CBA outlines recommendations for third-party risk management

The Consumer Bankers Association (CBA) was among several groups that released a new report outlining principles and proposed reforms for third-party risk management (TPRM) in the financial services industry.


CBA noted that the U.S. banking system currently operates within a different vendor ecosystem than the one that shaped existing TPRM expectations. The current environment is characterized by hundreds or thousands of third-party relationships, rapidly evolving technology stacks, and structural dependence on a small number of hyperscale cloud providers and AI infrastructure developers. The result is a widening gap between what current guidance envisions and what is operationally achievable.

The report — released by the CBA along with the American Fintech Council, Coalition for Financial Ecosystem Standards, and Independent Community Bankers of America — argues that the gap can only be closed by reorienting supervisory expectations around materiality, continuous monitoring, and operational resiliency, rather than documentation completeness at onboarding.

“Bank technology stacks have fundamentally transformed, and supervisory expectations need to keep pace. The central question in third-party risk management can no longer be whether a bank can eliminate all risks at the outset of a vendor relationship, but increasingly, we’ll need to ask whether banks are able to identify, monitor, and contain risks in real time. The capabilities to fully realize that vision are still maturing, but we look forward to working with regulators to chart a path toward a framework that is honest about where the industry and supervisory expectations are today, and ambitious about where both need to go,” the paper states.

The organizations made several key recommendations in the report. Specifically, they call for the following:

  • Preserve the Interagency Guidance’s principles-based structure and maintain sufficiently detailed expectations regarding diligence, governance, and contracting practices;
  • Reinforce through examiner training, supervisory calibration, and appeals processes that TPRM reviews should remain risk-based, materiality-focused, and tailored to the nature of the relationship being examined;
  • Recognize and accommodate the practical limitations banks face when dealing with concentrated or market-dominant vendors, including hyperscale cloud and AI providers, and avoid criticizing banks for failing to obtain information that is not commercially available;
  • Clarify that banks are responsible for assessing the adequacy of their direct vendors’ TPRM programs and ensuring that risk-management expectations appropriately cascade downstream, but are not expected to directly supervise every fourth- or nth-party relationship;
  • Encourage the responsible use of AI and related technologies to support TPRM functions and supervisory consistency, while making clear that AI-assisted processes remain subject to proportionate governance and human oversight expectations; and
  • Support public-private standards-setting and certification initiatives that could help streamline vendor due diligence and improve consistency across institutions and regulators.

The recommendations and report follow a roundtable discussion that CBA convened earlier this month with the Alliance for Innovative Regulation. The roundtable brought together experts from banks, leading technology providers including generative artificial intelligence (AI) and cloud service providers, industry associations, and current and former representatives of the federal banking agencies.