A focused course, tailored for you
The Bank Security Officer Vendor Exception Playbook
Decide vendor onboarding when the SOC 2 is qualified, the business has a deadline, and the OCC will read your notes.
The qualified SOC 2 Type 2 is on your desk, the business sponsor has a release date, and the file you write decides whether the relationship clears risk committee.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
Security Officers at large regulated banks live in the gap between a SaaS vendor's audit opinion and a line of business that has already signed a statement of work. The SOC 2 has a qualified opinion on change management. The penetration test is twelve months old. The vendor's sub-processor list grew since the last review and now includes an offshore engineering team in a jurisdiction your data residency policy does not cleanly cover. The relationship manager wants a decision by Friday. The risk-committee deck is due the week after. The OCC examiner's next sweep will pull a sample of your third-party files and read the residual-risk rating, the compensating-control register, and the exception memo against the bank's own policy. The course is the file you write when all four of those things are true at once.
What you walk away with
- Write a residual-risk rating worksheet that survives an OCC sample.
- Build a compensating-control register that maps to FFIEC CAT domains.
- Draft an exception memo a Chief Risk Officer will sign without rework.
- Set re-review triggers tied to vendor change events, not calendar cycles.
- Hand internal audit an evidence pack they can read without a meeting.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- Twelve written modules in the Art of Service learning environment.
- Downloadable residual-risk rating worksheet, compensating-control register, exception memo, evidence-pack index, and termination-plan template.
- Worked examples on a qualified SOC 2 Type 2 walkthrough.
- Hand-built implementation playbook tailored to your role and book of work, delivered alongside course access.
What you will have in hand by Day 1, Week 1, Month 1
Hour 0: course access in the learning environment, all twelve modules unlocked.
Hour 24: hand-built implementation playbook delivered, tailored to the bank's third-party risk operating model and the specific vendor categories on your current queue.
Ongoing: downloadable templates and worked examples available for re-use on every subsequent vendor file.
Before and after
The qualified SOC 2 sits on your queue while you reconstruct the residual-risk rating from memory, draft a compensating-control list that internal audit will rewrite, and write an exception memo that comes back for a third revision.
The vendor file is a structured artefact. The residual-risk rating ties to evidence. The compensating-control register maps to FFIEC CAT and names a bank-side owner for each control. The exception memo gets signed on first read. The internal audit evidence pack reads in five minutes.
What happens if you do not address this
The next OCC sample pulls a vendor file with a qualified SOC 2, an exception memo without a re-review trigger, and a compensating-control register that names no bank-side owner. The examiner finding is not the vendor. It is the file.
Who it is for
Security Officer in a regulated US commercial bank, sitting between vendor management, third-party risk, and the lines of business that source SaaS and fintech relationships. Owns the security input to onboarding decisions, the compensating-control register for accepted exceptions, and the evidence pack handed to internal audit and federal examiners. Reads SOC 2 Type 2 reports critically, owns the policy mapping to FFIEC CAT and the OCC heightened standards, and writes the memo a Chief Risk Officer will sign.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Three to four hours to read every module. Twenty minutes per template the first time you use it on a live vendor file, then five minutes per re-use.
Why $199 is the right number
The free FFIEC CAT documentation describes maturity but does not give you the residual-risk worksheet or the compensating-control register tied to it. The OCC bulletins describe expectations but do not give you the exception memo a Chief Risk Officer will sign. Vendor risk SaaS platforms automate the inbound questionnaire but do not write the file. This course writes the file.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.