The Compliance Principle That Vendor Incidents Keep Testing
When a third-party vendor that handles your customer information experiences a breach, the instinctive response is to treat it as the vendor's problem. The regulatory reality is different: FCRA compliance and GLBA compliance obligations do not transfer to vendors. They remain with the financial institution regardless of where in the ecosystem a failure occurs.
This principle — that outsourcing a function does not outsource the compliance obligation that governs it — is the foundation of the FTC Safeguards Rule's vendor oversight requirements, and it is the lens through which regulators evaluate how institutions respond to third-party incidents. Understanding it before an incident occurs is how institutions avoid being caught on the wrong side of an examination finding.
For lending institutions on Salesforce, embedding vendor oversight documentation and monitoring into the COMPLY workflow — rather than managing it through separate manual processes — is how this obligation becomes operationally sustainable. Schedule a Compliance Discussion to review your current vendor risk program against Safeguards Rule requirements.
What the Safeguards Rule Actually Requires of Lenders
The FTC Safeguards Rule (16 CFR Part 314), as significantly strengthened by the 2021 amendments, imposes specific vendor oversight obligations on covered financial institutions. These are not general guidelines — they are requirements:
| Requirement | What It Means in Practice |
|---|---|
| Vendor Selection | Select service providers with appropriate safeguards for customer information |
| Contractual Requirements | Require by contract that vendors implement and maintain appropriate safeguards |
| Ongoing Monitoring | Monitor vendor safeguards on an ongoing basis — not just at initial onboarding |
| Board Reporting | Report to the board of directors on the information security program annually, including vendor risk |
| Incident Response | Maintain a written incident response plan that addresses vendor-related security events |
| FTC Notification | Notify the FTC within 30 days of discovering a breach affecting 500 or more customers |
The combination of contractual requirements and ongoing monitoring is where most institutions' vendor programs fall short. Selecting a reputable vendor is not sufficient. The Safeguards Rule requires that the selection be documented, that security expectations be contractually specified, and that compliance with those expectations be actively monitored.
The FCRA Dimension: Permissible Purpose and Data Accuracy
FCRA's vendor risk implications are distinct from GLBA's — and equally important for lenders. When credit data is accessed, processed, or transmitted through third-party systems, FCRA's permissible purpose, accuracy, and data security requirements follow the data regardless of which system is handling it.
Specific FCRA vendor risk obligations include:
Permissible Purpose Documentation. When credit data flows through vendor systems, the institution must be able to document that permissible purpose existed for every data access, even when that access was facilitated by a vendor system rather than the institution's own infrastructure.
Accuracy Obligations. Lenders that furnish data to credit bureaus remain responsible for the accuracy of that data even when the furnishing is handled through a vendor or middleware system. Data integrity failures in vendor systems can create FCRA accuracy liability for the institution.
Data Security. The FCRA does not specify security controls in the same way the Safeguards Rule does — but FCRA's disposal rule and the broader consumer protection framework create data security obligations that extend to vendor-handled credit data.
The Real-World Vendor Risk Exposure: Lessons from Major Breaches
The major third-party breaches of 2023–2025 — including the National Public Data breach, which exposed 2.9 billion records — provided a practical test of institutional vendor risk programs. The common compliance gaps that surfaced:
Vague contract language. Institutions with "industry-standard security" contract language could not point to specific security requirements that NPD had committed to — and could not demonstrate that their oversight had verified compliance with those requirements.
Incomplete vendor inventory. Some institutions were uncertain whether NPD held their customers' data because they lacked a current, complete inventory of all vendors and subprocessors handling customer information.
Notification timeline gaps. Institutions whose incident response plans predated the FTC's May 2024 30-day notification requirement had not updated their plans to reflect the new timeline — creating potential compliance gaps at exactly the moment the plans were needed.
Encryption verification. The NPD breach involved data that was not encrypted at rest. Institutions whose vendor contracts did not specify encryption requirements — and whose ongoing oversight had not verified encryption implementation — had limited basis for asserting adequate vendor oversight.
Building a Vendor Risk Program That Holds Under Examination
An examination-ready vendor risk program for lenders addresses each element of the Safeguards Rule's vendor oversight requirement with specific, documented evidence:
Vendor inventory. A current, maintained list of all vendors and subprocessors that handle customer information, including the categories of data each holds and the security requirements applicable to each relationship.
Contract specificity. Vendor agreements that specify encryption standards, access controls, incident notification timelines, and security assessment rights — not general language about maintaining "appropriate" or "industry-standard" security.
Periodic due diligence. Documented evidence of periodic security reviews for vendors handling significant customer information — including review of vendor SOC 2 reports, security questionnaires, or direct assessment results.
Incident response integration. Incident response plans that specifically address vendor-related security events, including the FTC's 30-day notification timeline from the date of discovery.
Board reporting. Annual documentation that the board of directors received and reviewed information security program status, including the state of vendor risk management.
What This Means for Your Institution
Third-party vendor risk is not an abstract compliance concept — it is a documented source of examination findings, enforcement actions, and financial exposure for lending institutions. The major breaches of 2023–2025 have provided a clear picture of what inadequate vendor oversight looks like in practice, and what regulators expect to see when they ask about vendor risk programs.
The institutions that manage this exposure most effectively are those that have built vendor oversight into their operational workflows — systematic rather than ad hoc, documented rather than assumed, and integrated into the technology platform rather than managed through standalone spreadsheets and periodic reminders.
Schedule a Compliance Discussion to review your institution's vendor risk management program against FTC Safeguards Rule requirements and current examination expectations.
