CBA - Consumer Bankers Association

05/22/2026 | Press release | Distributed by Public on 05/22/2026 10:16

Financial Services Industry Outlines Proposed Third-Party Risk Management Reforms to Federal Banking Agencies

May 22, 2026
Weston Loyd

WASHINGTON, D.C. - The Consumer Bankers Association, along with the American Fintech Council, Coalition for Financial Ecosystem Standards, and Independent Community Bankers of America, today released a new report outlining refined principles and proposed areas for reform to third-party risk management (TPRM) in the financial services industry. The report comes as a result of a roundtable discussion CBA convened earlier this month with the Alliance for Innovative Regulation, which included experts from banks, leading technology providers including generative artificial intelligence (AI) and cloud service providers, industry associations, and current and former representatives of federal banking.

The report arrives at a pivotal moment for the U.S. banking system. Banks today operate within a fundamentally different vendor ecosystem than the one that shaped existing TPRM expectations - one characterized by hundreds or thousands of third-party relationships, rapidly evolving technology stacks, and structural dependence on a small number of hyperscale cloud providers and AI infrastructure developers that offer little meaningful opportunity for negotiation or substitution. The rise of AI has accelerated this dynamic: unlike more deterministic systems, AI models are updated continuously, may behave differently across contexts, and resist the kind of static, point-in-time validation that existing supervisory frameworks were designed around. The result is a widening gap between what current guidance envisions and what is operationally achievable - one that the report argues can only be closed by reorienting supervisory expectations around materiality, continuous monitoring, and operational resiliency, rather than documentation completeness at onboarding.

The organizations said this of the report:

"Bank technology stacks have fundamentally transformed, and supervisory expectations need to keep pace. The central question in third-party risk management can no longer be whether a bank can eliminate all risks at the outset of a vendor relationship; but increasingly, we'll need to ask whether banks are able to identify, monitor, and contain risks in real time. The capabilities to fully realize that vision are still maturing, but we look forward to working with regulators to chart a path toward a framework that is honest about where the industry and supervisory expectations are today, and ambitious about where both need to go."

Key Recommendations

Banks across a range of institution sizes and business models generally support the principles-based structure of the guidance and do not believe large-scale revisions to the framework are necessary at this time. At the same time, the assessment and roundtable discussions revealed a growing disconnect between the assumptions underlying the current supervisory framework and the operational realities of today's banking and technology environment. The report's key recommendations, which came out of the roundtable, are:

  1. Preserve the Interagency Guidance's principles-based structure and maintain sufficiently detailed expectations regarding diligence, governance, and contracting practices;
  2. Reinforce through examiner training, supervisory calibration, and appeals processes that TPRM reviews should remain risk-based, materiality-focused, and tailored to the nature of the relationship being examined;
  3. Recognize and accommodate the practical limitations banks face when dealing with concentrated or market-dominant vendors, including hyperscale cloud and AI providers, and avoid criticizing banks for failing to obtain information that is not commercially available;
  4. Clarify that banks are responsible for assessing the adequacy of their direct vendors' TPRM programs and ensuring that risk-management expectations appropriately cascade downstream, but are not expected to directly supervise every fourth- or nth-party relationship;
  5. Encourage the responsible use of AI and related technologies to support TPRM functions and supervisory consistency, while making clear that AI-assisted processes remain subject to proportionate governance and human oversight expectations; and
  6. Support public-private standards-setting and certification initiatives that could help streamline vendor due diligence and improve consistency across institutions and regulators.

Dive Deeper

To read the full report, click HERE.

CBA - Consumer Bankers Association published this content on May 22, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on May 22, 2026 at 16:16 UTC.