# Request for Information Regarding Community Banks' Engagement With Core Service Providers and Other Essential Third-Party Service Providers
**AGENCY:**
Office of the Comptroller of the Currency (OCC), Treasury.
**ACTION:**
Request for information and comment.
**SUMMARY:**
The OCC is issuing a request for information (RFI) on community bank engagement with their core service providers and other essential third-party service providers. The RFI seeks to better understand how challenges community banks face with such service providers affect these banks' abilities to remain competitive in a rapidly evolving marketplace, as well as what actions the OCC can take to address any of these challenges.
**DATES:**
Comments must be received by January 27, 2026.
**ADDRESSES:**
Commenters are encouraged to submit comments through the Federal eRulemaking Portal. Please use the title “Request for Information Regarding Community Banks' Engagement with Core Service Providers and Other Essential Third-Party Service Providers” to facilitate the organization and distribution of the comments. You may submit comments by any of the following methods:
• *Federal eRulemaking Portal—Regulations.gov:*
Go to *https://regulations.gov/.* Enter Docket ID “OCC-2025-0537” in the Search Box and click “Search.” Public comments can be submitted via the “Comment” box below the displayed document information or by clicking on the document title and then clicking the “Comment” box on the top-left side of the screen. For help with submitting effective comments, please click on “Commenter's Checklist.” For assistance with the *Regulations.gov* site, please call 1-866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email *[email protected].*
• *Mail:* Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
• *Hand Delivery/Courier:* 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
*Instructions:* You must include “OCC” as the agency name and Docket ID “OCC-2025-0537” in your comment. In general, the OCC will enter all comments received into the docket and publish the comments on the *Regulations.gov* website without change, including any business or personal information provided such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.
You may review comments and other related materials that pertain to this action by the following method:
• *Viewing Comments Electronically—Regulations.gov:*
Go to *https://regulations.gov/.* Enter Docket ID “OCC-2025-0537” in the Search Box and click “Search.” Click on the “Dockets” tab and then the document's title. After clicking the document's title, click the “Browse All Comments” tab. Comments can be viewed and filtered by clicking on the “Sort By” drop-down on the right side of the screen or the “Refine Comments Results” options on the left side of the screen. Supporting materials can be viewed by clicking on the “Browse Documents” tab. Click on the “Sort By” drop-down on the right side of the screen or the “Refine Results” options on the left side of the screen checking the “Supporting & Related Material” checkbox. For assistance with the *Regulations.gov* site, please call 1-866-498-2945 (toll free) Monday-Friday, 9 a.m.-5 p.m. EST, or email *[email protected].*
The docket may be viewed after the close of the comment period in the same manner as during the comment period.
**FOR FURTHER INFORMATION CONTACT:**
Daniel Amodeo, Counsel and Graham Bannon, Counsel, Chief Counsel's Office, 202-649-5490. If you are deaf, hard of hearing, or have a speech disability, please dial 7-1-1 to access telecommunications relay services.
**SUPPLEMENTARY INFORMATION:**
**I. Introduction**
Community banks [^1] have an outsized impact on lending and are vital to the strength of the U.S. economy. The OCC has committed to prioritizing reforms targeted at reducing the supervisory and regulatory burden for community banks and exploring efforts to tailor our regulation and supervisory frameworks to better fit their business models and unique risks—better positioning these banks to support their communities and drive economic growth. Many community banks are dependent on third parties to operate effectively and competitively in an increasingly online marketplace. This includes those third parties that provide the comprehensive back-end applications and infrastructure that support the operation and essential functions of one or more of the bank's lines of business, including, for example, through the provision of transaction processing, account management, payments processing, customer relationship management, compliance and reporting, online banking, and other material functions (core service providers). It also includes those third parties who provide other essential functions supporting those core functions, including cloud processing, cloud storage, artificial intelligence, and compliance tools.
[^1] The term “banks” as used in this RFI means national banks and Federal savings associations.
The OCC is aware that continued consolidation in the core service provider and other essential third-party service provider markets can result in reduced competitive pressure to provide innovative and effective solutions for community banks; reduced negotiating power for many community banks vis-à-vis their core service providers, resulting in potentially burdensome contractual provisions and bundled products that raise fees; and a sense that many community banks do not believe that their core service providers and other essential third-party service providers are partners committed to their long-term success. According to one survey, for example, the three largest core service providers served more than 70% of depository institutions in 2022, with the largest core service provider alone serving 42% of depository institutions. [^2] At the same time, the OCC is aware that many of these same banks believe these potentially anti-competitive forces are preventing them from taking full advantage of the rapid pace of innovation in the financial technology marketplace, leaving them exposed to changing consumer expectations they may not be able to meet. Polling by community bank trade groups continues to show high levels of dissatisfaction with core service providers—one recent poll showed that, on a scale of 1 to 5, respondent depository institutions reported an overall satisfaction level of 3.19 and rated the effectiveness of their core service providers at 2.78, with certain of the largest core service providers and their products consistently receiving lower scores than many of their smaller peers. [^3] While financial technology firms, new core service provider entrants, and bank-developed core services have attempted to break into the market and address these concerns, the increasingly high capital costs associated with switching core service providers or other essential third-party service providers or developing technological solutions in-house prevent many community banks benefiting from these developments.
