
AI Vendor Risk Assessment Template for Financial Institutions

Third-party AI risk is now a board, audit, vendor management, and model risk issue. Banks, credit unions, and fintechs need a clear way to ask AI vendors for evidence before a tool is approved, renewed, or expanded. This free AI vendor risk assessment template gives regulated teams a practical 40-question structure for reviewing AI model transparency, data practices, security controls, ongoing monitoring, and contract protections.

Use this page as a preview of the assessment structure. The full workbook in the AegisAI Starter Kit includes the complete 40-question checklist, response fields, evidence prompts, scoring, and remediation tracking.

Why vendor AI risk is a top regulatory concern

Financial institutions often adopt AI through third-party products before internal AI governance programs are mature. Vendor platforms may include underwriting models, fraud scoring, customer service automation, document processing, marketing analytics, employee productivity tools, cybersecurity tooling, or compliance monitoring. The institution may not build the model, but it remains responsible for understanding how the vendor tool affects customers, operations, privacy, security, and compliance.

The OCC Bulletin 2023-17 interagency guidance explains that third-party risk management should be commensurate with a bank's risk profile, complexity, and the criticality of the activity supported by the third party. The agencies' related release describes the third-party risk life cycle as planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination. AI-enabled vendors need to be reviewed through that same life cycle, with extra attention to model transparency, data use, monitoring, and evidence access.

Current model risk governance language should also reflect SR 26-2, which superseded SR 11-7 for covered banking organizations. SR 11-7 may still appear in legacy policies, inventories, and audit workpapers, so continuity mapping remains useful, but new vendor AI review should be written in current model risk terms.

What to include in an assessment

A useful AI vendor assessment does more than ask whether a vendor has SOC 2 or a privacy policy. It should identify what the AI system does, what data it uses, whether outputs affect customers, how the vendor monitors performance, and what evidence the institution can produce if audit, management, the board, or an examiner asks.

AI use and product scope

Identify exactly where AI is embedded in the vendor product, which business processes it supports, and whether outputs inform customer, credit, fraud, compliance, operations, or security decisions.

Model transparency and validation

Request model documentation, intended-use statements, limitations, validation summaries, testing history, and monitoring evidence proportionate to the risk of the use case.

Data governance and privacy

Review data inputs, retention, training restrictions, confidentiality, data residency, access controls, logging, and contractual limits on reuse of institution or customer data.

Fairness and consumer impact

For customer-impacting tools, ask how the vendor evaluates explainability, bias, disparate impact, adverse action support, complaint patterns, and human review.

Security and operational resilience

Assess access control, encryption, secure development, vulnerability management, incident response, uptime commitments, business continuity, and concentration risk.

Contracts and ongoing monitoring

Confirm audit rights, model change notification, performance obligations, incident notification, subcontractor controls, exit rights, and evidence delivery commitments.

Free template preview: 10 sample questions

These sample questions are representative of the full 40-question AI vendor risk assessment template. Use them to start a vendor review, then convert missing or partial answers into remediation items before contract approval or renewal.

  1. Does the vendor clearly identify where AI, machine learning, automated decisioning, or generative AI is used in the product?
  2. Can the vendor provide model documentation describing intended use, limitations, inputs, outputs, and material assumptions?
  3. What customer, employee, or institution data is processed by the AI system, and is any data used for vendor training or model improvement?
  4. Has the vendor completed independent validation, performance testing, bias testing, or outcome monitoring for the AI system?
  5. How does the vendor monitor model drift, exceptions, overrides, complaints, false positives, and false negatives over time?
  6. What audit rights, examination support, and evidence access are available to your institution and regulators?
  7. How are material model changes, feature changes, retraining events, and new data sources communicated to clients?
  8. What security controls protect AI inputs, outputs, prompts, logs, embeddings, training data, and user access?
  9. What incident notification timeline applies to AI failures, data exposure, inaccurate outputs, or customer-impacting errors?
  10. What exit plan, data return process, and transition support would apply if the AI vendor relationship is terminated?

