I did say I was up on a soapbox. I agree with your statements about SLAs entirely.
As to the actual question -
I would think that the examiner would be interested in a formal assessment of the risk of continuing with that vendor under those terms.
What I mean by risk assessment is not just technical. It should include an assessment of what information that vendor has access to and what the possible damage to the institution would be if that vendor were to have an 'issue'.
You might want to create additional cover by formally communicating to the vendor that this is a requirement put on you by law and that you will not be renewing your contract with them if you are unable to incorporate the necessary language.
Ultimately, if your assessment shows that the risk of continuing with them without this language in place is too high, you may be forced to find another vendor and argue with them over the remainder of the contract.
Best move - write everything down in a comprehensive assessment of risk and be prepared for the discussion.
Sorry I can't give a better answer. Not an enviable position to be in either way.