- Key insight: Many comment letters received by the Office of the Comptroller of the Currency called for regulators to more evenly share the burden of third-party oversight between banks and third-party service providers and provide more transparency into core service performance.
- Supporting quote: "Community banks face growing challenges in modernizing technology and remaining competitive due to legacy core system limitations, high integration and conversion costs, vendor concentration, and uncertainty in supervisory expectations, rather than a lack of willingness or capacity to innovate." — Kari Neckel, Vice President, Payments & Technology, Independent Community Bankers of America.
- Forward look: Regulators will now review the comments and incorporate them into any necessary reforms.
Banks and their trade organizations recently urged the Office of the Comptroller of the Currency to reevaluate third-party risk management rules given what they say is a highly concentrated market for core service providers.
In comment letters responding to the OCC's
"Community banks face growing challenges in modernizing technology and remaining competitive due to legacy core system limitations, high integration and conversion costs, vendor concentration, and uncertainty in supervisory expectations, rather than a lack of willingness or capacity to innovate," Kari Neckel, ICBA's Vice President Payments & Technology, wrote in the group's comment letter to the OCC.
ICBA said sharing due diligence of vendors with regulators, more accessible supervisory information on core providers and uniform examiner expectations could "reduce duplication, lower compliance costs, and improve community banks' ability to negotiate and manage third-party relationships."
Banks have long expressed concern about their lack of market power with regard to core service vendors, the largest three of which serve more than 70% of banks and around half of credit unions,
Comptroller of the Currency Jonathan Gould in November
The American Fintech Council, which represents more than 150 tech-oriented banks and financial services platforms, also flagged concentration, vendor lock-in and a lack of interoperability between providers. Community banks in particular, they say, are limited to a small number of vendors, which can hamper attempts to scale new products.
"While multiple vendors may exist in theory, only a narrow subset possess the scale, functionality, regulatory familiarity, and institutional track record necessary to serve as a bank's primary core processor," said AFC Chief Policy Officer Ian Moloney in the group's comment letter. "As a result, banks, particularly those seeking to pursue innovative activities or business models, operate within a market that does not properly meet their needs."
Slow modernization among core providers is particularly a drag on fintech-enabled services, according to AFC. The group urged the OCC to better align supervisory expectations with banks' effective market power over vendors.
The American Bankers Association's
"Community banks increasingly rely on third-party service providers to deliver AI-enabled tools," ABA wrote, adding that banks must manage operational and compliance risks "while competing with non-bank financial service providers that are not supervised as closely as banks."
One way OCC could accomplish this is through a greater regulatory focus on service providers themselves according to ABA. The group urged regulators to explore expanding direct examinations of vendors and publishing more information about core performance, including outages.
ABA also urged regulators to develop publicly available AI risk management protocols to establish consensus-based due diligence standards for third-party providers.
"We recommend that the OCC and other regulators support and participate in a new, market-based initiative" ABA said. "The goals of this initiative should be to establish AI standards that address issues such as model design, training data, data security, model validation and explainability, bias testing, performance monitoring, and other elements of safe and compliant AI use."
ICBA took a more examiner-focused approach, arguing more for fair application of regulations than outright changes. While principles-based third-party supervision is sound in theory, ICBA said examiners often apply it prescriptively, holding community banks to standards designed for much larger institutions with more leverage over vendors and resources available to comply.
"Community banks report that supervisory expectations for third-party due diligence are often unclear or applied inconsistently, and that partnering with fintechs or newer technology firms attracts heightened examiner attention compared to relationships with established, legacy providers," ICBA's letter said. "As a result, community banks frequently feel compelled to apply exhaustive due diligence processes regardless of the risk profile or criticality of the technology involved, diverting scarce resources and delaying implementation timelines."
While opposing new mandates or price controls on cores, ICBA urged the OCC to reduce regulatory friction through clearer supervisory expectations, shareable due-diligence tools, more access to regulator-reviewed information on vendors, and mechanisms such as FAQs or regulatory sandboxes.
In late January, ICBA announced that ICI Consulting had been selected as a Preferred Services Provider to help community banks assess vendor offerings and negotiate favorable contract terms.
"As community banks rely increasingly on third-party solutions for essential bank services, it is critical that these offerings are well vetted and align with the bank's strategic goals and priorities," ICBA Senior Vice President, Innovation Operations Adam Mahone said in a statement announcing ICI's selection. "We're pleased to work with ICI as our newest PSP and believe our community bank members will value this opportunity to achieve meaningful cost savings through ICI's experienced core and AI negotiation consultants."
Fiserv, one of the largest core service providers, responded to bank concerns in its
"This concentrated level of federal and state regulatory oversight and annual supervisory examinations is virtually unmatched across the financial services sector," Fiserv wrote. "We recognize the serious nature of the banks' concerns … [and] we are addressing them through investments in technology and personnel and an intense focus on operational performance and client service… Many of these customer service improvement initiatives [began] well before the RFI was released."
Fiserv framed its scale as an asset, allowing it to spread development costs across thousands of institutions, lowering the cost individual banks face and helping community banks to deliver "big bank" digital capabilities without building individual systems. The company cited billions in annual technology investment, and declining per-account pricing as evidence the market is functioning correctly.
Fiserv specifically cautioned against creating a public complaint registry for core service providers, arguing they could expose confidential business information and distort competition.
"Fiserv does not believe that community banks would be well served by the creation of a publicly searchable complaints database," the company wrote. "This outcome would undermine fair competition, disincentivize open and candid dialogue between banks and their technology partners, and ultimately distort the marketplace dynamics that the OCC seeks to protect."
