function                   | Vendor                            | Delivery Model       | Annual Contract Value
AML transaction monitoring | RegTech vendor A                  | SaaS (AWS-hosted)    | $385,000
Sanctions screening        | RegTech vendor B                  | API (GCP-hosted)     | $120,000
KYC/identity verification  | RegTech vendor C                  | SaaS (Azure-hosted)  | $220,000
Trade surveillance         | RegTech vendor D                  | On-premises software | $510,000
Regulatory reporting       | In-house (with vendor data feeds) | Hybrid               | N/A
Core trading platform      | Vendor E                          | Co-located servers   | $1.2M

Total external technology spend for compliance and risk functions: approximately $2.4M annually.

The interagency guidance distinguishes two tiers of third-party relationship: critical (failure would materially impair important functions) and non-critical (significant but manageable impact). Rafael used the guidance's criteria to classify each vendor.


The Criticality Assessment

Rafael's classification:

Critical:
- Vendor A (AML transaction monitoring): critical — failure stops SAR filing capability
- Vendor B (Sanctions screening): critical — failure stops payment processing (real-time screening integration)
- Vendor E (Core trading platform): critical — failure stops all trading operations

Non-critical (with management):
- Vendor C (KYC): non-critical — onboarding delays are manageable; existing customer relationships unaffected
- Vendor D (Trade surveillance): non-critical with enhanced monitoring — failure creates regulatory risk but not immediate operational failure; alerts can be reviewed retrospectively


The Due Diligence Gap Analysis

For each critical vendor, Rafael assessed the current state of due diligence against the interagency guidance's requirements:

Pre-contract due diligence: Had been conducted at contract signing but not refreshed. Vendor A's contract was three years old; Vendor B's two years old. Neither had been re-assessed following the interagency guidance.

Ongoing monitoring: Vendor A's service was reviewed quarterly through SLA reports. Vendor B's API performance was monitored through automated alerting. Neither had been subject to security due diligence since onboarding.

Contractual provisions: All contracts pre-dated the 2023 interagency guidance and were missing several required elements:
- No audit rights for Rafael's team to assess vendor controls directly
- No sub-contracting notification requirement
- No data incident notification timelines (Vendor A's contract specified notification "within a reasonable time" — not a specific number of hours)
- No exit assistance provision

Exit planning: No formal exit strategy existed for any vendor. Rafael had no documented plan for transitioning to an alternative AML monitoring vendor if Vendor A became unavailable.


The Remediation Program

Rafael developed a six-month remediation program:

Month 1–2: Contract Remediation

Rafael's legal team identified the required contractual changes for the two critical SaaS vendors (A and B):
1. Audit rights: institution's right to conduct or commission security assessments of the vendor
2. Sub-contracting: vendor must notify Meridian of any changes to its own sub-contractor relationships affecting the contracted service
3. Incident notification: data incidents and service disruptions must be notified within 4 hours for critical incidents, 24 hours for significant incidents
4. Exit assistance: upon contract termination, vendor must provide a minimum 6-month transition period with full data export and process documentation
5. Data residency: data must remain within specified jurisdictions (US for Vendor A/B)
6. Business continuity: vendor must maintain documented DR/BCP for the contracted service with an RTO consistent with Meridian's impact tolerance

Negotiation outcome:
- Vendor A: accepted all six provisions after two rounds of negotiation; minor amendments to exit assistance timeline (9 months rather than 6)
- Vendor B: accepted audit rights, incident notification, and data residency; declined to add sub-contracting notification; exit assistance was limited to 90 days and data export only (not full process documentation)

Vendor B's resistance to sub-contracting notification was particularly concerning: Vendor B used three sub-contractors for its API infrastructure. Rafael's legal team assessed the residual risk, recorded it as a contractual gap, and added it to the annual third-party risk report.

Month 3–4: Security Due Diligence

Rafael commissioned security assessments for Vendors A and B:
- SOC 2 Type II review: Both vendors provided recent SOC 2 Type II reports. Vendor A: no exceptions. Vendor B: one exception (patch management latency) — noted in the assessment.
- Penetration testing: Neither vendor consented to Meridian-specific penetration testing (a standard exclusion in SaaS contracts). Rafael accepted this limitation — it was consistent with vendor industry practice for multi-tenant SaaS.
- Security questionnaire: A detailed security questionnaire (based on the Cloud Security Alliance CAIQ) was completed by both vendors. No material gaps were identified for Vendor A. Vendor B had gaps in MFA enforcement for admin access — flagged as a remediation requirement.

Month 5: Exit Planning

For Vendor A (AML monitoring), Rafael developed a formal exit strategy:

Trigger events: Vendor A insolvency, regulatory enforcement against Vendor A, prolonged service outage (> 72 hours), unacceptable security event, acquisition by a competitor.

Pre-exit preparation: Maintain a parallel capability — a simplified rule-based monitoring system using Meridian's internal transaction data, capable of detecting the highest-priority typologies (structuring, OFAC-adjacent patterns) if Vendor A becomes unavailable.
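The fallback capability described above, as an added illustration that is not part of the case study and not Meridian's or any vendor's code: a minimal rule-based structuring detector in Python, run over a constructed transaction sample. The $10,000 reporting threshold, the $3,000 floor below which cash items are ignored, the seven-day rolling window, the two-item minimum and the CSV-style input layout are all assumptions chosen for this example.

```python
"""Simplified rule-based structuring detector (added example; hypothetical,
not Meridian's or any vendor's code).

Rule: a customer whose cash transactions are each below the reporting
threshold but, within a rolling window, add up to more than the threshold
is flagged for analyst review. Threshold, floor, window and minimum count
are assumptions chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000.00   # assumed currency transaction report threshold
MIN_AMOUNT = 3_000.00       # assumed floor: smaller cash items are ignored by this rule
WINDOW = timedelta(days=7)  # assumed rolling window
MIN_COUNT = 2               # assumed minimum number of sub-threshold items in a cluster

# Constructed sample input: customer_id,ISO timestamp,amount,cash(Y/N)
SAMPLE_TRANSACTIONS = """
C-100,2023-06-01T10:15:00,9500.00,Y
C-100,2023-06-02T11:00:00,9400.00,Y
C-100,2023-06-03T09:45:00,9600.00,Y
C-100,2023-06-20T09:45:00,9900.00,Y
C-200,2023-06-01T10:15:00,9500.00,Y
C-200,2023-06-15T10:15:00,9500.00,Y
C-200,2023-06-29T10:15:00,9500.00,Y
C-300,2023-06-01T10:15:00,9500.00,N
C-300,2023-06-02T10:15:00,9500.00,N
C-400,2023-06-03T10:15:00,12000.00,Y
C-500,2023-06-05T10:15:00,4000.00,Y
C-500,2023-06-09T10:15:00,4500.00,Y
C-500,2023-06-10T10:15:00,2000.00,Y
""".strip().splitlines()


def parse_transactions(lines):
    """Parse CSV-style lines into dicts; blank lines and '#' comments are skipped."""
    txns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        customer, ts, amount, cash = line.split(",")
        txns.append({
            "customer": customer,
            "ts": datetime.fromisoformat(ts),
            "amount": float(amount),
            "cash": cash.strip().upper() == "Y",
        })
    return txns


def detect_structuring(txns, threshold=CTR_THRESHOLD, floor=MIN_AMOUNT,
                       window=WINDOW, min_count=MIN_COUNT):
    """Return one alert per customer whose sub-threshold cash items, within
    some rolling window, number at least min_count and sum above threshold.
    The alert reports the highest-aggregate cluster found for that customer."""
    candidates = defaultdict(list)
    for t in txns:
        # Only cash items in the band [floor, threshold) count toward the rule;
        # items at or above the threshold are reportable on their own.
        if t["cash"] and floor <= t["amount"] < threshold:
            candidates[t["customer"]].append(t)

    alerts = []
    for customer, items in candidates.items():
        items.sort(key=lambda t: t["ts"])
        start, best = 0, None
        for end in range(len(items)):
            # Slide the window start forward until the cluster fits in the window.
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1
            cluster = items[start:end + 1]
            total = sum(t["amount"] for t in cluster)
            if len(cluster) >= min_count and total > threshold:
                if best is None or total > best["total"]:
                    best = {
                        "customer": customer,
                        "count": len(cluster),
                        "total": round(total, 2),
                        "first": cluster[0]["ts"].isoformat(),
                        "last": cluster[-1]["ts"].isoformat(),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


def run_fallback(lines=SAMPLE_TRANSACTIONS):
    """Run the rule over the sample and return the alert list."""
    return detect_structuring(parse_transactions(lines))


if __name__ == "__main__":
    for alert in run_fallback():
        print(alert)
```

In the constructed sample only C-100 is flagged: its three cash deposits between 1 and 3 June are each under the threshold but sum to $28,500. C-200's deposits are too far apart, C-300's are non-cash, C-400's single $12,000 item is above the threshold and would be reported directly, and C-500's two in-band items sum to less than the threshold (its $2,000 item falls below the floor). The detector produces review alerts, not filing decisions; the fallback only covers the typologies the rule encodes, which is exactly the degradation the exit plan has to document.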

Transition path: Two alternative vendors were evaluated for AML monitoring — Vendors F and G. Implementation timeline for either: 90–120 days. Data migration: transaction history data must be migrated in OFAC and BSA-compliant formats.

Documentation requirement: Annual review of exit plan; alternative vendor evaluations refreshed every two years.

Month 6: Ongoing Monitoring Framework

Rafael established a quarterly vendor review process for all critical vendors:
- SLA performance review (response time, availability, incident history)
- Security update review (new CVEs affecting vendor's technology stack, vendor's patch schedule)
- Financial health review (for private vendors: annual review of financial statements or Dun & Bradstreet report)
- Regulatory landscape review (is the vendor subject to any new regulatory requirements that could affect the service?)

An annual review included: SOC 2 Type II refreshed, security questionnaire updated, contract reviewed for required provisions, exit plan updated.


FINRA's Information Request

In parallel with the remediation program, Rafael responded to FINRA's information request on outsourcing arrangements. FINRA's letter requested:

  1. A list of all third-party technology services material to the firm's regulatory compliance functions
  2. For each: description of the service, criticality assessment, contractual provisions, monitoring approach
  3. Description of the firm's exit strategy for each critical vendor

Rafael submitted a 28-page response with the vendor inventory, criticality assessments, and remediation timeline. The response was straightforward because Rafael had just completed the internal assessment.

FINRA's response: acknowledgment of receipt, no follow-up action. "The submission demonstrates an adequate assessment of third-party risks and a credible remediation timeline."


The Cost of Remediation

Rafael's post-project cost analysis:

Activity                                              | Estimated Cost
Legal review and contract renegotiation               | $85,000
Security assessments (SOC 2 review + questionnaires)  | $22,000
Exit strategy development                             | $35,000 (internal + consultant time)
Simplified fallback AML system development            | $48,000
Ongoing monitoring framework (first year)             | $15,000
Total remediation                                     | $205,000

Rafael's reflection: "If I had included third-party risk provisions in the original contracts three years ago, the renegotiation cost would have been near zero — these are standard provisions that vendors will accept at contract signing more readily than at contract renewal. The lesson is to get the governance right upfront."


Discussion Questions

1. Vendor B declined to add sub-contracting notification to the contract. Rafael noted this as a gap and continued the relationship. Under the 2023 interagency guidance, is this an acceptable approach? What additional compensating controls could Meridian implement to mitigate the gap?

2. The remediation cost was estimated at $205,000. Rafael's annual contract value with Vendors A and B is approximately $505,000. The remediation cost represents approximately 40% of one year's contract value for two vendors. What is the appropriate way to think about this cost — is it a one-time investment that protects against operational risk losses, or should it have been built into the original vendor selection and contracting process?

3. Rafael's exit strategy for Vendor A involved developing a simplified rule-based fallback monitoring system. This fallback system can detect the highest-priority typologies but not the full scenario library. What are the regulatory implications of operating on a degraded fallback monitoring system? What would the institution need to document to demonstrate adequate AML compliance during a period when the primary system is unavailable?

4. Vendor A's SOC 2 Type II report had no exceptions while Vendor B had one (patch management latency). Explain the significance of SOC 2 Type II exceptions: does a SOC 2 exception mean the vendor's controls are inadequate, or is further analysis needed?

5. The interagency guidance was issued in January 2023. Rafael's remediation program was complete by the end of 2023 — 12 months later. For a broker-dealer being examined by FINRA or the SEC, is a 12-month remediation timeline acceptable? What timeline would regulators likely expect for completing third-party risk remediation following the issuance of new guidance?