Download the complete 40-question template

The full AI Vendor Risk Checklist in the Starter Kit includes response columns, notes fields, evidence prompts, risk scoring, and remediation tracking. The premium vendor workbook expands this into a deeper 60-question assessment with comparison, contract, and monitoring tabs.

Regulatory requirements for third-party AI risk

Third-party AI review sits at the intersection of vendor risk, current model risk governance, privacy, security, operational resilience, and consumer compliance. The practical question is whether your institution can prove that the vendor was reviewed before use, monitored after approval, and contractually obligated to support your institution's compliance and examination needs.

For AI vendors, due diligence should include model documentation, validation or testing evidence, data-use restrictions, security evidence, business continuity commitments, subcontractor controls, and change notification procedures. Contract review should address audit rights, data return or destruction, incident notice, performance commitments, regulatory cooperation, termination support, and restrictions on vendor use of institution data.

Ongoing monitoring should be risk-based. A vendor used for employee drafting assistance may require a lighter review than a vendor supporting credit scoring, fraud detection, AML alerts, collections, marketing eligibility, or customer communications. The assessment file should document the rationale for that tiering.

How to conduct an AI vendor risk assessment

  1. Classify the vendor and use case

     Start by identifying whether the vendor supports a critical activity, customer-impacting workflow, regulated decision, security process, or material operational dependency. The risk tier should drive the depth of due diligence.

  2. Send a structured AI-specific questionnaire

     Generic vendor questionnaires often miss AI-specific issues. Use a dedicated assessment to ask about model documentation, training data, monitoring, bias testing, explainability, AI change management, and evidence access.

  3. Score responses by domain

     Evaluate each answer as satisfactory, partial, missing, or not applicable. Separate contractual gaps from operational gaps so vendor management, legal, security, model risk, and compliance teams know what to remediate.

  4. Negotiate evidence and contract protections

     Use the assessment findings to strengthen audit rights, model-change notice, data-use limits, incident timelines, service levels, subcontractor controls, and termination support.

  5. Monitor and refresh the assessment

     Reassess when the vendor changes models, data sources, features, subcontractors, use cases, or risk posture. Keep evidence in the vendor file so audit, board, or examiner requests can be answered without reconstruction.

FAQ

What is an AI vendor risk assessment?

An AI vendor risk assessment is a structured review of a third-party AI product, model, or service before it is approved, renewed, or materially changed. It documents model transparency, data handling, security, validation, monitoring, contract protections, and evidence needed for vendor risk, model risk, audit, and examiner review.

Who should use this template?

It is designed for banks, credit unions, fintechs, vendor management teams, compliance officers, model risk teams, IT risk teams, and internal audit functions reviewing AI-enabled vendors.

Which regulatory sources does this template align to?

The template is informed by OCC Bulletin 2023-17 and the interagency third-party risk management guidance, SR 26-2 model risk management expectations, SR 11-7 continuity mapping where legacy documentation still uses it, and practical FFIEC-style evidence themes.

How often should AI vendors be reassessed?

At minimum, reassess at onboarding, renewal, and whenever the vendor makes a material AI change. Higher-risk vendors, such as vendors supporting credit, fraud, AML, customer-impacting decisions, or critical operations, may require more frequent monitoring.

Does completing the template prove compliance?

No. A completed template supports documentation and internal review, but it does not determine regulatory compliance and does not replace legal, audit, supervisory, privacy, security, or model validation review.

Turn vendor questions into an evidence-ready review.

Start with the free AI governance assessment, then use the vendor risk template to document third-party AI controls, gaps, and remediation before your next audit, board meeting, or exam cycle.

Important limitation

This template is for informational and educational purposes only. It does not constitute legal, regulatory, audit, supervisory, model validation, privacy, security, or compliance advice. Institutions should consult qualified counsel and compliance, risk, audit, privacy, security, and model risk professionals regarding their specific obligations.

  • Use evidence, not memory, to answer each question.
  • Escalate high-risk AI vendors for legal and model risk review.
  • Retain completed assessments in the vendor file.
  • Reassess when the vendor makes material AI changes.