Executive Summary
Across 76 responses, most respondents acknowledged concrete impediments to using AI developed or provided by third parties and described risk-management practices to address them. Dominant challenges include vendor opacity and explainability gaps, data access and quality frictions, integration with legacy systems, and governance burdens. Institutions manage these risks through model risk management, rigorous due diligence, explainability tooling, continuous monitoring, and human oversight. The burden varies materially by size and complexity: smaller/community institutions face acute resource and data constraints, while prudentially regulated and more complex firms report heightened scrutiny and third-party AI/ML challenges.
Key takeaways:
- 89.47% Yes (68 of 76) indicated specific challenges or risk-management practices for third-party AI.
- Vendor opacity and explainability gaps impede due diligence and model risk management.
- Smaller/community institutions face resource limits and often rely on vendor attestations lacking independence.
- Connectivity failures, lengthy data-access negotiations, and data-quality issues slow adoption.
- Prudentially regulated and more complex institutions report greater challenges with third-party AI/ML.
- Regulatory ambiguity and legacy systems hinder integration and oversight.
- Institutions manage via MRM frameworks, testing/documentation, continuous monitoring, and human oversight.
- A lack of shared standards for explainability and governance leads to inconsistent practices.
Bottom line:
The hardest problems with third-party AI are transparency, data access/quality, and governance. Financial institutions mitigate these through risk-based third-party model governance, explainability and fairness testing, contractual controls, and human oversight—yet smaller/community institutions face steeper, more resource-intensive hurdles than larger, more complex peers.
The Question (Ref #10)
Please describe any particular challenges or impediments financial institutions face in using AI developed or provided by third parties and a description of how financial institutions manage the associated risks. Please provide detail on any challenges or impediments. How do those challenges or impediments vary by financial institution size and complexity?
Direct Response to the Catalog Question
Institutions struggle with vendor opacity and explainability, making it hard to understand model provenance, structure, and functionality for due diligence and MRM.
Data frictions—including connectivity failures, multi-year data-access negotiations, and data-quality/format issues—impede safe adoption of third-party AI.
Legacy system constraints and regulatory ambiguity further complicate integration, validation, and oversight of vendor solutions.
FIs manage risks through robust MRM: extensive testing/documentation, independent assessments where possible, continuous monitoring, and human-in-the-loop controls.
Challenges vary by size/complexity: smaller/community FIs lack expertise and data, often relying on vendor attestations that may lack independence; prudentially regulated/complex firms report heightened third-party AI/ML challenges.
Procurement and governance responses include contractual transparency requirements, fairness/explainability testing, and, for smaller FIs, proposals for centralized diligence/validation utilities.
By-the-numbers — Question 10
| Metric | Value |
|---|---|
| Total Yes | 68.0 |
| Total No | 8.0 |
| Total (Yes+No) | 76.0 |
| % Yes | 89.47% |
| % No | 10.53% |
| % of answers (coverage) | 100.0% |
Introduction
Question 10 asks for the specific challenges or impediments financial institutions face when using AI developed or provided by third parties and how they manage the associated risks, including how these challenges vary by institution size and complexity. The materials consistently point to opacity, data frictions, and governance burdens as core impediments, with mitigation anchored in risk-based model governance and third-party oversight.
Historic Lessons in the Evidence
Respondents emphasize that trust in third-party AI must be earned through transparency, rigorous documentation, and demonstrable predictiveness, robustness, and fairness. Over-reliance on vendor attestations is risky, particularly for smaller institutions; independent validation and human oversight help bridge capability gaps. Experience shows that explainability trade-offs and proprietary limits require structured governance and continuous monitoring to sustain accountability.
Recent Developments
Not observed in the provided materials.
The Challenge
Evaluating black-box vendor models under existing MRM and fair-lending expectations is difficult when access to model details is limited. Long data-sharing negotiations, uneven data quality, and legacy technology complicate onboarding and monitoring. Institutions must reconcile performance claims with explainability, fairness, and operational resilience, often under stricter expectations for prudentially regulated entities and with tighter resource constraints for community institutions.
Evolving Metrics
Respondents assess third-party AI using established MRM concepts and purpose-built criteria: demonstrate predictiveness, robustness, and fairness, apply explainability tools to support fair lending and governance, and conduct extensive testing and documentation with ongoing monitoring. Several note the absence of universal explainability standards and advocate scaling controls by risk and complexity.
A Framework Inspired by the Inputs
An implicit pattern emerges: use a risk-based third-party model lifecycle—pre-contract due diligence on data/model transparency; contractual requirements for documentation, audit rights, and data-access SLAs; independent validation where feasible; human-in-the-loop controls; continuous performance/fairness monitoring; and contingency plans. Smaller institutions augment gaps via shared frameworks/utilities and tighter vendor collaboration.
Case Study
A community lender adopts a third-party credit model but lacks internal AI expertise and large datasets. Procurement demands documentation and explainability demos, yet proprietary limits persist. The lender overlays MRM testing and fairness checks with explainability tools and human reviews but must rely partly on vendor attestations . To mitigate risk, it sets monitoring triggers and contingency procedures while exploring shared validation utilities to reduce burden.
Recommendations
- Require model provenance, documentation, and explainability demonstrations as contractual prerequisites for third-party AI.
- Implement risk-based third-party MRM with independent validation, continuous monitoring, and adverse-action readiness.
- Secure data-access SLAs and standardize data formats/lineage to reduce connectivity and data-quality risks.
- Avoid sole reliance on vendor attestations; require independent evidence of controls—especially for smaller/community institutions.
- Maintain human-in-the-loop oversight and define contingency/exit plans for vendor failures or model drift.
- Use shared utilities or centralized diligence/validation services to ease cost and expertise barriers.
- Train boards and executives on AI risks and responsibilities to close understanding gaps.
- Plan early for legacy integration and regulatory expectations through dependency mapping and supervisory engagement.
Conclusion
Most respondents agree that third-party AI introduces distinct impediments—opaque models, data frictions, legacy integration, and governance burdens—while also outlining practical risk-management controls. These challenges are not uniform: smaller/community institutions face sharper resource and data constraints, whereas prudentially regulated and more complex firms contend with heightened scrutiny. A risk-based third-party model governance approach—anchored in transparency, validation, explainability, and continuous monitoring—provides a viable path forward. Addressing size-based gaps through shared utilities and stronger contractual/data standards can materially reduce friction and risk.
This analysis will continue in our next publication. Don’t miss the next installment.
Follow us, stay informed, stay secure, and let’s navigate the risk landscape together.
