Financial Services Industry Outlines Proposed Third-Party Risk Management Reforms to Federal Banking Agencies
May 22, 2026 / By ICBA
WASHINGTON, D.C. (May 22, 2026) — The Consumer Bankers Association (CBA), along with the American Fintech Council, Coalition for Financial Ecosystem Standards, and Independent Community Bankers of America, today released a new report outlining refined principles and proposed areas for reform to third-party risk management (TPRM) in the financial services industry.
The report comes as a result of a roundtable discussion CBA convened earlier this month with the Alliance for Innovative Regulation, which included experts from banks, leading technology providers including generative artificial intelligence (AI) and cloud service providers, industry associations, and current and former representatives of federal banking.
The report arrives at a pivotal moment for the U.S. banking system. Banks today operate within a fundamentally different vendor ecosystem than the one that shaped existing TPRM expectations — one characterized by hundreds or thousands of third-party relationships, rapidly evolving technology stacks, and structural dependence on a small number of hyperscale cloud providers and AI infrastructure developers that offer little meaningful opportunity for negotiation or substitution.
The rise of AI has accelerated this dynamic: unlike more deterministic systems, AI models are updated continuously, may behave differently across contexts, and resist the kind of static, point-in-time validation that existing supervisory frameworks were designed around. The result is a widening gap between what current guidance envisions and what is operationally achievable — one that the report argues can only be closed by reorienting supervisory expectations around materiality, continuous monitoring, and operational resiliency, rather than documentation completeness at onboarding.
The organizations said this of the report:
“Bank technology stacks have fundamentally transformed, and supervisory expectations need to keep pace. The central question in third-party risk management can no longer be whether a bank can eliminate all risks at the outset of a vendor relationship; but increasingly, we’ll need to ask whether banks are able to identify, monitor, and contain risks in real time. The capabilities to fully realize that vision are still maturing, but we look forward to working with regulators to chart a path toward a framework that is honest about where the industry and supervisory expectations are today, and ambitious about where both need to go.”
Key Recommendations
Banks across a range of institution sizes and business models generally support the principles-based structure of the guidance and do not believe large-scale revisions to the framework are necessary at this time. At the same time, the assessment and roundtable discussions revealed a growing disconnect between the assumptions underlying the current supervisory framework and the operational realities of today’s banking and technology environment. Below are the key recommendations in the report that are the result of the aforementioned convening:
Preserve the Interagency Guidance’s principles-based structure and maintain sufficiently detailed expectations regarding diligence, governance, and contracting practices;
Reinforce through examiner training, supervisory calibration, and appeals processes that TPRM reviews should remain risk-based, materiality-focused, and tailored to the nature of the relationship being examined;
Recognize and accommodate the practical limitations banks face when dealing with concentrated or market-dominant vendors, including hyperscale cloud and AI providers, and avoid criticizing banks for failing to obtain information that is not commercially available;
Clarify that banks are responsible for assessing the adequacy of their direct vendors’ TPRM programs and ensuring that risk-management expectations appropriately cascade downstream, but are not expected to directly supervise every fourth- or nth-party relationship;
Encourage the responsible use of AI and related technologies to support TPRM functions and supervisory consistency, while making clear that AI-assisted processes remain subject to proportionate governance and human oversight expectations; and
Support public-private standards-setting and certification initiatives that could help streamline vendor due diligence and improve consistency across institutions and regulators.
Dive Deeper
To read the full report, click here.
About the Consumer Bankers Association
The Consumer Bankers Association represents America’s leading retail banks. We promote policies to create a stronger industry and economy. Established in 1919, CBA’s corporate member institutions account for 1.7 million jobs in America, extend roughly $4 trillion in consumer loans and provide $275 billion in small business loans annually. Follow us on Twitter @consumerbankers.
About the American Fintech Council
A standards-based organization, the American Fintech Council (AFC) is the largest and most diverse trade association representing financial technology (fintech) companies and innovative banks. On behalf of over 150 member companies and partners, AFC promotes a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies.
About the Coalition for Financial Ecosystem Standards
The Coalition for Financial Ecosystem Standards (CFES) is an industry-led initiative housed within FS Vector, a financial services regulatory strategy and advisory firm. CFES develops operating standards and risk management frameworks for innovators within the financial services, including fintechs and sponsor banks. CFES also advances policy positions supporting a more modern supervisory and examination framework that reflects the increasingly technology-driven nature of banking infrastructure.
About the Independent Community Bankers of America
The Independent Community Bankers of America® has one mission: to create and promote an environment where community banks flourish. We power the potential of the nation’s community banks through effective advocacy, education, and innovation. As local and trusted sources of credit, America’s community banks leverage their relationship-based business model and innovative offerings to channel deposits into the neighborhoods they serve, creating jobs, fostering economic prosperity, and fueling their customers’ financial goals and dreams. For more information, visit ICBA’s website at icba.org.
Press Contacts:
Weston Loyd
Consumer Bankers Association
Wloyd@consumerbankers.com
Clyde Group
American Fintech Council
afc@clyde.us
Alexis Griffin
Coalition for Financial Ecosystem Standards
fsvector@calibercorporate.com
Nicole Swann
Independent Community Bankers of America
Nicole.Swann@icba.org
Subscribe now
Sign up for the Independent Banker newsletter to receive twice-monthly emails about new issues and must-read content you might have missed.
Sponsored Content
Featured Webinars
Join ICBA Community
Interested in discussing this and other topics? Network with and learn from your peers with the app designed for community bankers.
Subscribe Today
Sign up for Independent Banker eNews to receive twice-monthly emails that alert you when a new issue drops and highlight must-read content you might have missed.
News Watch Today
Join the Conversation with ICBA Community
ICBA Community is an online platform led by community bankers to foster connections, collaborations, and discussions on industry news, best practices, and regulations, while promoting networking, mentorship, and member feedback to guide future initiatives.
Join the Community Example Text
