Updated June 20, 2019
Technology Service Providers for Banks
Surveys suggest that convenience is the primary reason why consumers select a bank or credit union. Features such as mobile and online banking have become an important contributor to consumer satisfaction. As more banking transactions are conducted digitally, financial institutions that lack in-house expertise are increasingly relying upon third-party vendors, specifically technology service providers (TSPs). TSPs develop the software and customer interfaces for customer account and payment services as well as maintain the digital technology.

As reliance on TSPs grows, regulators are scrutinizing how banks manage their operational risks, the risk of loss having to do with failed internal controls, people, and systems, or from external events (as defined by the Basel Committee on Bank Supervision). Rising operational risks, specifically in the form of cyber risks (e.g., unauthorized access to customer data), have compelled regulators to scrutinize security programs aimed at mitigating operational risk. Cyber-related disruptions can potentially weaken public trust and confidence in the financial system, thus increasing the potential of a systemic risk panic (i.e., run on bank) event. Consequently, managing cyber-related risks (relative to other types of financial risks) and the associated costs have grown in importance.

Regulatory Background

Banking regulators have a broad set of authorities to supervise vendors, such as TSPs, that have contractual relationships with banks. In addition, using vendors does not reduce an institution’s responsibility to ensure that actions are performed in a safe and sound manner. Activities conducted through a TSP must meet the same regulatory requirements as if they were performed by the supervised depository institution itself.

Two laws are of interest: the Bank Service Company Act (BSCA; P.L.87-856) and the Gramm-Leach-Bliley Act (GLBA; P.L. 106-102). The BSCA provides federal depository institution regulators with authority to examine and regulate TSPs that provide services to banks, including check and deposit sorting and posting, preparation of statements, notices, bookkeeping, and accounting. Section 501 of GLBA requires federal depository regulatory agencies (as well as the Federal Trade Commission) to establish appropriate standards for financial institutions to ensure the security and confidentiality of customer information. In 2001, the prudential depository regulators issued interagency guidelines requiring banks to establish information security programs that, among other things, regularly assess the risks to consumer information (in paper, electronic, or other form) and implement appropriate policies, procedures, testing, and training to mitigate risks that could cause substantial harm and inconvenience to customers. The guidance requires banks to provide continuous oversight of vendors to ensure that appropriate security measures are maintained.

The regulators periodically update guidance pertaining to vendors. For example, the Federal Deposit Insurance Company (FDIC) emphasized in a 2008 Financial Institutions Letter (Guidance for Managing Third-Party Risk) that a financial institution’s management is ultimately responsible for risks arising when activities are conducted through third-party relationships. In October 2012, the Federal Financial Institutions Council (FFIEC) issued a revised Supervision of Technology Service Providers booklet; the Federal Reserve System, the FDIC, and the Office of the Comptroller of the Currency concurrently issued new Administrative Guidelines for the Implementation of the Interagency Program for the Supervision of Technology Service Providers. In April 2014, the FDIC re-issued suggested guidelines for bank directors to consider when outsourcing essential banking functions to TSPs. The National Credit Administration (NCUA), the primary regulator for the credit union system, shares similar concerns. (See “Additional Resources” below.)

Concerns Related to TSP Relationships

The Office of Inspector General at the FDIC (OIG-FDIC) frequently audits the FDIC’s oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage. In the 2017 audit, the OIG-FDIC reviewed 48 contracts negotiated between TSPs and 19 banking firms and underscored the following concerns.

• Some contracts lacked provisions that would contractually require TSPs to implement appropriate measures to meet objectives stated in the Interagency Guidelines (e.g., protecting against unauthorized access to or use of sensitive nonpublic personal information).

• Some contracts lacked provisions that would establish business continuity plans, or provisions specifying how quickly operating systems would be restored after a cyber-related disruption. Some contracts had limited information and assurance that TSPs would have sufficient recovery capabilities if their systems were compromised.

• Some contracts lacked provisions that would require TSPs to provide incident response reports after an adverse incident. OIG-FDIC stated that banks should be notified when incidents, such as unauthorized access or misuse of customer information stored in a TSP’s data system, occur; the actions taken; the response times; and controls taken to prevent further adverse incidents.
https://crsreports.congress.gov
• The TSPs drafted most of the contracts reviewed by the OIG-FDIC. As a result, some contracts’ terms may not have been clearly defined, making it difficult to understand the rights and responsibilities of both parties. Although contracts negotiated between larger banks and TSPs typically contain more detailed provisions, the OIG-FDIC still noted inconsistencies in operational risk-mitigation procedures and expectations.

