The OCC, Federal Reserve, and FDIC unified third-party risk management under a single interagency standard on June 6, 2023. Three years later, examiners are in their third cycle of measuring against that standard. The NCUA put vendor management and oversight on its named 2026 supervisory priorities list. Yet most banks, credit unions, and mortgage companies still treat fintech vendor due diligence as a procurement checklist instead of a documented examination-ready program.
That gap is the single fastest way to turn a routine vendor sign-up into an exam finding. Below is what your tech due diligence program needs to cover in 2026, why mortgage companies and community financial institutions face the steepest path, and how a Tier-1 Microsoft Cloud Solution Provider closes the most common gaps before they hit your next examination.
What examiners expect from your fintech vendor program in 2026
- A documented, risk-based vendor program aligned with OCC Bulletin 2023-17, FRB SR 23-4, FDIC FIL-29-2023, and NCUA LTCU 01-CU-20 / 07-CU-13.
- Pre-engagement due diligence covering operational, cyber, compliance, BSA/AML, and reputation risk for every fintech relationship.
- Contracts with audit rights, data protection clauses, breach notification timelines, and exit strategies that survive vendor failure.
- Ongoing monitoring via SOC 2 review, Microsoft Defender for Cloud Apps risk profiling, and Microsoft Sentinel telemetry on every API integration.
In This Article
- What Vendor Tech Due Diligence Looks Like When You Are the Buyer
- Why Banks, Credit Unions, and Mortgage Companies Face the Hardest Diligence Path
- Six Red Flags Examiners Want You to Catch
- How a Tier-1 Microsoft CSP Strengthens Your Vendor Review Program
- The 2026 Vendor Tech Due Diligence Checklist
- Turn Diligence Into a Competitive Edge
- Frequently Asked Questions
What Vendor Tech Due Diligence Looks Like When You Are the Buyer
Technical due diligence used to be a venture capital concept. Investors examined a fintech's security posture before they wrote a check. In 2026 the same examination happens in reverse: every bank, credit union, and mortgage company that signs a fintech vendor agreement is now expected by federal and state examiners to perform comparable scrutiny before any production data touches that vendor.
The regulatory drivers are no longer scattered. Three federal banking agencies aligned in 2023 on a single standard. The NCUA pointed credit unions back to the same baseline. Section 1033 sits paused but does not change vendor diligence obligations. State frameworks layer on top.
For a community bank running on Microsoft 365 with a fintech LOS, an account-opening API, and a fraud screening provider stacked on top, vendor diligence is no longer a six-week project before contract signature. It is a continuous control covering pre-engagement risk assessment, contract structure, ongoing monitoring, and a tested exit plan. Examiners now expect to see all four documented, not just the first one.
Why Banks, Credit Unions, and Mortgage Companies Face the Hardest Diligence Path
A payments startup worries about PCI-DSS. A health-tech vendor worries about HIPAA. A bank, credit union, or mortgage company runs under all of these and a stack of financial-services frameworks that no other industry vertical has to reconcile in parallel.
Interagency third-party risk guidance applies the same standard across three agencies. The OCC, Federal Reserve, and FDIC published joint guidance on June 6 and 7, 2023, that replaced ten years of agency-specific direction (including the long-cited OCC Bulletin 2013-29). The guidance covers the full vendor relationship lifecycle: planning, risk assessment, due diligence, contract negotiation, ongoing monitoring, and termination. It applies whether the institution is a national bank, a state member bank, or an FDIC-insured community bank. There is no longer a meaningful gap between regulators on what the program must contain.
The NCUA reaffirmed the same baseline for credit unions. Letters to Credit Unions 01-CU-20 (Due Diligence Over Third Party Service Providers) and 07-CU-13 (Evaluating Third Party Relationships) remain the controlling framework. The NCUA's 2026 Supervisory Priorities explicitly named third-party risk management practices for outsourced lending, servicing, and collections functions as a named examination focus, alongside vendor management and oversight for payment ecosystems. Examiners in 2026 are not asking whether a credit union has a vendor program. They are asking how the program documents risk-based decisions.
Mortgage companies inherit every overlay. A nonbank mortgage company that licenses across all 50 states answers to the CFPB on disclosure timing and fair lending, FHA and VA on government-loan eligibility, GSE seller-servicer guides, state regulators on licensing and net worth, and now FHFA AI vendor-risk expectations on top. The diligence package must satisfy every overlapping reviewer. A Tier-1 Microsoft Cloud Solution Provider that already understands these mortgage-company overlays is materially faster to bring to readiness than a generalist managed service provider.
Section 1033 changed how data sharing decisions get reviewed. The CFPB's October 2024 Personal Financial Data Rights rule (the open banking rule) was paused. On August 22, 2025, the CFPB issued an Advance Notice of Proposed Rulemaking to reconsider it. On October 29, 2025, the Eastern District of Kentucky enjoined CFPB enforcement while reconsideration proceeds (Forcht Bank v. CFPB). What did not pause: every aggregator API token, every consumer-permissioned data flow, and every fintech that already integrated against the original schedule. The vendor diligence program now needs to document why a paused federal rule does not change the institution's API exposure today.
Section 1033 status, as of May 2026
The 2024 CFPB Personal Financial Data Rights rule is currently enjoined and under reconsideration. The original compliance schedule is not actively enforceable. Existing aggregator integrations, consumer-permissioned data flows, and fintech APIs that took on production data under the original schedule still operate. Vendor due diligence cannot wait for the rewrite. Existing exposure is the issue, not the future rule.
Six Red Flags Examiners Want You to Catch
The patterns below are the most frequently cited gaps in vendor diligence findings across federal and state exam programs. Each one is a finding that maps directly to an OCC 2023-17 or NCUA 01-CU-20 expectation.
1. Missing or Outdated SOC 2 Type 2 Attestations
A SOC 2 Type 2 report covering at least six months of operating effectiveness is the baseline. Bridge letters cover the gap between the report period and today. Fintechs that hand over a SOC 2 Type 1 (point-in-time), an expired Type 2, or a parent-company SOC 2 that does not cover the product in scope fail the threshold. The diligence file should record what report was reviewed, the period of coverage, the auditor, and which Common Criteria and Additional Criteria were tested.
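The attestation check described above can be written down as a small validation routine so the diligence file records the same four facts every time. The following Python is an added example, not code from ABT or from the original article; the six-month minimum and the bridge-letter rule come from the text, while the one-year staleness limit, the sample reports, the review date and the product name are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds from the red-flag description above: at least six months of
# operating effectiveness, and a bridge letter closing the gap to today.
MIN_PERIOD_DAYS = 182
# Assumption for this example: a report whose period ended over a year ago is
# treated as expired for diligence purposes.
MAX_STALENESS_DAYS = 365


@dataclass
class Soc2Report:
    report_type: int               # 1 = design at a point in time, 2 = operating effectiveness
    period_start: date
    period_end: date
    auditor: str
    systems_in_scope: tuple        # products named in the report's system description
    criteria_tested: tuple         # Trust Services Criteria covered, e.g. "Security"
    bridge_letter_through: Optional[date] = None   # last date a bridge letter covers


def assess_soc2(report: Soc2Report, product: str, as_of: date):
    """Return (meets_threshold, findings) for one vendor attestation package."""
    findings = []
    if report.report_type != 2:
        findings.append("Type 1 report: design only, operating effectiveness not tested")
    period_days = (report.period_end - report.period_start).days
    if period_days < MIN_PERIOD_DAYS:
        findings.append(f"coverage period is {period_days} days; at least {MIN_PERIOD_DAYS} required")
    if product not in report.systems_in_scope:
        findings.append(f"product '{product}' is not in the report's system scope")
    # Coverage ends at the bridge letter date if one exists, else at the period end.
    covered_through = report.bridge_letter_through or report.period_end
    gap_days = (as_of - covered_through).days
    if gap_days > 0:
        findings.append(f"{gap_days}-day gap between end of coverage and review date; bridge letter needed")
    if (as_of - report.period_end).days > MAX_STALENESS_DAYS:
        findings.append("report period ended more than a year ago; treated as expired")
    # The Security category is the SOC 2 Common Criteria; every report must test it.
    if "Security" not in report.criteria_tested:
        findings.append("Security (Common Criteria) not tested")
    return (not findings, findings)


def diligence_record(report: Soc2Report, product: str, as_of: date) -> dict:
    """Build the file entry: report reviewed, period, auditor, criteria, outcome."""
    passes, findings = assess_soc2(report, product, as_of)
    return {
        "product": product,
        "report_reviewed": f"SOC 2 Type {report.report_type}",
        "period": f"{report.period_start} to {report.period_end}",
        "auditor": report.auditor,
        "criteria_tested": list(report.criteria_tested),
        "bridge_letter_through": str(report.bridge_letter_through) if report.bridge_letter_through else None,
        "meets_threshold": passes,
        "findings": findings,
    }


# Constructed sample inputs (hypothetical vendor, auditor and dates).
PRODUCT = "AccountOpen API"
REVIEW_DATE = date(2026, 5, 15)
GOOD_REPORT = Soc2Report(2, date(2025, 1, 1), date(2025, 9, 30), "Example Audit LLP",
                         ("AccountOpen API",), ("Security", "Availability", "Confidentiality"),
                         bridge_letter_through=date(2026, 5, 31))
# A parent-company report: short period, wrong scope, no bridge letter, stale.
PARENT_REPORT = Soc2Report(2, date(2024, 10, 1), date(2025, 3, 31), "Example Audit LLP",
                           ("Parent Core Platform",), ("Security",))

if __name__ == "__main__":
    for r in (GOOD_REPORT, PARENT_REPORT):
        print(diligence_record(r, PRODUCT, REVIEW_DATE))
```

Running the block prints one diligence record per sample: the product-scoped report with a current bridge letter meets the threshold, while the parent-company report produces four separate findings (short period, scope, coverage gap, staleness) that each need to be written down rather than collapsed into a single "fail".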
2. Weak Microsoft 365 or Cloud Configuration at the Vendor
Most fintech vendors run their own delivery platform on Microsoft 365, Microsoft Azure, AWS, or Google Cloud. Misconfigured identity, weak Conditional Access on vendor administrative accounts, and over-permissive external sharing are the leading initial attack vectors. Examiners want evidence that the institution reviewed the vendor's configuration baseline against a recognized benchmark (CIS, NIST SP 800-53, or the Microsoft 365 secure configuration guidance) and not just accepted a marketing claim that the vendor is "secure by default."
3. No Tested Disaster Recovery or Documented RTO and RPO
Examiners now treat untested DR as binary. Either the vendor has documented Recovery Point Objectives, Recovery Time Objectives, and a tested failover within the last twelve months, or the diligence file is incomplete. For a fintech that handles loan applications, payment processing, or account opening, an untested DR plan means unknown member or borrower impact during a vendor outage. That gap shows up as a Matter Requiring Attention.
4. Compliance Gaps in Borrower or Member Data Handling
The GLBA Safeguards Rule (amended 2024) requires reporting to the FTC of any security event affecting 500 or more consumers as soon as possible and no later than 30 days after discovery. Vendors that cannot describe how they identify a reportable event, who is on the notification chain, and what timeline they commit to under the contract should not be processing nonpublic personal information. CFPB obligations layer on top. State frameworks like NYDFS 23 NYCRR 500 and Massachusetts 201 CMR 17.00 apply when the institution operates in those jurisdictions.
5. Vendor Subcontractor Risk Is Unmapped
The institution contracts with the vendor. The vendor contracts with three subprocessors. One of those subprocessors handles credential storage. A breach there is, for the examiner, the institution's breach. OCC 2023-17 made fourth-party oversight explicit. The diligence file should list every subprocessor that touches institution data, with their certifications, geographic location, and the contract clauses that govern flow-down of the institution's requirements.
6. AI Governance Gaps in Underwriting and Compliance
The FHFA's decision to remove Anthropic from approved AI vendors in 2026 reset the bar for AI vendor risk. NCUA's published AI guidance directs credit unions back to LTCU 01-CU-20 and 07-CU-13 and adds explainability, bias testing, and disparate-impact review when models touch lending decisions. A fintech that runs an AI model in production must hand over model documentation, training data lineage, fair lending testing, and a rollback procedure when the model produces a finding the institution cannot defend. What the FHFA Anthropic decision means for financial institutions walks through the implications for banks, credit unions, and mortgage companies in detail.
"Prudent credit unions ensure that users of artificial intelligence understand the models and their associated risks, can explain how the models work, evaluate whether the lending algorithms and data used by partners avoid disparate impacts, and collaborate with model risk experts to evaluate and verify that the models and algorithms do not promote bias or discrimination."
NCUA Guidance Statement on CUSO activities and associated risks, ncua.gov
Tier 1 Microsoft Cloud Solution Provider
ABT Partner Insight
Microsoft publishes its own SOC 1 Type 2, SOC 2 Type 2, SOC 3, and ISO 27001 attestations on the Microsoft Service Trust Portal for both Microsoft 365 and Microsoft Azure. The portal covers Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Intune, and Dynamics 365 under the same audit scope. ABT uses the Service Trust Portal as the benchmark for what a fintech vendor's own attestation package should look like. If a vendor cannot produce comparable artifacts on request, the gap is the diligence finding.
Source: Microsoft Learn, Service Trust Portal documentation (learn.microsoft.com/compliance/regulatory/offering-soc-2)
How a Tier-1 Microsoft Cloud Solution Provider Strengthens Your Vendor Review Program
ABT is a Tier-1 Microsoft Cloud Solution Provider for over 750 financial institutions. We manage your Microsoft 365 tenant and host your Microsoft Azure environment. That positioning gives the vendor review program five concrete leverage points that a generalist managed service provider cannot supply.
Microsoft Defender for Cloud Apps Cloud App Catalog
Microsoft Defender for Cloud Apps maintains a catalog of tens of thousands of SaaS applications, each evaluated against dozens of security, compliance, privacy, and operational risk attributes. The catalog scores apps on identity (SSO, RBAC, audit logging), encryption posture, regulatory coverage (SOC 2, ISO 27001, GDPR, HIPAA, FedRAMP), data residency, and incident response practices. Before a fintech vendor goes into production with the institution, the catalog produces a baseline risk score that the diligence file can incorporate as one input alongside the SOC 2 review.
Conditional Access on Every Vendor Portal
Microsoft Entra ID Conditional Access gates access to vendor administrative consoles and vendor-facing applications by user, group, location, device compliance, sign-in risk, and session controls. A fintech vendor that requires institution administrators to log in from named-device sessions with phishing-resistant multi-factor authentication is a fundamentally different risk profile than one that accepts any browser session from any device. Conditional Access policies for financial institutions: 2026 best practices documents the policy set that examiners now expect to see.
Microsoft Purview Data Classification on Shared Data
Sensitivity labels applied through Microsoft Purview travel with the data when it moves from the institution's Microsoft 365 tenant to a fintech SaaS application via OAuth integration. Microsoft Purview Data Loss Prevention policies can block sharing of high-sensitivity content to vendor apps that do not meet the institution's data handling requirements. This is the technical control that closes the gap between "we contractually require the vendor to protect NPI" and "we can prove the data did not leave with weaker protection."
Microsoft Sentinel on API Integrations
Every fintech integration is an API connection. Microsoft Sentinel ingests sign-in logs, audit logs, and Microsoft Graph activity from the vendor side of the relationship (where the vendor exposes the telemetry) and the institution side of the relationship (always). Anomalous service-principal usage, unexpected geographic patterns, and bulk-read activity on aggregator tokens generate analytic-rule alerts that feed the institution's Security Operations Center. The Marquis breach showed what happens when no vendor telemetry exists, with a 60-day undetected window from initial compromise to customer impact.
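The three detections named in this section (anomalous service-principal usage, unexpected geography, bulk reads on an integration token) can be shown end to end on a handful of log lines. The Python below is an added example written for this article, not ABT's Sentinel content and not a Microsoft-provided rule; the approved-principal inventory, per-vendor country footprint, read thresholds and the six sample events are all constructed, and the one-hour sliding window is an assumption standing in for whatever lookback the institution's analytic rule uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: approved vendor service principals, the countries each
# vendor declared it operates from, and the read volume its contract justifies.
APPROVED_PRINCIPALS = {
    "sp-acctopen-fintech": {"countries": {"US"}, "max_reads_per_hour": 500},
    "sp-aggregator-api":   {"countries": {"US", "CA"}, "max_reads_per_hour": 2000},
}

# Constructed sample events in the shape of a flattened sign-in / activity export.
SAMPLE_EVENTS = [
    {"ts": "2026-05-14T02:10:00Z", "principal": "sp-acctopen-fintech", "country": "US", "op": "Read", "records": 120},
    {"ts": "2026-05-14T02:12:00Z", "principal": "sp-acctopen-fintech", "country": "US", "op": "Read", "records": 140},
    {"ts": "2026-05-14T02:40:00Z", "principal": "sp-acctopen-fintech", "country": "RO", "op": "Read", "records": 300},
    {"ts": "2026-05-14T03:05:00Z", "principal": "sp-aggregator-api",   "country": "US", "op": "Read", "records": 1500},
    {"ts": "2026-05-14T03:20:00Z", "principal": "sp-aggregator-api",   "country": "US", "op": "Read", "records": 900},
    {"ts": "2026-05-14T04:00:00Z", "principal": "sp-legacy-unknown",   "country": "US", "op": "Read", "records": 10},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, inventory=APPROVED_PRINCIPALS, window=timedelta(hours=1)):
    """Run the three vendor-API detections over a batch of events and return alerts."""
    alerts = []
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)

    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        profile = inventory.get(principal)
        # Rule 1: any activity from a principal that is not in the vendor inventory.
        if profile is None:
            alerts.append({"rule": "UnknownServicePrincipal", "principal": principal, "ts": evs[0]["ts"],
                           "detail": f"{len(evs)} event(s) from a principal not in the vendor inventory"})
            continue

        recent = []          # read events inside the sliding window
        bulk_fired = False   # fire once per principal per batch to avoid an alert storm
        for e in evs:
            # Rule 2: sign-in country outside the vendor's declared footprint.
            if e["country"] not in profile["countries"]:
                alerts.append({"rule": "UnexpectedGeography", "principal": principal, "ts": e["ts"],
                               "detail": f"activity from {e['country']}, declared footprint {sorted(profile['countries'])}"})
            if e["op"] != "Read":
                continue
            # Rule 3: total records read in the trailing window exceeds the contract volume.
            recent.append(e)
            cutoff = parse_ts(e["ts"]) - window
            recent = [r for r in recent if parse_ts(r["ts"]) > cutoff]
            total = sum(r["records"] for r in recent)
            if total > profile["max_reads_per_hour"] and not bulk_fired:
                alerts.append({"rule": "BulkRead", "principal": principal, "ts": e["ts"],
                               "detail": f"{total} records read in {window}, limit {profile['max_reads_per_hour']}"})
                bulk_fired = True
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['rule']:24} {a['principal']:22} {a['detail']}")
```

On the sample batch this yields four alerts: a geography alert and a bulk-read alert for the account-opening principal (the 02:40 read from outside its footprint also pushes the hour's total past 500), a bulk-read alert for the aggregator token, and an unknown-principal alert for the legacy identity nobody put in the inventory. That last case is the one the text is pointing at: the inventory itself is a control, and telemetry only helps when the approved list is maintained.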
Audit-Ready Vendor Program Documentation
ABT builds the institution's vendor risk documentation pack to match the structure examiners read against. That includes the program charter, the risk-rating methodology, the diligence questionnaire mapped to OCC 2023-17 phases, the contract clause library (audit rights, breach notification, exit strategy, subprocessor flow-down), and the ongoing monitoring cadence with evidence retention. FFIEC IT examination readiness for financial institutions covers how the vendor program fits inside the broader IT examination package.
The six-phase vendor review program ABT operates with financial institution customers
- Plan. Define the business activity, classify the risk tier, and document why a third party is the right delivery path.
- Diligence. Review SOC 2 Type 2 reports, Microsoft Defender for Cloud Apps catalog score, financial condition, insurance coverage, subprocessor list, and AI governance posture.
- Contract. Negotiate audit rights, data protection schedules, breach notification timelines, performance SLAs, subprocessor flow-down, and an executable exit plan.
- Onboard. Apply Conditional Access, Purview sensitivity labels, and Sentinel monitoring before any production data flows.
- Monitor. Quarterly performance review, annual SOC 2 refresh, telemetry review, and reassessment when the vendor changes ownership or material services.
- Terminate. Execute the exit plan, verify data return or destruction, retain evidence, and update the institution's vendor inventory.
Vendor risk assessment for banks, credit unions, and mortgage companies
Get an examiner-ready vendor due diligence program in 6 weeks
ABT builds your fintech vendor diligence program against OCC 2023-17, NCUA 01-CU-20, and the 2026 NCUA supervisory priorities. Microsoft Defender for Cloud Apps risk scoring, Conditional Access on vendor portals, Sentinel telemetry on API integrations, and the documentation pack examiners read against.
The 2026 Vendor Tech Due Diligence Checklist
Score every fintech vendor against this matrix before they receive a single production record. A vendor that scores below threshold on any row should not advance without documented compensating controls and explicit risk acceptance from the institution's executive committee.
| Category | Control | Microsoft 365 evidence path |
|---|---|---|
| Governance and compliance | Documented alignment with GLBA Safeguards Rule, CFPB requirements (where applicable), FFIEC IT Examination Handbook, and OCC 2023-17 lifecycle expectations | Microsoft Compliance Manager regulatory templates |
| Identity and access | Phishing-resistant multi-factor authentication, role-based access control, quarterly access reviews, and 24-hour offboarding | Microsoft Entra ID Conditional Access policies and access reviews |
| Data protection | Encryption at rest and in transit, data classification, sensitivity labels on shared records, and 30-day Safeguards Rule breach notification | Microsoft Purview Information Protection and Data Loss Prevention |
| Vendor platform security | Configuration baseline against CIS or NIST SP 800-53, vulnerability management cadence, and incident response runbook | Microsoft Defender for Cloud Apps catalog risk score |
| Disaster recovery and resilience | Tested failover within the last 12 months, documented RPO and RTO, and verified backup integrity | Microsoft Azure Site Recovery for institution-side workloads |
| Subprocessor and fourth-party risk | Complete subprocessor inventory, certifications, geographic footprint, and contract flow-down of institution requirements | Microsoft Service Trust Portal as the model attestation package |
| AI governance | Model documentation, training data lineage, fair lending testing, explainability, and rollback procedure | Microsoft Purview AI Hub and Microsoft Compliance Manager AI templates |
| Ongoing monitoring | SOC 2 Type 2 annual refresh, performance review, telemetry review, and reassessment on material change | Microsoft Sentinel analytic rules on vendor API integrations |
Turn Diligence Into a Competitive Edge
A documented vendor diligence program is not only an examination control. For banks, credit unions, and mortgage companies that compete for deposit relationships, embedded fintech partnerships, and warehouse lines, the same program creates speed advantages.
Three operational benefits from the same program
- Faster vendor onboarding. A diligence package built on Microsoft 365 controls drops the typical 12-week onboarding to four to six weeks. Sales cycles for embedded fintechs and core integrations move accordingly.
- Lower remediation cost. Examination findings on vendor management have a documented cost in remediation hours, legal fees, and reputational impact. A program built to OCC 2023-17 from the outset avoids the back-end cost of fixing it later.
- Better board reporting. The same Microsoft 365 evidence path that supports the diligence file feeds the board's vendor risk dashboard. The institution gets one set of numbers, not two.
Scenario: $1.2B community bank evaluating a new account-opening fintech
Without the program. Procurement reviews the marketing site, signs the master services agreement, and turns on the integration. Eight months later, the FDIC examiner reviews the vendor file, finds no SOC 2 Type 2 in the diligence record, and writes a Matter Requiring Board Attention. The bank now has 90 days to retroactively build the file.
With the program. The fintech's SOC 2 Type 2 is logged with period of coverage and Common Criteria tested. Microsoft Defender for Cloud Apps shows a baseline risk score with the data points that justify production approval. Conditional Access is in place on the vendor's administrative portal before the first record moves. Microsoft Sentinel has analytic rules on the API integration from day one. The examiner reads the file in 20 minutes and moves on.
6 weeks
From program kickoff to examination-ready vendor diligence package for banks, credit unions, and mortgage companies
Frequently Asked Questions
OCC Bulletin 2023-17 transmits the joint Interagency Guidance on Third-Party Relationships: Risk Management, issued June 6, 2023 by the OCC, Federal Reserve, and FDIC. It replaces OCC Bulletin 2013-29 and related FAQ bulletins, and unifies the standard across the three federal banking agencies. The 2023 guidance applies a single risk-based framework to the full vendor lifecycle (planning, diligence, contract, monitoring, termination), rather than the agency-specific guidance that preceded it. Federal Reserve SR 23-4 and FDIC FIL-29-2023 are the companion releases.
Yes. NCUA Letters to Credit Unions 01-CU-20 (Due Diligence Over Third Party Service Providers) and 07-CU-13 (Evaluating Third Party Relationships) remain the controlling baseline. The NCUA's 2026 Supervisory Priorities named vendor management and oversight as an examination focus area, with specific attention to third-party risk management practices for outsourced lending, servicing, and collections. NCUA's published guidance on artificial intelligence directs credit unions back to the same letters when evaluating AI vendors.
Section 1033 is currently enjoined and under reconsideration. The Eastern District of Kentucky enjoined CFPB enforcement on October 29, 2025 (Forcht Bank v. CFPB), and the CFPB issued an Advance Notice of Proposed Rulemaking on August 22, 2025 to reconsider the rule. The original compliance schedule is not actively enforceable while reconsideration proceeds. None of that changes existing vendor exposure: aggregator tokens, consumer-permissioned data flows, and fintech APIs that already integrated continue to operate. The due diligence program should focus on existing API exposure today, not the future rule.
A SOC 2 Type 1 report attests that controls are designed appropriately at a single point in time. A SOC 2 Type 2 report attests that those same controls operated effectively over a period (typically six to twelve months). For a fintech vendor that will process nonpublic personal information, only a SOC 2 Type 2 covering the in-scope product, with a bridge letter covering the gap between report date and today, meets the threshold. Microsoft publishes its own SOC 2 Type 2 attestations on the Microsoft Service Trust Portal for Microsoft 365, Microsoft Azure, and related services as the model package.
The FTC's amended Safeguards Rule requires covered financial institutions to notify the FTC of a security event affecting customer information of 500 or more consumers as soon as possible and no later than 30 days after discovery. "Discovery" begins on the first day the event is known to any employee, officer, or agent (other than the person committing the breach). Vendor contracts should require the vendor to report a qualifying event to the institution on a timeline that allows the institution to meet the 30-day federal threshold (typically 24 to 72 hours of vendor discovery).
A typical engagement runs four to six weeks for a community bank, credit union, or mortgage company with under 75 fintech vendors. The work covers program charter, risk-rating methodology, diligence questionnaire alignment to OCC 2023-17 and NCUA 01-CU-20, contract clause library, Microsoft Defender for Cloud Apps risk scoring, Conditional Access on vendor portals, Microsoft Sentinel telemetry, and the documentation pack examiners read against. Institutions with more than 75 fintech vendors or with state-specific overlays (NYDFS, California CPRA, Massachusetts 201 CMR 17.00) extend to eight or ten weeks.
Justin Kirsch
CEO, Access Business Technologies
Justin leads ABT's Microsoft Cloud Solution Provider practice for over 750 banks, credit unions, and mortgage companies. He works directly with FI compliance teams, IT leaders, and examiners on third-party risk programs anchored on Microsoft 365 controls. ABT builds vendor diligence packs that align to OCC 2023-17, NCUA 01-CU-20, and the 2026 NCUA Supervisory Priorities.