Financial Services Third-Party Programs Strain Under Growth
Articles Jake Lamb May 21, 2026
Many financial services organizations are struggling to keep pace with their growing number of vendors and rising regulatory expectations, according to Crowe’s 2025 Third-Party Risk Management Financial Services Benchmark Study. The complexity is forcing a shift toward automation, outsourcing, and more structured processes.
Most third-party risk management teams remain small and centralized, even as they oversee hundreds or thousands of third parties. Only 38% of organizations report having at least one dedicated third-party risk management professional per 100 vendors — a commonly cited benchmark. According to the study, that gap suggests staffing and resourcing have “largely plateaued,” pushing organizations to find efficiencies elsewhere.
Collaboration is another pain point. Many third-party risk management teams rely on other departments, such as information security, finance, and compliance, to assess risk. More than half of respondents say collaboration among these stakeholders and subject-matter experts is a major challenge for third-party programs. Without clear roles and escalation paths, this model can lead to inconsistent outcomes and duplicated work.
Somewhat ironically, organizations are increasingly outsourcing key activities to another third-party to help manage the workload. About 38% of the study’s respondents outsource at least part of their third-party risk management function, most often assessments and third-party oversight. This approach helps the function continue third-party monitoring without significantly increasing headcount.
At the same time, third-party processes are becoming more refined. Nearly two-thirds of organizations now assess vendors for artificial intelligence (AI) risk, signaling a shift toward treating AI as its own risk category.
Risk tiering practices are also evolving. According to the study, "more organizations rely on third-party-level risk tiering than engagement-level tiering,” using scoring models or weighted questionnaires to determine overall inherent risk ratings. In addition, 84% of respondents tailor assessments based on vendor-risk level, allowing teams to focus more effort on higher-risk outcomes.
Technology is expected to play a larger role in the future of third-party risk management in the financial services industry. While 71% of organizations have not yet adopted AI tools to directly support their third-party risk management function, nearly half plan to do so within three years. The study points out that AI adoption in financial services organizations tends to lag other industries, “due to regulatory oversight, data governance requirements, and model risk considerations.”
Looking ahead, most organizations expect third-party risk management budgets to grow, with investments focused on technology and expanding risk coverage.