On November 24, 2025, the Office of the Comptroller of the Currency (OCC) released a request for information (RFI) on community banks’ engagement with their “core service providers” and other “essential third-party service providers”—specifically, providers of significant technology services to banks.
The traditional approach of the bank regulators has been to hold regulated institutions themselves responsible for overseeing their third-party vendors and managing associated risks. The RFI seeks information on challenges that smaller institutions may face in engaging with and overseeing significant technology service providers, and it points to potential interest in more extensive direct regulation of such offerings.
Both community banks and service providers may benefit from engaging with the OCC’s RFI process—and, given the scope of the RFI, larger institutions and state banks regulated by the Federal Reserve and FDIC may have perspectives to contribute as well. Comments in response to the RFI are due by January 27, 2026.
A summary of the RFI follows below.
The RFI defines “core service providers” as “third parties that provide the comprehensive back-end applications and infrastructure that support the operation and essential functions of one or more of the bank's lines of business.” This could include transaction processing, account management, payments processing, customer relationship management, compliance and reporting, online banking, or other material functions.
The RFI indicates that “other essential functions” provided by third parties are those that “support[] . . . core functions” and may include cloud processing, cloud storage, artificial intelligence, and “compliance tools.”
Taken together, these two categories could cover many significant technology service providers to community banks.
The RFI states that “[m]any community banks are dependent on third parties to operate effectively and competitively in an increasingly online marketplace.” It suggests that there has been “continued consolidation” among service providers, leading to “reduced competitive pressure” and “reduced negotiating power.” It suggests also that there are “potentially anti-competitive forces,” as well as cost-related factors, that hinder community bank choice among service providers.
The RFI indicates that these “concerns” were noted in responses to the OCC’s May 12, 2025 RFI on Community Bank Digitalization. It lists negative feedback with respect to service-providers received in response to that May RFI as well as during “informal outreach [to] various community banks.” At the same time, the RFI states that “[s]everal community banks also noted positive relationships with certain specific core service providers.”
The RFI contains 33 questions, grouped into the following categories: innovation; due diligence and transparency; reducing supervisory and regulatory burden; costs; billing statements and errors; and facilitating community bank and service provider dialogue. The questions reflect a focus on:
- Barriers to implementing innovative solutions and adapting to market changes, including with respect to the roll-out of stablecoin, crypto asset and AI technologies.
- Challenges to data portability, conversion, and interoperability.
- Options for the OCC to facilitate the sharing of information on provider performance and contractual terms, to facilitate both due diligence and contract negotiation by community banks.
- Areas where OCC supervision may have hindered the management and modernization of technology services to community banks.
- The cost of third-party technology services, and errors in billing practices.
- The extent to which service providers have “created legal risk or caused any violations of laws or regulations for the bank.”
The questions in the RFI contain a number of test balloon ideas, although it is unclear how committed the OCC is to any of these concepts. The ideas raised in the RFI generally point toward lessened regulation of community banks, including for example through “regulatory relief, safe-harbors, or tailoring” that could lower barriers to modernizing technology solutions. However, the RFI may presage more extensive OCC engagement with service providers. The RFI seeks views on the OCC facilitating the sharing of information on service providers, including via a “publicly searchable database related to banks’ experiences” with service providers, or certification of “whether service providers include fair contracting terms in their service agreements.”
The OCC and other bank regulators already examine significant service providers to banks, and the RFI seeks input on whether the OCC should share elements of service provider reports of examination (ROEs) with a broader range of OCC-regulated banks. The OCC’s ability to pursue other ideas raised for comment in the RFI is likely to become subject to debate, if the OCC pursues them.
The Bank Service Company Act of 1962 (BSCA) states that when certain services are performed by third parties for banks, “such performance shall be subject to regulation and examination” by the federal banking agencies “to the same extent as if such services were being performed by the depository institution itself on its own premises.” In addition, the Federal Deposit Insurance Act provides the banking agencies with enforcement jurisdiction over “independent contractor[s] . . . who knowingly or recklessly participate in” certain unlawful actions with respect to a depository institution.
The OCC will need to weigh whether its proposals constitute the “regulation and examination” of specific services being performed on behalf of a depository institution under the BSCA, or whether they constitute an attempt to regulate non-bank technology companies more broadly. It will also need to evaluate whether concerns with respect to competition in the provision of technology services to banks are within its remit, or whether engagement with other regulators is necessary to address any challenges with respect to competition in these markets.
If you have any questions concerning the material discussed in this client alert, please contact the members of our Financial Services practice.
Back
