Due Diligence and Ongoing Monitoring


Seeking Input: Tiering BaaS Partners by Criticality Within a Vendor Management Framework

  • 1.  Seeking Input: Tiering BaaS Partners by Criticality Within a Vendor Management Framework

    This message was posted by a user wishing to remain anonymous
    Posted 07-21-2025 11:20 AM

    I'm currently developing a vendor tiering structure within our third-party risk management (TPRM) system and would appreciate insight from others in the banking space.

    Specifically, how are you tiering Banking-as-a-Service (BaaS) partners in relation to traditional bank vendors? Are BaaS partners included in your existing vendor tiers based on criticality (e.g., Tier 1 - Critical, Tier 2 - High Risk, etc.), or do you maintain a separate tiering structure specifically for BaaS relationships given their distinct oversight needs?

    I'm trying to determine whether these partners should be integrated into the broader vendor tiering model or handled in a standalone structure. Any input or examples of your approach would be very helpful.



  • 2.  RE: Seeking Input: Tiering BaaS Partners by Criticality Within a Vendor Management Framework

    This message was posted by a user wishing to remain anonymous
    Posted 07-23-2025 08:57 AM

    We recently moved to integrate BaaS partners into our existing vendor tiering model, rather than siloing them into a separate structure. Initially, we considered a standalone approach for BaaS due to their unique risk profile and oversight needs. However, we found that separating BaaS from our broader tiering caused downstream challenges, particularly with maintaining consistency in risk assessment, reporting, and oversight across the enterprise.

    Currently, we classify BaaS partners as Tier 2 for GLBA by default, but if a partner presents higher risk (e.g., due to greater data volumes or critical system access), we may elevate them to Tier 1 based on our standard risk criteria. Integrating BaaS partners into the established tiers ensures a consistent risk-based approach across all third-party relationships, making it easier to apply controls, monitor risk, and report on vendors holistically. We do maintain the ability to identify and track BaaS partners specifically; our system includes a BaaS flag or "button" for targeted reporting and oversight.