• The OIG-FDIC noted that 41 of the 48 contracts it reviewed allowed TSPs to use subcontractors, further increasing compliance, operational, and reputational risks. In June 2008, however, the FDIC stated that contracts should prohibit TSPs from subcontracting unless the same due diligence standards used to select the TSP are met by subcontractors. The OIG-FDIC did not find sufficient evidence that comprehensive due diligence was performed by some banking firms.

Coordination Among Regulators

Collaboration among financial regulators may facilitate detection of potential financial risks. Federal, state, and self-regulatory organizations have entered into information-sharing agreements to facilitate oversight responsibilities and coordinate compliance challenges. U.S. federal financial regulators on the Financial Stability Oversight Council share information to detect systemic risks to the U.S. financial system. H.R. 241, the Bank Service Company Examination Coordination Act of 2019, would clarify the authority of state regulators to examine certain TSPs in coordination with federal regulators. The bill would also provide for information sharing between state and federal regulators with respect to TSPs in an attempt to facilitate the detection of operational risks related to cyber disruptions.

Challenges for Financial Institutions

While regulators continue to express concerns that banks may face operational risks as a result of their relationships with TSPs, enhanced compliance standards may pose challenges for banks, particularly for community banks and small credit unions.

• It may be costly for institutions to conduct appropriate diligence when selecting TSPs or to structure contracts that adequately protect against possible TSP risks. Smaller banks may also lack the resources to monitor contract compliance to insure that the TSPs are adhering to GLBA and other regulatory requirements.

• Although the industry consists of many TSPs, only a few large TSPs currently provide the majority of digital products to the financial industry. The market power of the large TSP firms potentially could lead to high prices for TSP services, which small institutions may be less able to pay than larger institutions.

• Given lower transaction volumes and costly digital services, some industry observers report that community banks have adopted digital processing technology at slower rates relative to larger banking and fintech firms, possibly inhibiting their ability to compete in various niche product markets. Additional requirements placed on TSP contracts will likely increase the costs for some of the small depository institutions to close existing technology gaps.

Additional Resources

Office of Inspector General—FDIC, Technology Service Provider Contracts with FDIC-Supervised Institutions, Office of Audits and Evaluations, Report No. EVAL-17-004, February 2017.

Office of Inspector General—NCUA, Audit of the NCUA Information Technology Examination Program’s Oversight of Credit Union Cybersecurity Programs, Report No OIG-17-08, September 28, 2017.

Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. Part 364, February 2001, at https://ithandbook.ffiec.gov/media/resources/3530/occ-12cfr30_ap_b_inter_guid_estab_stand_safe_info.pdf.

Interagency Guidelines Establishing Standards for Safeguarding Customer Information, Federal Reserve System Examiner Guidance, at https://www.federalreserve.gov/boarddocs/srletters/2001/sr0115a1.pdf.

International Convergence of Capital Measurement and Capital Standards: A Revised Framework Comprehensive Version, Basel Committee on Banking Supervision, June 2006, at https://www.bis.org/publ/bcbs128.pdf.

FDIC, Guidance for Managing Third-Party Risk, FIL-44-2008, June 6, 2008.

FDIC, Technology Outsourcing: Informational Tools for Community Bankers, FIL-13-2014, April 7, 2014.

Government Accountability Office, Better Information Sharing Among Financial Services Regulators Could Improve Protections for Consumers, GAO-04-882R, June 29, 2004, at https://www.gao.gov/products/GAO-04-882R.

Government Accountability Office, Financial Technology: Additional Steps by Regulators Could Better Protect Consumers and Aid Regulatory Oversight, GAO-18-254, March 2018, at https://www.gao.gov/assets/700/691290.pdf.

NCUA, Evaluating Third Party Relationships, Letter No.: 07-CU-13, December 2007.

Penny Crosman, “Can Big Four Core Banking Vendors Oligopoly Be Broken?” American Banker, October 7, 2013.

Andy Peters, “Why Fewer Consumers Are Switching Banks,” American Banker, April 25, 2019, at https://www.americanbanker.com/news/why-fewer-consumers-are-switching-banks.

Darryl E. Getter, Specialist in Financial Economics
IF10935
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10935 · VERSION 4 · UPDATED