The interagency guidance reads like consolidation. Three things change in practice for banks under $50B — most of them aren't what the headlines say.
May 2026 · 7 minute read · Finance · TPRM
The 2023 interagency guidance on third-party relationships (jointly issued by the OCC, FRB, and FDIC, commonly cited as SR 23-4) reads on first pass as a consolidation exercise — three agencies finally agreeing on one TPRM playbook. That framing is correct but incomplete. For community and midsize banks specifically, three things actually change in practice. They aren't the items getting most attention.
The guidance doesn't use the word "continuous" prominently, but the language around "ongoing monitoring proportional to risk" is materially stronger than the 2013 OCC bulletin it replaces. Examiners are reading this as: for your most critical vendors — core processors, key cloud infrastructure, FedLine and SWIFT connectivity, primary cyber tools — you need real-time or near-real-time signal on financial health, cyber posture, and operational status. The annual questionnaire is no longer sufficient evidence.
What to do: integrate at least one external signal feed (cyber rating, financial health score, SOC 2 status) into your monitoring layer for Tier-1 vendors. Examiners will ask. "We're considering it" is not the answer.
The guidance is explicit that banks remain responsible for the risk introduced by their vendors' subcontractors. Most community-bank TPRM programs don't capture this layer at all. The first AWS outage that takes down three of your critical vendors simultaneously will be a board-level conversation about why your concentration analytics didn't surface this.
What to do: extend your vendor inventory to capture at least the cloud / infrastructure tier of sub-processors for Tier-1 and Tier-2 vendors. Tools exist; this isn't a build-from-scratch problem.
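As an added illustration (not code from the article or from any vendor tool), the concentration analytic the previous paragraph describes, run over a constructed vendor inventory: vendor names, tiers and sub-processors are hypothetical, and the check simply asks which infrastructure sub-processor is shared by several critical vendors and which critical vendors have no sub-processor captured at all.

```python
# Added example, not from the original article. Inventory values are constructed.
from collections import defaultdict

# Constructed inventory: vendor -> (risk tier, set of infrastructure sub-processors).
# An empty set means the bank has not yet captured that vendor's sub-processor layer.
INVENTORY = {
    "CoreProcessorCo":  (1, {"AWS us-east-1"}),
    "OnlineBankingInc": (1, {"AWS us-east-1", "Cloudflare"}),
    "FraudToolLtd":     (1, {"AWS us-east-1"}),
    "WireGatewayLLC":   (1, {"Azure eastus"}),
    "CheckImagingCo":   (2, set()),
    "HRPayrollCo":      (3, {"AWS us-east-1"}),   # Tier 3: excluded from the critical view
    "MarketingSaaS":    (3, {"GCP us-central1"}),
}


def concentration_by_subprocessor(inventory, max_tier=2):
    """Map each sub-processor to the Tier-1/Tier-2 vendors that depend on it."""
    dependents = defaultdict(set)
    for vendor, (tier, subs) in inventory.items():
        if tier <= max_tier:
            for sub in subs:
                dependents[sub].add(vendor)
    return dict(dependents)


def single_points_of_failure(inventory, threshold=2, max_tier=2):
    """Sub-processors whose outage would hit `threshold` or more critical vendors at once."""
    conc = concentration_by_subprocessor(inventory, max_tier)
    return sorted((sub, sorted(vs)) for sub, vs in conc.items() if len(vs) >= threshold)


def unmapped_critical_vendors(inventory, max_tier=2):
    """Critical vendors with no sub-processor recorded: the gap the guidance targets."""
    return sorted(v for v, (tier, subs) in inventory.items() if tier <= max_tier and not subs)


if __name__ == "__main__":
    for sub, vendors in single_points_of_failure(INVENTORY):
        print(f"Concentration: {sub} underpins {len(vendors)} critical vendors: {vendors}")
    for vendor in unmapped_critical_vendors(INVENTORY):
        print(f"No sub-processor captured for critical vendor: {vendor}")
```

Swapping in the bank's real inventory export is the only change needed; the two findings are the ones a board would ask about after the outage the paragraph describes.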
For each critical vendor relationship, examiners now expect documented exit strategies — what would you do, how long would it take, what would it cost — not as a planning fiction but as something you could execute if the vendor failed or pulled out. Most community banks have nothing on this for their core processor relationships.
What to do: a one-page exit playbook for each Tier-1 vendor. Doesn't have to be exhaustive; has to exist.
The "risk-based" language in the guidance is being read by some consultants as a mandate to re-tier every vendor relationship from scratch. It isn't. If your existing tiering reflects real risk and you can defend it, the guidance doesn't require a rebuild — it requires you to evidence that the depth of diligence and monitoring is proportional to the tier you've assigned.
— Written from active TPRM engagements across regional and community banks in 2025–2026.
We've run TPRM rebuilds at this exact bank scale. Start with a 60-minute conversation.