Third-Party AI Risk in Banking:
What Financial Institutions Need to Know
What is Third-Party AI Risk in Banking?
Most banks and credit unions adopt AI from vendors or fintech partners, because building and maintaining custom systems is costly and slow. Relying on external AI, however, means the institution may have little visibility into how these tools work, what data they use, or what happens when they fail.
Third-party AI risk is the exposure that arises from using AI systems built or operated by external providers. Banks can be held accountable for the outcomes even though they did not develop the tool.
What Federal Guidance Says About Third-Party Risk
Banking regulators have addressed third-party risk management directly. In June 2023, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued final joint guidance on managing risks associated with third-party relationships.¹ The guidance covers the full life cycle of third-party relationships, including planning, due diligence, contract negotiation, ongoing monitoring, and termination.
The guidance states that a banking organization's use of third parties does not diminish its responsibility to operate in a safe and sound manner and in compliance with applicable laws and regulations, to the same extent as if its activities were performed in-house.¹
Why AI Vendor Relationships Create Distinct Challenges
AI tools introduce types of risk that traditional vendor management frameworks were not designed to address. A conventional vendor provides a service whose behavior the institution can observe and measure directly. An AI vendor may provide a model whose internal logic is difficult to inspect, whose outputs can shift over time as the model is retrained or replaced, and whose training data may not be fully disclosed to the institution using it.
The Financial Stability Board has identified third-party dependencies and service provider concentration as key vulnerabilities in the financial sector's adoption of AI.² Its 2025 monitoring report noted that the growing use of AI tools built on pre-trained models often does not involve formal contractual relationships with the underlying model developers, yet still introduces third-party risk.² That layered exposure is particularly relevant for smaller institutions that rely entirely on external providers for their AI capabilities.
The NIST AI Risk Management Framework addresses this directly. Its GOVERN function emphasizes the importance of establishing policies for third-party AI systems and data, including requirements for transparency into third-party system functions, thorough testing before deployment, and contingency processes for handling third-party system failures.³
Why This Is a Leadership Problem
When a vendor-supplied AI tool produces an undesirable outcome, the institution faces the same accountability questions it would for any other business process it owns.
Who approved this tool?
What due diligence was done before it was deployed?
Who is monitoring its performance on an ongoing basis?
Is there a documented process for what happens when the tool fails or produces unexpected results?
Institutions that have inventoried their AI activity, documented their vendor relationships, and assigned a named owner to each tool are in a different operational position from those where AI tools arrived through individual business-unit contracts without centralized review. Governance structures can help an organization answer those questions before they become urgent.
A governance committee positioned to ask gate questions before a vendor AI tool is approved for use could consider the following:
Has the vendor provided sufficient documentation of how the tool works?
Can the institution explain the outcomes the tool produces?
What is the plan if the vendor changes the model or discontinues the service?
Who inside the institution owns ongoing monitoring of this relationship?
Those are not technical questions. They are governance and ownership questions, exactly the kind of decisions a cross-functional committee is structured to make.
Sources
FDIC, Federal Reserve, and OCC, Interagency Guidance on Third-Party Relationships: Risk Management, June 2023 - https://www.fdic.gov/news/financial-institution-letters/2023/fil23029.html
Financial Stability Board, Monitoring Adoption of AI in the Financial Sector, October 2025 - https://www.fsb.org/2025/10/monitoring-adoption-of-artificial-intelligence-and-related-vulnerabilities-in-the-financial-sector/
NIST, AI Risk Management Framework 1.0 - https://www.nist.gov/itl/ai-risk-management-framework
Related pages in this series:
For a plain language overview of how the NIST AI RMF applies to banks and credit unions, see NIST AI RMF for Banks and Credit Unions
For a detailed statutory overview of Texas HB 149, see Texas HB 149 and Financial Institutions
For context on federal AI strategy and its connection to state-level governance requirements, see Federal Strategy to State Law
For context on fair lending and AI explainability requirements, see AI Fair Lending Compliance for Banks
This page is for informational purposes only. It provides a general factual overview of publicly available laws, regulatory guidance, and frameworks. It does not constitute legal advice, regulatory interpretation, compliance guidance, or a recommendation of any specific course of action. Laws and guidance referenced here may be subject to change. Qualified legal and compliance professionals can help organizations assess their specific circumstances and obligations.

