Stefan Peekel on How Regulatory Pressure Reshapes Vendor Risk Management at Banks

As global regulators sharpen their focus on third-party risk, financial institutions are being pushed to evolve from periodic vendor assessments to continuous oversight. We sat down with Stefan Peekel, Chief Growth Officer at Owlin, to discuss why this shift is happening, what it means for banks, and how explainable AI can help drive regulatory compliance in vendor risk management. 

Why are regulators putting so much emphasis on continuous vendor monitoring?

“In short, because risk doesn’t wait until you do your next risk review. If you think about it, most banks have traditionally conducted point-in-time reviews, such as annual or bi-annual check-ins, to confirm that vendors remain compliant. But in today’s interconnected ecosystem, that’s simply too slow. Vendors evolve, markets shift, and new exposures can emerge overnight. Regulators have recognized that periodic due diligence leaves dangerous blind spots between reviews.”

Can you give us some examples of this regulatory shift?

“Definitely. We’re seeing it on both sides of the Atlantic. In the U.S., the Interagency Guidance on Third-Party Relationships clearly emphasizes that banks should continuously monitor third-party relationships, not just at onboarding. And their Guide for Community Banks spells it out even more directly: Ongoing monitoring helps management ensure vendors perform as required throughout the contract term.”

“In Europe, we’re seeing the same trend. The EBA’s 2025 Draft Guidelines on the Sound Management of Third-Party Risk emphasize the importance of monitoring throughout the entire lifecycle as a core pillar of sound risk management. The ECB’s new guidance on cloud outsourcing also highlights that many institutions haven’t established proper controls for risk monitoring of ICT vendors, which is a significant issue. 

So across the board — OCC, Fed, EBA, ECB — the message is the same: vendor oversight must be continuous, risk-based, and data-driven. That’s a significant change for many institutions whose processes and systems were never built for it.”

How are banks responding to this new reality?

“From the 100 banks that we are currently working with, we are seeing that they are moving quickly. They’re rethinking how to maintain ongoing visibility into vendors’ operational, legal, and reputational standing without overwhelming their teams.

We just onboarded Owlin at a major European bank to continuously monitor its third-party portfolio. Within the first few months, the tool detected an emerging lawsuit against a service provider that had gone unnoticed by traditional systems.

It came from a small local newspaper. Without multilingual AI analysis, that signal might have been missed entirely until it became a real issue. For me, this example captures the core of the shift: continuous monitoring isn’t just about checking boxes, it’s about foresight.” 

What makes continuous monitoring so challenging to implement?

“Banks often work with thousands of vendors across dozens of countries, and manually tracking all those relationships is impossible. Most people think automating the monitoring is the hardest part. But that’s not the case. Even with automated tools, teams can struggle to connect the dots. The real challenge is ensuring teams aren’t overwhelmed by alerts, but instead receive valuable, actionable insights. 

Risk today hides in unstructured information: a lawsuit in Italy, a data-breach rumor in Brazil, or a customer protest in Singapore. At many banks, interpreting and connecting all this unstructured information still requires significant human effort.

With Owlin, you’ll gain broader, global visibility into your vendor ecosystem while spending less time sifting through signals. With risk scores, smart summaries, and event timelines, we deliver actionable risk intelligence, so teams can act faster, stay ahead of risks, and focus on mitigation rather than manual monitoring.

On average, we see that clients adopting our platform are reducing manual vendor review load by 40%. Time they can now spend on actual risk mitigation.”

So is regulation accelerating innovation?

“Absolutely. Regulation is becoming a catalyst. What used to be a compliance checkbox is now a strategic advantage. Continuous monitoring lets banks catch issues early, protect their customers, and build resilience into their operations.

The smartest institutions are already integrating AI into their workflows to enhance external intelligence. Not just for risk avoidance, but for better business decisions. When you know earlier, you act faster.”

How does Owlin fit into this regulatory and operational shift?

“Owlin bridges the gap between what regulators expect and what teams can realistically deliver. Our Monitoring solution runs 24/7, scanning millions of data points for risk changes in vendor behavior. It automatically summarizes events, whether a sanction update, legal dispute, or adverse media article, and provides the source links so teams can verify and act.

Owlin’s API-first architecture also means banks can integrate these insights directly into their existing vendor management or compliance systems without overhauling workflows. We’re not replacing the process. We’re enriching it. Continuous visibility, delivered where decisions happen.”

What’s your message for financial institutions facing growing regulatory pressure?

“Don’t wait for the next risk review. Continuous monitoring isn’t just a regulatory checkbox; it has become the new standard of resilience. With explainable AI and real-time intelligence, banks can move from reacting to risks to anticipating them. That’s not just compliance. That’s good business.”

Sources

  1. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency (2023). Interagency Guidance on Third-Party Relationships. https://www.federalreserve.gov/supervisionreg/srletters/sr2304a1.pdf?utm_source=chatgpt.com
  2. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency (2023). Guide for Community Banks. https://www.occ.gov/news-issuances/bulletins/2024/bulletin-2024-11.html 
  3. European Banking Authority (2023). EBA Draft Guidelines on the sound management of third-party risk. https://www.eba.europa.eu/sites/default/files/2025-07/33a0ee15-9601-4c2b-828e-1b09201a6e9f/CP%20on%20Draft%20Guidelines%20on%20sound%20management%20of%20third%20party%20risk.pdf 
  4. European Central Bank (2025). ECB Guide on outsourcing cloud services to cloud service providers. https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.supervisory_guides202507.en.pdf
