May 22, 2026

MEMBER ALERT
Consumer Bankers Association
cbanews@consumerbankers.com

Leading Banking and Fintech Groups Outline Proposed Third-Party Risk Management Reforms to Federal Banking Agencies

What Happened

Today, the Consumer Bankers Association (CBA), American Fintech Council (AFC), the Coalition for Financial Ecosystem Standards (CFES), and the Independent Community Bankers of America (ICBA) released a new report outlining refined principles and proposed reforms to third party risk management (“TPRM”) guidance and supervisory expectations in the financial services industry. The joint report stems from a roundtable CBA convened earlier this month with the Alliance for Innovative Regulation, bringing together experts from banks, leading technology providers — including generative artificial intelligence (“AI”) and cloud service providers — industry associations, and current and former federal banking officials.

The joint report arrives at a pivotal moment for the U.S. banking system. Depositories today operate within a fundamentally different vendor ecosystem than the one that shaped existing third party risk management expectations — one characterized by hundreds or thousands of third-party relationships, rapidly evolving technology stacks, and structural dependence on a small number of key cloud providers and AI infrastructure developers.

Advancements in AI have accelerated this dynamic. Unlike more deterministic systems, generative AI models are updated continuously, may behave differently across contexts, and resist the type of static, point-in-time validation that existing supervisory frameworks were designed around. The result is a widening gap between what current guidance envisions and what is operationally achievable — one that the joint report explains can only be closed by reorienting supervisory expectations around materiality, continuous monitoring, and operational resiliency rather than documentation completeness at onboarding.

What We're Saying

The trade associations authoring the joint report explain:

“Bank technology stacks have fundamentally transformed, and supervisory expectations need to keep pace. The central question in third-party risk management can no longer be whether a bank can eliminate all risks at the outset of a vendor relationship; increasingly, we must ask whether banks are able to identify, monitor, and contain risks in real time. The capabilities to fully realize that vision are still maturing, but we look forward to working with regulators to chart a path toward a framework that is honest about where the industry and supervisory expectations are today, and ambitious about where both need to go.”

Why It Matters

The modern economy runs on interconnected, API-driven business models — and banking is no exception. Those relationships are what allow banks to offer consumers cutting-edge tools, maintain the operational stability customers depend on, and build the cybersecurity infrastructure no single institution could develop alone. But the supervisory framework governing how banks oversee those relationships was built for a world in which banks ran their own data centers and managed a handful of known vendors — and that mismatch is increasingly getting in the way.

At CBA’s roundtable, depositories, fintechs, and other service providers across a range of institution sizes and business models generally expressed support for the principles-based structure of the existing interagency guidance and did not call for large-scale revisions to the framework. At the same time, the symposium discussions revealed a growing disconnect between the assumptions underlying regulators’ current supervisory framework and the operational realities of today’s banking and technology environment.

The resulting joint report highlights that current TPRM expectations were developed for a different era of banking technology and vendor relationships. Today’s operating environment is defined by increasingly complex technology stacks, concentrated service-provider markets, and rapidly evolving AI systems that do not fit neatly within traditional supervisory models.

Without recalibration, institutions may face growing challenges balancing supervisory expectations with operational realities, particularly when dealing with large cloud providers and AI developers where contractual leverage and visibility may be limited.

Key Recommendations

The report outlines several recommendations designed to modernize supervisory expectations while preserving the core principles of sound risk management:

• Preserve the interagency guidance’s principles-based structure while maintaining sufficiently detailed expectations regarding diligence, governance, and contracting practices;

• Reinforce through examiner training, supervisory calibration, and appeals processes that third party risk management reviews should remain risk-based, materiality-focused, and tailored to the nature of the relationship being examined;

• Recognize and accommodate the practical limitations banks face when dealing with concentrated or market-dominant vendors, including hyperscale cloud and AI providers, and avoid criticizing banks for failing to obtain information that is not commercially available;

• Clarify that banks are responsible for assessing the adequacy of their direct vendors’ third party risk management programs and ensuring that risk-management expectations appropriately cascade downstream, but are not expected to directly supervise every fourth- or nth-party relationship;

• Encourage the responsible use of AI and related technologies to support third party risk management functions and supervisory consistency, while making clear that AI-assisted processes remain subject to proportionate governance and human oversight expectations; and

• Support public-private standards-setting and certification initiatives that could help streamline vendor due diligence and improve consistency across institutions and regulators.

Our Thought Bubble

CBA believes the current third party risk management framework remains fundamentally sound but requires recalibration to better reflect today’s operational and technological realities.

As banks increasingly rely on complex vendor ecosystems and AI-enabled technologies, supervisory approaches should remain focused on materiality, operational resiliency, and continuous risk monitoring rather than static documentation exercises alone.

CBA supports maintaining strong governance and accountability standards while ensuring expectations remain practical, risk-based, and appropriately tailored to evolving technologies and market structures. We particularly welcome standard-setting and certification efforts. And over the longer term, we encourage regulators to support the evolution of continuous monitoring capabilities; to look to the Bank Service Company Act as a tool for direct regulator engagement with service providers; and to consider reforms to confidential supervisory information to reflect the challenges of modern third-party risk management.

Looking Ahead

CBA will continue engaging with regulators, member institutions, technology providers, and other stakeholders regarding the future of third-party risk management supervision and oversight.

CBA also will continue advocating for supervisory approaches that preserve safety and soundness while supporting innovation, operational resiliency, and responsible adoption of emerging technologies.
