Third-Party Risk Management

TPRM

The lifecycle of identifying, assessing, and monitoring the risks vendors and partners introduce to your institution.

Third-Party Risk Management (TPRM), also called vendor risk management, is the discipline of managing the risk that outside vendors, service providers, and partners create. Regulators expect institutions to remain responsible for activities they outsource — you cannot outsource accountability.

A TPRM program runs across a lifecycle: risk-tiering vendors by criticality and data access, performing due diligence before onboarding, setting contractual controls, and conducting ongoing monitoring (financial health, security posture, adverse media) at a cadence matched to each vendor’s tier.

Examiners look for a vendor inventory, documented due diligence proportional to risk, and evidence of ongoing oversight — especially for vendors touching BSA/AML, KYC, custody, or core technology.

This glossary entry is educational and does not constitute legal advice. Always consult qualified legal counsel for jurisdiction-specific guidance.