
Global Banking & Finance Review®


    New Developments in Third Party Service Provider Guidance

    Published by Gbaf News

    Posted on May 9, 2019


    Last updated: January 21, 2026


    By Jennifer Monty Rieker, Ulmer & Berne LLP


    Cyber threats, data security, the emergence of Fintech, and increased scrutiny of service providers remain at the top of the list of concerns for banks and financial institutions.  While internal processes and procedures provide risk management for companies, the use of third party service providers continues to present a risk in the face of new technology and emerging businesses.

    Outside Service Providers

    US financial institutions are subject to strict regulations. Whether regulated by the Office of the Comptroller of the Currency (“OCC”), Consumer Financial Protection Bureau (“CFPB”), or the Federal Deposit Insurance Corporation (“FDIC”), third-party relationships are subject to scrutiny.

    Third-party service relationships are business arrangements between financial institutions and another entity.  These relationships can be codified through contract or through course of business. The emergence of relationships with financial technology (Fintech) companies is subject to third-party servicer scrutiny. Fintech originated as companies that assisted financial institutions with the back end of operations. Now, Fintech has become a critical component to financial institutions, offering services from mobile payment applications to money transfers.

    Because these services affect the critical operations of financial institutions, the risk involved in using them can be high. The OCC, CFPB, and FDIC have all authored guidance on managing the risk of third-party service providers. Earlier this year, the OCC updated its prior third-party servicer guidance to address issues related to Fintech and cybersecurity.

    Risk Management

    Financial institutions are tasked with developing appropriate risk management processes that are commensurate with the risk level and complexity of their third-party relationships.  The OCC initially developed guidance using a cyclical approach to due diligence. As part of the process, a company using a third-party service provider should engage in a five-step inquiry:

    Planning – Before engaging a third-party service provider, a company should have a clear plan which details how to manage the relationship. When a third-party provides a critical service, more detailed planning is necessary.

    Due Diligence and Selection – Due diligence is required before selecting a third-party service provider. As part of the due diligence process, the service provider’s strategies and goals should be reviewed to ensure that they are in line with the company’s strategies and goals. The service provider should also be evaluated for the strength of its legal and regulatory compliance programs. Assessing its financial condition will help evaluate the risk related to financial stability. Information security and management of information systems are vital components that must be reviewed, as well as the use of subcontractors. Other items to consider are insurance coverage and other business relationships or commitments which may impact service.

    Contract Negotiation – Included in contract negotiations should be clear expectations of the service that will be provided, along with benchmarks for such performance. Delineating responsibility for maintaining records, permitting audits, and defining that the parties will comply with applicable laws and regulations are all part of the negotiation process. In light of recent natural disasters, companies should include disaster readiness and business resumption and contingency plans. The parties should also agree as to the terms of default and the ability to terminate the relationship. If a service provider is outside the United States, choice-of-law and jurisdictional provisions should be reviewed.

    Ongoing Monitoring – Throughout the course of the relationship, the parties should be continually evaluating performance. As part of the monitoring, there should be on-site visits, routine audits, and review of ongoing litigation.

    Termination – Relationships can terminate upon expiration of a contract, bringing an activity in house, or breach of a contract. Relationships should be terminated pursuant to the contractual requirements, and prior to termination, the planning process for the critical activity should have already begun.

    While this approach provides general guidance, the intricacies of working with Fintech and addressing cyber security warranted further review, resulting in updated guidance released earlier this year.

    Cyber Security

    As the risk of cyber-attacks increases, the OCC provided additional guidance to financial institutions to address cyber threats. The OCC recommends that US financial institutions participate in information-sharing organizations to help them understand cyber threats, both internally and to the third-party service providers they use. Suggested forums included the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT), and InfraGard. Further, US financial institutions were encouraged to share information related to cyber threats.

    Cyber-attacks on a third-party service provider create a unique issue in vendor management.  Depending on the information provided to a third-party service provider, appropriate due diligence must take place prior to sharing customer information.  Further, as part of the contract negotiation there must be terms addressing appropriate measures taken by the third party to prevent attacks/breaches, notification of attacks/breaches, and indemnification.

    Fintech

    The services a financial institution engages a Fintech company to provide affect the risk management process. Fintech companies that provide critical services warrant higher review. Previously, the OCC defined critical services as those that involve payments, clearing, settlements and information technology. Essentially, any activity that could have a significant customer impact, requires significant investment to implement, or could have a major impact on operations if the third party fails to meet expectations is a critical service.

    As part of the due diligence process, US federal guidance recommends a review of the financial stability of a third-party servicer. Included in such a review, a financial institution should review the company’s financial information. However, as Fintech companies emerge, these companies often have limited financial histories. Instead, as part of the due diligence process, access to funds, funding sources, earnings, net cash flow, and expected growth can be analyzed. As part of the cyclical process of vendor management review, there should be ongoing monitoring and auditing. As the life cycle of vendor management continues, increased information may become available, and continual auditing of a Fintech’s financial health can help to minimize risk.

    Conclusion

    While risk cannot be completely avoided, following a risk management process can help reduce the level of risk.  Adhering to one of the guideline programs can assist companies, particularly as they navigate third-party relationships.
