- OCC, Federal Reserve, and FDIC issued unified interagency guidance on third-party relationship risk management in 2023, establishing consistent regulatory expectations across US banking supervisors.
- Financial institutions must implement enhanced due diligence, ongoing monitoring, and termination protocols for all third-party vendors handling critical functions or sensitive data.
- Guidance applies immediately to banks of all sizes, with particular emphasis on technology providers, payment processors, and cloud service vendors that support core banking operations.
Coordinated Regulatory Framework Takes Shape
The Office of the Comptroller of the Currency (OCC), Federal Reserve, and Federal Deposit Insurance Corporation (FDIC) issued unified interagency guidance addressing third-party relationship risk management in Bulletin 2023-17. This coordinated approach signals heightened regulatory concern over the growing dependence of financial institutions on external vendors and service providers. Rather than issuing separate directives, the three primary US banking regulators aligned their expectations to create clarity and consistency for regulated entities managing complex vendor ecosystems. The guidance reflects post-pandemic recognition that supply chain vulnerabilities and vendor failure represent material risks to banking system stability.
The framework applies to all bank holding companies, national banks, and state member institutions, regardless of asset size. However, larger institutions with more complex third-party arrangements face proportionally stricter oversight demands. The regulators specifically flagged technology providers, payment processors, cloud infrastructure operators, and cybersecurity vendors as categories requiring elevated scrutiny.
Mandatory Due Diligence and Ongoing Monitoring Requirements
Under the new framework, financial institutions must conduct comprehensive initial due diligence before engaging third parties, with particular focus on operational resilience, financial stability, data security practices, and regulatory compliance history. Banks cannot rely on vendor self-certifications alone; documentation and verification are mandatory. The guidance requires assessment of vendor concentration risk—meaning banks must evaluate whether critical functions depend too heavily on a single provider, creating systemic vulnerability.
Ongoing monitoring is not optional. Banks must establish mechanisms to track vendor performance, conduct periodic reassessments, and maintain audit trails. The regulators explicitly expect institutions to review service-level agreements (SLAs), contractual termination rights, and data portability provisions. For vendors handling customer data or payment processing, banks must verify compliance with applicable data protection and cybersecurity standards on at least an annual basis.
“Banks cannot rely on vendor self-certifications alone; documentation and verification are mandatory under the new interagency framework.”
Termination Protocols and Business Continuity Demands
The guidance requires banks to maintain exit strategies and transition plans for all material third-party relationships. This includes documented procedures for orderly vendor termination, data retrieval, and operational handoff. Institutions must ensure continuity of critical services even if a vendor suddenly becomes unavailable due to bankruptcy, cyberattack, or regulatory action. Banks should test transition scenarios regularly, rather than assuming smooth vendor transitions will occur in practice.
Implications for Fintech and Emerging Tech Vendors
This framework creates elevated compliance barriers for fintech platforms, API aggregators, and emerging technology providers seeking banking partnerships. Established vendors with mature compliance programs gain a competitive advantage. Early-stage companies must now budget for regulatory due diligence responses, financial audits, and security certifications to win institutional banking contracts. The guidance effectively codifies prudential oversight into vendor selection, making regulatory alignment a commercial necessity.
This coordinated interagency stance closes loopholes that previously allowed banks to compartmentalize vendor risk across different regulatory jurisdictions. Fintech and cloud vendors now face standardized due diligence demands across OCC-, Federal Reserve-, and FDIC-supervised institutions. For investors in banking-adjacent technology, this signals a consolidation trend—vendors with strong compliance infrastructure will capture market share, while smaller players without regulatory maturity will struggle to scale beyond niche partnerships or face acquisition by larger, better-resourced competitors.