Ncontracts Unveils 2025 Survey on Third-Party Risk Trends in Financial Services

Financial Institutions Face a Perfect Storm in Vendor Risk: Inside the 2025 Ncontracts Third-Party Risk Management Survey

In an era defined by rising cyber threats, regulatory scrutiny, and technological disruption, financial institutions are under unprecedented pressure to manage vendor risk effectively. Ncontracts, a leading provider of integrated risk, compliance, and third-party management solutions for the financial services industry, has released its 2025 Third-Party Risk Management (TPRM) Survey. The comprehensive report offers critical insights into how banks, credit unions, and mortgage companies are navigating the evolving landscape of vendor risk, with a strong emphasis on the emerging challenges of artificial intelligence, cybersecurity incidents, staffing constraints, and return on investment (ROI).

Based on data collected from more than 170 financial institutions between November 2024 and January 2025, this year’s survey highlights key strategies, pain points, and trends in how organizations are adapting their TPRM programs to meet both internal and external demands.

A Lean Staff, a Heavy Lift

One of the survey’s most revealing insights is that a significant number of financial institutions are operating their third-party risk programs with minimal staffing. Nearly three-quarters (73%) of respondents reported having just one or two full-time employees dedicated to managing vendor risk. This is despite the fact that over half of those institutions are overseeing more than 300 vendors. The mismatch between staffing and operational demands creates significant inefficiencies and bottlenecks, particularly in areas like due diligence and ongoing monitoring.

This lean staffing model appears increasingly unsustainable as third-party ecosystems grow more complex. Two-thirds of financial institutions (66%) acknowledged feeling growing pressure to bolster their TPRM efforts. Regulatory examiners and internal audit teams were cited by nearly half of respondents as the primary drivers of this pressure, underscoring the importance of compliance readiness in shaping program priorities.

Cybersecurity Incidents: A Widespread Concern

The survey uncovered an alarming trend: 49% of financial institutions experienced a cyber incident tied to a third-party vendor in the past year. This statistic reflects the broader vulnerability of financial firms that rely on vast networks of vendors, many of which may not maintain adequate security protocols or undergo rigorous oversight.

While the majority of affected institutions (66%) were able to recover within 60 days, a concerning 8% reported recovery periods extending beyond 90 days. This highlights the operational and reputational risks tied to third-party breaches—and raises urgent questions about how quickly institutions can respond when vendor security fails.

As ransomware attacks and supply chain breaches become more prevalent, institutions are reassessing how they vet, monitor, and manage third-party partners. The threat landscape is only becoming more dangerous, and a reactive approach is no longer sufficient.

AI Emerges as a Top Risk Factor

The rise of artificial intelligence is changing the dynamics of third-party risk in real time. According to the 2025 Ncontracts survey, AI is now considered the second-highest area of concern among respondents when evaluating vendor risk, trailing only cybersecurity.

Institutions are taking proactive steps to mitigate this emerging risk. Many are incorporating specific language around AI usage into vendor contracts, while others have established new due diligence protocols to assess how vendors are deploying machine learning or generative AI technologies. This trend suggests that financial institutions are beginning to view AI not just as a potential innovation driver, but also as a powerful risk vector—especially when it comes to data handling, model transparency, and ethical governance.

As vendor AI adoption accelerates, the challenge will be to balance innovation with oversight. The most forward-thinking organizations are already building frameworks to evaluate not just how vendors use AI, but how those uses align with institutional policies, regulatory guidance, and customer expectations.

Strong ROI for Mature Programs

Despite the challenges, the majority of financial institutions see substantial value in their TPRM programs. In fact, 85% of respondents reported moderate to high return on investment, a powerful validation of the resources dedicated to these initiatives.

Institutions cited several key benefits from their TPRM investments, including:

  • Enhanced cybersecurity posture
  • More efficient vendor performance monitoring
  • Improved compliance alignment
  • Better cost control through streamlined vendor portfolios

This high level of ROI suggests that institutions that make strategic investments in people, processes, and technology are reaping operational rewards. In some cases, these benefits go beyond risk mitigation and are reshaping vendor relationships into long-term strategic partnerships that create mutual value.

The Rise of Hybrid TPRM Operating Models

A growing number of institutions—particularly those with larger asset sizes—are shifting toward hybrid TPRM models. In this structure, a centralized team manages the overall framework and sets governance standards, while individual departments or “vendor owners” are responsible for day-to-day monitoring and relationship management.

This approach allows for more flexibility without sacrificing consistency, which is essential as institutions take on more diverse and specialized vendors. It also ensures that subject matter experts within the organization remain closely involved in evaluating risk and performance metrics.

By adopting hybrid models, financial firms can scale their TPRM operations more effectively, especially as they expand their digital footprints and form new partnerships with fintechs, cloud providers, and niche service vendors.

Due Diligence: The Ongoing Bottleneck

Despite advancements in TPRM software and process optimization, due diligence remains a persistent challenge. Collecting, analyzing, and updating vendor documentation was named as one of the top bottlenecks across institutions.

The manual nature of this work, compounded by growing vendor lists and regulatory complexity, often leads to delays in onboarding new partners and hampers the ability to conduct timely risk assessments. This inefficiency can also strain relationships with vendors and limit organizational agility in fast-moving markets.

Technology adoption is helping alleviate some of the strain. An increasing number of institutions are leveraging TPRM software platforms to automate document collection, centralize reporting, and flag missing data. However, the path to full digital transformation remains uneven, especially among smaller institutions with limited IT budgets.

Looking Ahead: What Institutions Must Do Now

The 2025 Ncontracts Third-Party Risk Management Survey paints a vivid picture of an industry in transition. Financial institutions are managing a broader vendor ecosystem with fewer people and more risk exposure than ever before. To stay ahead of these challenges, Ncontracts recommends several key areas of focus:

  1. Refine TPRM Operating Models: Move toward hybrid structures that empower vendor owners while ensuring centralized oversight.
  2. Prioritize AI Risk Management: Develop AI-specific due diligence checklists and contractual clauses to address emerging ethical, operational, and data governance issues.
  3. Streamline Due Diligence Workflows: Invest in automation tools to reduce manual workloads and improve documentation accuracy.
  4. Align Oversight with Actual Risk: Avoid a one-size-fits-all approach by tailoring review frequency and scope to the actual risk level posed by each vendor.
  5. Track TPRM ROI: Monitor and report program outcomes regularly to demonstrate the strategic value of vendor risk management to boards and executives.

As the survey’s author and Ncontracts CEO Michael Berman notes, “This isn’t just about compliance anymore—robust vendor management is becoming a competitive differentiator. The institutions that modernize their approach and embrace technology will be the ones best positioned to transform vendor risk into strategic opportunity.”

To explore the full findings of the survey, download the 2025 Third-Party Risk Management Report at Ncontracts.com.
