The vendor questionnaire vs AI – Is your TPRM program ticking boxes or connecting the dots?
For years, most banks’ third-party risk management has revolved around a familiar ritual – the vendor questionnaire. Two hundred questions. Detailed control attestations. Security certifications. Financial disclosures. A risk rating is assigned. A file archived. Then silence – until next year. But in a world where third-party vendor risk can evolve in weeks, does this time-honoured, static, tick-the-box exercise still work, and is it necessary? Or are banks trying to fight today’s risks with yesterday’s processes?
The uncomfortable answer is – both. It’s necessary, but it’s nowhere near enough.

The problem: The vendor said everything was fine. Three months later, it wasn’t
Imagine this: It’s time for the annual vendor check‑in. You send over your trusty form. They send back a perfect response. Cybersecurity policies? Checked. Business continuity plans? Updated. Financial position? Stable. Compliance certifications? Current. The vendor review is completed, approved, and archived. Everyone feels good. Everyone feels safe. Life is peachy.
Then the warning signs start appearing – not in the questionnaire, but in the real world.
A wave of employee exits and grievances on LinkedIn or Glassdoor. Customers complaining publicly about service quality. A legal dispute. News of a regional operational disruption. A sudden uptick in negative sentiment online. Staff frustration over leadership churn. None of it shows up in the bank’s official third-party risk workflow until much later. But by then, the problem is no longer ‘emerging risk.’ It is a service disruption followed by operational and reputational damage control.
This is the uncomfortable reality many financial institutions face: a vendor questionnaire captures what a vendor chooses to disclose at one moment in time. It does not capture what happens the day after submission, or whether the responses were accurate to begin with. And it rarely draws on the vast universe of unstructured data (news, filings, employee and customer commentary) that often carries a bank’s earliest warning signals. Many organizations feel this weakness firsthand: nearly 45% report challenges in obtaining timely and accurate vendor documentation.
The 2% problem
Third-party risk teams today face a strange contradiction: expanding responsibility with fixed, limited capacity. More than 60% of organizations overseeing 300+ vendors do so with just one or two dedicated TPRM staff, even as budgets remain largely unchanged. It is no surprise, then, that only 2% of financial institutions reassess vendor risk profiles every month, while the vast majority continue to rely on annual or ad-hoc reviews.
And the result of this stretched-thin monitoring model? In a Gartner survey, nearly 85% of risk professionals reported that vendor-related incidents had caused operational disruptions at their organizations. Two-thirds reported financial losses, a similar share faced heightened regulatory scrutiny, and more than half experienced reputational damage from those same incidents.
The consequences of the 2% problem - Recent examples
Recent third-party collapses have underscored the consequences of this monitoring model. When Synapse Financial Technologies filed for bankruptcy in 2024, many viewed it as a sudden shock. In reality, the warning signs had been accumulating for nearly a year: multiple workforce reductions, deteriorating partner relationships, the loss of a major client, and rising customer complaints all pointed to growing instability. The problem was not that the signals did not exist; it was that they were scattered across multiple data sources, so they were easy to miss until the crisis was already underway. For a deeper look at the warning signals that preceded Synapse's failure, see our prior blog on the topic.
Similarly, the collapse of Solid Financial Technologies in April 2025 was foreshadowed by a series of visible warning signs. Lawsuits, mounting regulatory scrutiny, strained banking relationships, and growing funding challenges had been accumulating for months before the bankruptcy filing. Yet when the company ultimately failed, partner banks and fintech customers still found themselves grappling with the operational and reputational repercussions of being tied to a failing partner.
And then there’s Wirecard, perhaps the clearest reminder that third parties can intentionally manipulate financial reporting and that risk teams should monitor warning signs beyond what appears in official disclosures.
What ties these cases together is not simply vendor failure, but the inability of traditional TPRM monitoring models to detect and escalate early warning signals quickly enough. Each failure was preceded by months of publicly observable signals that no annual questionnaire would have surfaced. In a risk environment that evolves daily, annual reviews and static assessments leave institutions reacting to crises instead of anticipating them.
Changing the equation with AI-led monitoring
AI does not replace governance processes. It augments them. AI-led third-party monitoring systems can ingest large volumes of structured and unstructured data: news, legal filings, regulatory actions, financial disclosures, credit bureau reports, customer sentiment shifts, leadership controversies, and more. In doing so, they help risk teams connect the dots across thousands of disparate signals, and they do this at a scale and frequency that manual processes cannot match, especially when hundreds of third parties are overseen by one or two dedicated TPRM professionals.
AI also enables deeper due diligence and verification of what the questionnaire says. If a vendor declares that no material litigation is pending, automated checks can scan court databases and regulatory records to test that claim. If a vendor reports financial stability, analysis of financial statements, credit bureau data, and market sentiment can surface early stress indicators. The same pattern applies to business continuity, staffing, and any other attestation for which an independent external signal exists.
The result is a fundamental shift in how third-party risk is managed. Instead of static risk assessments conducted once a year, organizations gain verified, dynamic risk profiles that evolve as new information emerges. And rather than reserving ongoing scrutiny for a small subset of high-risk vendors, institutions can extend continuous monitoring across their entire third-party ecosystem.
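To make the "tick the box, then cross-check the box" idea concrete, here is a small added example (not code from this page or from any product it describes) of the two operations the section above relies on: testing each questionnaire attestation against external signals that contradict it, and maintaining a recency-weighted risk score that rises as new signals arrive instead of waiting for next year's review. The vendor names, signal feed, severity weights, half-life and escalation thresholds are all constructed for illustration and are assumptions, not values from the article.

```python
"""Cross-check vendor questionnaire attestations against external signals.

Constructed example: vendor names, signals, severities and thresholds below
are made up for illustration and describe no real company or product.
"""
from dataclasses import dataclass, field
from datetime import date

# Which external signal kinds contradict which questionnaire claims.
# (Assumed mapping for the example; a real program would tune this.)
CONTRADICTS = {
    "no_material_litigation": {"lawsuit", "regulatory_action"},
    "financially_stable": {"layoffs", "funding_shortfall", "lost_major_client"},
    "bcp_tested": {"regional_outage"},
}

# Severity weight per signal kind (assumed values).
SEVERITY = {
    "lawsuit": 3.0, "regulatory_action": 4.0, "layoffs": 2.0,
    "funding_shortfall": 3.0, "lost_major_client": 2.5,
    "regional_outage": 2.0, "customer_complaints": 1.0, "leadership_exit": 1.5,
}


@dataclass
class Signal:
    vendor: str
    kind: str
    observed: date
    source: str          # e.g. "court_records", "news", "review_site"


@dataclass
class Attestation:
    vendor: str
    submitted: date
    claims: dict = field(default_factory=dict)   # claim name -> True/False


def contradictions(att, signals):
    """Return {claim: [signal, ...]} for claims answered True that a signal
    contradicts. A signal dated before submission means the answer may have
    been inaccurate; one dated after means the risk has changed since."""
    out = {}
    for claim, answered_yes in att.claims.items():
        if not answered_yes:
            continue
        hits = [s for s in signals
                if s.vendor == att.vendor and s.kind in CONTRADICTS.get(claim, ())]
        if hits:
            out[claim] = hits
    return out


def risk_score(vendor, signals, as_of, half_life_days=90):
    """Recency-weighted sum of severities: a signal's weight halves every
    half_life_days, so a lawsuit filed last month outweighs one from last
    year. Signals observed after as_of are ignored (point-in-time score)."""
    score = 0.0
    for s in signals:
        if s.vendor != vendor or s.observed > as_of:
            continue
        age = (as_of - s.observed).days
        score += SEVERITY[s.kind] * 0.5 ** (age / half_life_days)
    return round(score, 2)


def escalation(score):
    """Assumed thresholds mapping a score to an analyst action."""
    if score >= 6.0:
        return "escalate"
    if score >= 3.0:
        return "review"
    return "monitor"


def review_vendor(att, signals, as_of):
    """One row of the dynamic risk profile for a vendor."""
    score = risk_score(att.vendor, signals, as_of)
    return {
        "vendor": att.vendor,
        "score": score,
        "action": escalation(score),
        "contradicted_claims": sorted(contradictions(att, signals)),
    }


# Constructed sample feed: what an aggregator might have pulled by 2025-06-01.
AS_OF = date(2025, 6, 1)
SIGNALS = [
    Signal("AcmePay", "layoffs", date(2025, 2, 10), "news"),
    Signal("AcmePay", "lawsuit", date(2025, 4, 22), "court_records"),
    Signal("AcmePay", "customer_complaints", date(2025, 5, 20), "review_site"),
    Signal("Zeta Ledger", "leadership_exit", date(2024, 6, 1), "news"),
]
# Both vendors ticked the same boxes in January.
ATTESTATIONS = [
    Attestation("AcmePay", date(2025, 1, 15),
                {"no_material_litigation": True, "financially_stable": True}),
    Attestation("Zeta Ledger", date(2025, 1, 15),
                {"no_material_litigation": True, "financially_stable": True}),
]

if __name__ == "__main__":
    for a in ATTESTATIONS:
        print(review_vendor(a, SIGNALS, AS_OF))
```

Running it shows the point of the section: both vendors submitted identical "all clear" questionnaires in January, but by June AcmePay's two attestations are contradicted by a lawsuit and a layoff round and its score has crossed the review threshold, while Zeta Ledger's year-old leadership change has decayed to noise. The half-life decay is what keeps the profile dynamic; the contradiction check is what turns the questionnaire from a self-report into a testable claim.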

The future is hybrid - Tick the box and connect the dots
The future of TPRM is hybrid. Questionnaires will continue to serve an important governance and documentation function. But they should sit atop a continuous intelligence layer that operates in the background, scanning for early warning signs. In other words, you should be able to tick the box and connect the dots. This evolution matters more as regulators place greater emphasis on ongoing monitoring: the recent interagency guidance from the Federal Reserve, FDIC, and OCC explicitly calls for ongoing monitoring throughout the life of a third-party relationship, not only at onboarding and annual review. The guidance also highlights the need to monitor fourth- and fifth-party risks.
In this context, the 200-question spreadsheet is no longer the endpoint of vendor oversight. It’s the starting point. AI-led monitoring acts as an additional guardrail, helping banks move beyond periodic assessments and gain continuous visibility into risks across their entire third-party ecosystem.
Want to learn more? See how we helped a West Coast commercial bank strengthen its third-party risk management framework. Then schedule a demo to explore how your organization can achieve the same level of visibility and resilience.