Feb 9 / Risk Tide

🌊FINRA Is Watching. Are You?

In this edition of The Current, we’re focusing on the risk that doesn’t show up on an assessment checklist and the areas FINRA has its eye on. As priorities shift, it’s a good time to ask: are your controls managing risk, or just documenting it? 

Let’s dive in.🌊 

Quick Note: Risk Tide shares educational insights and our take on regulatory changes; this is not legal or compliance advice. Every organization is different, so always check with your legal or compliance teams. Think of us as your "practical" TPRM guide, not your lawyers.

No One Should Read in Silence! 

Fair warning: this newsletter pairs best with our office playlist. Press play, then dive in.

The Space Between Assessments

One of the longest-running questions in TPRM is not new at all: what actually happens between assessments? Traditional programs have relied on point-in-time questionnaires for years, even though risk has never operated on an annual schedule and vendors certainly do not. That space between reviews has always existed. We are just getting more honest about it now. 

What changed: Instead of repeatedly asking vendors to re-answer the same questions in different tools and formats, organizations are increasingly looking to connect to evidence that already exists. Trust centers, shared artifacts, and validated documentation are being reused, refreshed, and monitored over time. The conversation is slowly shifting from “start over” to “what has actually changed since the last time we looked?” 

What didn’t change: Teams still need assessments. For a long time, programs have relied on refresh cycles, interim attestations, and follow-up questions to manage the gap between reviews. The intent has always been to understand risk between point-in-time evaluations.

What it means: This is not about eliminating assessments. It is about making them more informed, more targeted, and far less disruptive for everyone involved. As TPRM programs continue to mature, the ones that gain traction are the ones that reduce friction, close visibility gaps, and treat trust as something that is continuously demonstrated, not periodically requested. Today, technology can help teams connect existing data, monitor risk between assessments, and quickly identify what has changed in documentation, without repeatedly rereading the same information.

Translation: Fewer surprise pop quizzes. More ongoing progress checks. 

Note: The real question is whether, and how, you are using these tools to your advantage to fill that gap. So stay tuned: we have an event coming up in May to share best practices and get peer organizations talking to each other.

Question: Where do you see this heading next? Let us know through a quick poll!

What FINRA Is Watching in Third-Party Risk

At the start of the year, FINRA published its 2026 Regulatory Oversight Report, highlighting ongoing regulatory priorities across areas such as cybersecurity, operational resilience, and emerging technologies. Within the report, FINRA continues to call out third-party risk and vendor oversight as a critical area of focus, reflecting firms’ increasing reliance on external providers to support key business functions. 

What changed: FINRA emphasizes that third-party incidents, including cyberattacks and service outages, are becoming more frequent and impactful. The report highlights the growing dependence on vendors supporting mission-critical systems and the need for stronger oversight as these relationships expand.

What didn’t change: Outsourcing does not shift regulatory responsibility. FINRA reiterates that firms remain fully accountable for supervision, controls, and compliance related to third-party relationships, regardless of whether services are performed internally or by external vendors. 

What it means: FINRA outlines effective practices that include conducting initial and ongoing due diligence, maintaining a comprehensive inventory of third-party services and data access, monitoring vendors for vulnerabilities and incidents, and ensuring appropriate contractual and incident response controls are in place. 

Translation: Third-party risk management is not a one-time onboarding exercise. Firms are expected to demonstrate ongoing oversight, monitoring, and governance throughout the vendor lifecycle. 

Question: How do you think firms are evolving their TPRM programs to meet these expectations? Let us know through a quick poll!

Get More Than Just A Registration 

When you register for our in-person Risk Tide Labs - New York, you’re getting more than a seat: you’re getting a complete, hands-on training experience, including:
  • Up to 15 CPE credits
  • A 200+ page comprehensive guidebook
  • Exclusive Risk Tide swag
  • 30 & 60 day 1:1 instructor check-ins
  • A certificate and digital badge to share
  • And more!
Fewer than 20 seats remain; secure your spot before they’re gone.

Looking for a self-paced training?

Something new is on the horizon. We get it: live, in-person sessions don’t always fit your schedule.

That’s why Risk Tide is launching self-paced online courses designed to move with you. Start immediately, learn on your own time, earn CPE credits, and advance your professional development without hitting pause on your day.

Where in the world is Garit?

Risk Tide co-founder (and frequent flyer) Garit Gemeinhardt is always on the move, so we’ve decided to keep track of his travels.

This week’s destination: Idaho⛰️ (Snowmobiling of course)