The new banking standard – Cybersecurity and TPRM according to FINRA and OCC

An IT concern. A paper-pushing exercise. That’s how many financial firms once viewed cybersecurity and third-party risk management (TPRM). But that playbook no longer works. Regulators, led by FINRA and the OCC, have made it clear – cybersecurity and vendor oversight are not optional trends. Alongside AML, they are now foundational standards. And these regulators aren’t just issuing reports calling for stronger safeguards; they’re backing their expectations with real enforcement actions. In this blog, we examine recent FINRA and OCC advisories and enforcement cases that underscore their sharpened focus on these systemic risks.


Why now?


The heightened focus on cybersecurity and TPRM isn’t random — it is a response to the evolving risk landscape in the financial sector. As banks increasingly rely on third-party vendors and face more sophisticated cyberattacks, their exposure to vulnerabilities has grown significantly, and regulators aren’t taking that lightly. Here’s a data-driven snapshot of these escalating threats:


[Graphic: data-driven snapshot of escalating cyber and third-party threats in the financial sector]

FINRA’s priorities – A continued focus on cybersecurity and third-party risks


As the above graphic illustrates, nearly every major bank has experienced a data breach, and three-quarters of financial firms report disruptions related to third-party vendors. FINRA’s 2025 Regulatory Oversight Report reinforces this trend, noting an uptick in cyber incidents affecting vendors tied to mission-critical systems. The report flags weak spots in banks’ vendor oversight, ranging from inadequate due diligence and poor data protection to blind spots around fourth-party risks. FINRA has warned that too many preventable incidents continue to occur even after exam findings, and firms should expect more enforcement actions tied to cyber and vendor oversight failures.


Recent FINRA disciplinary actions:

  • In August 2025, FINRA sanctioned Rialto Markets, LLC for failing to maintain adequate supervisory systems to protect customer data. The firm’s procedures lacked basic controls like multi-factor authentication, audit logging, alerts for suspicious activity, and email forwarding rules. This gap allowed an unauthorized user to access a business email, exposing over 4,000 clients’ data and enabling a fraudulent transfer of $1 million. FINRA imposed a censure and $50,000 fine on the bank.

  • In July 2025, FINRA sanctioned BTG Pactual US Capital for AML compliance failures. Interestingly, the firm relied on a third-party tool for automated post-transaction monitoring—but the tool was malfunctioning, missing certain outgoing wire transfers to high-risk geographic locations. Compounding the issue, the firm failed to review, escalate, or document alerts generated by the tool. Despite the vendor’s shortcomings, it was the bank that was fined $400,000, underscoring that firms remain responsible for ensuring the effectiveness of any outsourced technology.

  • Another recent disciplinary action highlighting that outsourcing compliance does not shift responsibility involves Investment Placement Group. The firm was sanctioned and fined $225,000 last month for failing to properly supervise a third-party platform used to capture and archive employee communications. The vendor did not fully capture messages, leaving the firm unable to produce all communications in response to a FINRA request.


OCC’s priorities: Operational resilience and cybersecurity


The OCC’s stance mirrors FINRA’s — with a sharper focus on operational resilience. In 2023, the OCC issued joint inter-agency TPRM guidance that marked a clear shift in regulatory expectations. Earlier OCC-only guidance from 2013 and 2020 laid important groundwork but was often viewed as prescriptive and inconsistent with what the FDIC and Federal Reserve expected. The 2023 update changed that by unifying all three agencies under a single framework. More importantly, it pushed banks to adopt a risk-based, enterprise-wide approach across the full third-party lifecycle, moving beyond check-the-box reviews. It also explicitly addressed fourth- and fifth-party subcontractor risks for the first time.

This focus continues in the OCC’s 2025 Bank Supervision Operating Plan and 2025 Cybersecurity and Financial System Resilience Report, which place operational risk — especially cybersecurity, third-party risk, and IT lifecycle management — at the top of supervisory priorities, confirming that these risks remain non-negotiable for banks. Ironically, in April of this year, the OCC reported a significant cybersecurity breach that exposed around 150,000 of its emails, some of which included sensitive supervisory data, prompting a comprehensive review of its policies, systems, and controls for incident detection, prevention, and overall cybersecurity resilience.


Recent OCC disciplinary actions:

  • In August 2020, the OCC imposed an $80 million civil monetary penalty on Capital One following a significant data breach that exposed the personal information of over 100 million individuals. This enforcement action marked the first substantial penalty by the OCC related to a data breach.

  • In January 2024, the OCC issued a consent order against Blue Ridge Bank, citing significant deficiencies in its BSA/AML compliance and third-party risk management (TPRM) practices. This marked the bank’s second regulatory action in just 18 months. The order restricts the bank from expanding its fintech partnerships without prior OCC approval and mandates the creation of a formal TPRM program.

  • In December 2024, the OCC issued a comprehensive cease-and-desist order against USAA Federal Savings Bank, citing significant deficiencies in information technology management and third-party, affiliate, and shared services risk management, among other areas. The bank’s history of multiple data breaches highlights ongoing challenges in these domains. Previously, the OCC had imposed a $60 million civil money penalty on the bank.


Key lessons for banks and corporate credit risk teams


  1. Cyber and third-party risks are now regulatory priorities: FINRA and the OCC have made it clear that cybersecurity and TPRM are no longer optional compliance areas — they are core to financial stability and supervisory expectations.

  2. Outsourcing doesn’t outsource accountability: Multiple enforcement cases demonstrate that even when functions are outsourced to vendors, banks remain fully responsible for oversight, performance, and compliance outcomes.

  3. Weak controls can quickly become costly: Enforcement actions and fines demonstrate that even preventable gaps (like lack of MFA, failed alert reviews, or incomplete message capture) can result in major penalties and reputational harm.

  4. Operational resilience = credit resilience: Cyber and third-party disruptions can directly affect liquidity, customer trust, and portfolio performance. For credit risk teams, that means integrating operational risk insights into credit models and monitoring frameworks.

  5. Regulators expect a lifecycle approach: The OCC’s 2023 inter-agency guidance emphasizes continuous risk management — from vendor onboarding to termination — including oversight of fourth- and fifth-party relationships.

  6. Data-driven governance is essential: Regulators increasingly expect banks to demonstrate proactive monitoring, incident response testing, and the quantitative and qualitative tracking of cyber and vendor risks, not just policy documentation.

  7. Resilience can’t be achieved through paperwork alone: FINRA’s message is simple – having policies isn’t the same as being protected. Firms need to prove their controls actually work, not just that they exist.


Building resilience with AQM + TRaiCE


At AQM + TRaiCE, we help banks meet these expectations. TRaiCE, our AI-enabled risk management platform, gives credit and risk teams real-time visibility into vendor performance, helping them spot issues early through enhanced due diligence and continuous monitoring. AQM complements this with proven cybersecurity testing solutions that uncover vulnerabilities across both your systems and your vendors’ digital ecosystems. Together, we help banks strengthen vendor oversight, build cyber resilience, and stay aligned with FINRA and OCC standards.


Ready to strengthen your bank’s cyber and vendor resilience? Reach out to us at info@traice.io or schedule a demo to learn how we help your bank stay ahead of risks and in line with regulatory standards.

