What Insurance Should Banks Require From Their Vendors?
Banks should require vendors to carry general liability, and for any vendor that touches customer data or funds, cyber liability and technology errors and omissions coverage, plus a crime or fidelity bond where the vendor handles money. Limits scale with the vendor risk tier: a core processor or fintech partner is held to far higher limits than a landscaping contractor. Regulatory guidance on third-party relationships expects banks to assess and monitor that insurance, so the requirement is not just a contract term; it is a control examiners look for.
The hard part is not writing the requirement. It is matching the right coverage to the right vendor and proving, on demand, that every vendor still meets it. This guide walks through the coverages a financial institution should require, how to tier them, and how to keep the evidence current.
What insurance do banks require from vendors?
At a minimum, banks require commercial general liability from nearly every vendor, with the institution named as additional insured for vendors whose work creates third-party exposure. From there the requirements branch by what the vendor does. A technology vendor adds cyber and professional liability. A vendor handling cash adds a crime bond and auto liability. A contractor on bank premises adds workers' compensation and umbrella coverage. The point is that one generic checklist does not fit a vendor portfolio that ranges from a core processor to a window cleaner.
Because the stakes differ so much, most institutions group vendors into risk tiers and write coverage requirements per tier. That tiering is also what federal guidance on managing third-party relationships expects, so it serves compliance and practicality at the same time.
Why do banks need cyber liability insurance from technology vendors?
Banks need cyber liability insurance from technology vendors because a vendor that stores, transmits or processes customer information can cause a data breach the institution is ultimately answerable for. Cyber liability coverage funds breach response, notification, regulatory defense and third-party claims arising from that vendor's incident, so the cost lands on the party that caused it. General liability almost always excludes data breach, which is why a separate cyber requirement is essential for any data-handling vendor.
For critical technology and fintech partners, pair cyber liability with technology errors and omissions coverage, which responds when the vendor's service itself fails or performs negligently. The two cover different failure modes, and a bank exposed to both should require both.
What is technology errors and omissions insurance?
Technology errors and omissions, or tech E&O, is professional liability for technology companies. It covers financial loss a client suffers because the vendor's software or service failed, contained an error, or did not perform as promised. For a bank relying on a payments platform, a loan-origination system or a data provider, tech E&O is the coverage that responds when the product breaks in a way that causes the institution a loss, separate from any data breach.
Many technology vendors carry a combined cyber and tech E&O policy. When you review the certificate, confirm both exposures are actually covered and read the limit for each, because a single shared limit can be lower than it looks once a claim hits both parts.
What is a crime or fidelity bond and which vendors need it?
A crime or fidelity bond covers theft, fraud and dishonest acts by a vendor's employees. Banks require it from any vendor that handles cash, processes payments, has access to accounts, or works inside systems that move money: armored carriers, cash-handling and ATM services, payment processors, and some collections and servicing firms. The bond protects the institution from internal theft at the vendor that general liability and cyber policies do not address.
The required bond amount should reflect how much money the vendor can touch. A small change in scope, such as a vendor gaining access to a new payment system, can change the bond requirement, which is one more reason vendor insurance needs ongoing review rather than a one-time onboarding check.
How much insurance should a bank require from a vendor?
Required limits depend on the vendor risk tier and the exposure it creates, not a single number. Critical vendors that process customer data or large dollar volumes often carry seven and eight figure limits across primary and excess layers. Standard, low-risk vendors may need only baseline general liability. The figure that matters is the one your vendor management policy and contract set for that tier, because that is the obligation you are enforcing on the certificate.
Whatever limits you set, read the certificate against them carefully. A vendor can show a healthy primary limit and still fall short of a required combined limit once excess layers are accounted for, and high-limit requirements are exactly where a manual review tends to slip.
How do banks verify and monitor vendor insurance?
Banks verify vendor insurance by collecting a certificate of insurance from each vendor and checking the coverages, limits, additional insured wording and dates against the requirement for that vendor tier. The discipline is the same as certificate of insurance verification in any industry: confirm the right coverage is in force, at the right limit, and current. The difference for a bank is the volume and the cyber and professional coverages that have to be confirmed, not assumed.
Monitoring is where a one-time check fails. A policy on a critical vendor can be cancelled or non-renewed between annual reviews, leaving the institution exposed until the next look. That is why examiners expect continuous monitoring, and why COI tracking for financial institutions reads each certificate, checks it against the requirements for that vendor tier, and flags expirations and gaps as they appear. Branch and facility contractors are tracked the same way as subcontractor COIs for contractors, and pulling every vendor certificate into one place is what certificate of insurance management software is built to do.
Fitting insurance verification into vendor onboarding
Verifying coverage is one step in a larger third-party onboarding workflow. Many institutions collect a vendor W-9, SOC report and licenses by extracting them with AI document data extraction, send the master service agreement out for signature with online document e-signing, and manage what they pay those vendors through accounts payable automation. Keeping the insurance check automated keeps it from being the step that holds up onboarding a vendor the business is waiting on.
The bottom line
Banks should require general liability from nearly every vendor, add cyber and technology E&O for anyone touching customer data, and require a crime bond from vendors that handle money, with limits set by risk tier. The requirement is only as good as the proof behind it, so verify each certificate at onboarding and monitor it continuously. Across a full vendor portfolio, automating that work is the difference between evidencing vendor insurance for an exam in minutes and reconstructing it from email under pressure.