Vendor Risk Requirements for Non-Bank Lenders


Read the financial news on any given day, and you’ll see story after story about non-bank lenders and fintech companies rapidly enlarging their piece of the lending pie. While alternative lending companies have existed for decades, they are now considered a viable option in the financial services market. Today, non-bank lenders are successfully competing against traditional banks and have even dominated specific product markets like mortgages. Interestingly, those same conventional financial institutions are relying on non-bank lenders to provide better and more tech-friendly offerings to their customers. More than ever, non-bank lenders are front and center.

Critics of the alt-lending sector will often contend that non-bank lenders’ regulations are minimal, giving them a distinct advantage. With fewer restrictions, one could assume the risks associated with alternative lenders are significant compared to those of a traditional bank. There are plenty of opinions related to this issue. However, for practical purposes, I’ll narrow my focus to the specific risks associated with non-bank lenders and third-party risk management.

Two Common Questions Related to the Issue

1. Are there any requirements for non-bank lenders to practice third-party risk management?

The answer to this first question is most definitely yes. Non-bank lenders and fintech firms may find themselves just beyond the OCC and FDIC’s direct supervision; however, they are still accountable for managing the risk associated with their third parties. But, who is holding them accountable and what are the requirements?

The answers lie in consumer protection laws. Alternative lenders seek to offer their products and services directly or indirectly to consumers, so they are held accountable by regulators such as the CFPB.

The Consumer Financial Protection Bureau (CFPB), the regulating body born out of the Dodd-Frank Act of 2010, is intended to protect consumers from risky or abusive financial products. The bureau is empowered to regulate companies that sell financial products to consumers and enforce laws against consumer finance discrimination.

The CFPB, a regulator of both bank and non-bank lenders, states, “Using outside vendors can pose additional risks. A service provider unfamiliar with consumer financial protection laws, or has weak internal controls, can harm consumers.”

While the CFPB’s guidance isn’t as detailed as the OCC’s, it still aligns with basic third-party risk management principles. Let’s take a look at the steps in the CFPB’s guidance:

      • Due diligence: Verify that the service provider understands and is capable of complying with the law by requesting and reviewing the provider’s policies, procedures, internal controls and training materials; this also ensures that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.

      • Compliance: Include clear expectations about compliance in the contract with the service provider, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities.

      • Monitoring: Establish internal controls and ongoing monitoring to determine whether the service provider is complying with the law.

      • Resolution: Take prompt action to fully address any problems identified through the monitoring process.

While not mentioned explicitly in the concise guidance, it makes sense that a thorough assessment of the potential risk precedes and dictates any effective due diligence process. Identifying and assessing risk is the bedrock of any sound third-party risk management program.

2. Are non-bank lenders expected to manage third-party risks with the same rigor as a traditional bank?

In a roundabout way, yes. Reasonably prescriptive guidance from organizations such as the OCC and the FDIC serves as the foundation for many bank third-party risk management programs. Still, these organizations don’t necessarily govern the non-bank lending sector directly. However, traditional banking organizations must hold their partners and vendors to the same regulatory standards for which they are accountable. This would include their relationships with non-bank lenders and fintech firms. Per OCC Bulletin 2013-29: “The OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself, on its own premises.” Considering that the bank and the third party can be held liable for non-compliance, many banks now require their partners to have third-party risk management programs that would stand up to scrutiny from regulators such as the OCC and FDIC.

At a minimum, the non-bank lender is always responsible for ensuring that their vendor(s) understands and can comply with the law. This should be accomplished through the application of third-party risk management fundamentals such as:

     • Risk Assessment
     • Due Diligence
     • Contracting
     • Ongoing Monitoring

When a non-bank lender works directly with a regulated bank, either as a vendor or a partner, the alternative lender should attempt to comply with regulations governing traditional banks. So yes, non-bank lenders may need to demonstrate the same rigor in their third-party risk management programs as their bank partners.

As a closing thought, as non-bank lenders continue to grow their market share and enter new partnerships with traditional banking institutions, the potential to harm the consumer (or investor) also increases. And inevitably, so will regulatory attention, resulting perhaps in new regulatory requirements for how non-bank lenders and fintech firms must manage their third-party risk.