[^2]*See* Julian Alcazar, et al., Federal Reserve Bank of Kansas City, Payments System Research Briefing, “Market Structure of Core Banking Services Providers” (Mar. 27, 2024), available at: *https://www.kansascityfed.org/documents/10072/PaymentsSystemResearchBriefing24AlcazarBairdCronenwethHayashiIsaacson0327.pdf.*
[^3]*See* American Bankers Association, “2024 ABA Core Platforms Survey: All Core Platform Providers Are Not the Same” (Feb. 2025), available at: *https://www.aba.com/-/media/documents/reference-and-guides/2024-core-platform-survey.pdf?rev=f282f2c8fa1048dc8ab157ff8d9855ac.*
The OCC seeks public comment on community banks' engagement with their core service providers and other essential third-party service providers, especially as it relates to community banks' ability to remain competitive in a rapidly evolving marketplace. The OCC also welcomes comment on any aspect of other third-party service provider activities, relationships, or supervisory or regulatory burdens insofar as they relate to core service providers and other essential third-party service providers. This includes whether and to what extent any of the agency's supervisory guidance or regulatory requirements may exacerbate the concerns described in this RFI or otherwise impose undue burdens on community banks in managing their relationships with their core service providers and other essential third-party service providers. [^4] This RFI is designed to supplement the agency's understanding of the challenges community banks face in their relationships with these service providers and help the agency develop a roadmap for supervisory and regulatory actions to consider these concerns.
[^4] Including, for example, the *Interagency Guidance on Third-Party Relationships: Risk Management. See* 88 FR 37920 (June 9, 2023) (TPRM Guidance).
**II. Background**
This RFI stems from commenters' concerns noted in response to the OCC's May 12, 2025, Request for Information Regarding Community Bank Digitalization. [^5] The OCC received 22 comments from community banks, industry groups, technology providers, and other interested parties. Although focused on the use of technology to change a business model, provide new revenue and value-producing opportunities, or automate business processes, the agency also received numerous and varied comments on community banks' relationships with their core service providers and other essential third-party service providers. Some of these commenters expressed concerns about predominant market reliance on the largest core service providers, resulting in reduced bargaining power and difficulty integrating new technology with legacy platforms for community banks. [^6]
[^5] 90 FR 20212 (May 12, 2025).
[^6] In addition to comments on core service providers and other third-party service providers, the OCC also received comments broadly along the lines of the following two themes:
• *Resource Constraints:* Commenters noted community banks' difficulties in attracting and retaining sufficient staff with the requisite skills to undertake modernizing digitalization projects, as well as budget limitations and concerns around managing existing technology debt.
• *Regulatory Clarity:* Commenters suggested various ways that the agency could improve regulatory clarity to reduce burden on community banks, including that the agency consider establishing sandboxes, pilot programs, or safe harbors related to digitalization activities; engage in public-private dialogues and knowledge exchanges; and issue no-action letters, reinstitute certain FAQs, revise existing guidance (in particular, the TPRM Guidance), or publish range-of-practice or lessons-learned documents expressing observations on leading and lagging practices.
The OCC continues to review these comments to identify and craft responsive actions to support community banks' digitalization efforts.
To better understand these comments and create a detailed record to support potential agency action, the OCC conducted informal outreach with various community banks. Broadly speaking, these community banks identified the following concerns with certain core service providers and other essential third-party service providers that they had either experienced or else were concerned could limit their bank's ability to remain competitive:
• insufficient investment in innovation to ensure services are keeping pace with market developments and perceived long development timelines for new services;
• use of dated programming languages leading to difficulties integrating the services of acquired companies into a comprehensive, unified package and posing interoperability with other third-party service providers;
• limitations on the use of unaffiliated third parties;
• limitations on, and fees related to, accessing and leveraging bank-owned data, including in a format that is comprehensive and compatible with modern operating systems;
• use of non-disclosure agreements that impede the free flow of information on core service providers' pricing, services, and contract terms;
• bundling of unnecessary supplemental services leading to increased fees (though some banks also acknowledged that lengthened terms may result in lower prices);
• costs and limitations surrounding service terminations and core conversions (though some banks noted that termination fees may be somewhat offset by buyouts from rival core service providers), together with increased contract term lengths; and
• overly lengthy and confusing billing practices requiring significant manhours to catch repeated billing errors.
Several community banks also noted positive relationships with certain specific core service providers. These community banks noted that such core service providers treat the arrangement as a long-term relationship, allow and encourage their customer banks to submit requests as to desired new services, provide application program interfaces (APIs) with limited restrictions that allow unaffiliated third-party service providers to seamlessly plug into the core service provider's platform, and maintain data in up-to-date formats.
Community banks that participated in these listening sessions almost unanimously voiced concerns about the ability of their core service providers to supply community banks, on a timely basis, with the products, services, and solutions they need to remain competitive in a rapidly evolving marketplace, particularly with regard to the growing stablecoin and crypto-asset markets and to changes to the banking industry that may accompany recent and ongoing developments in artificial intelligence.
The OCC also notes that the Financial Stability Oversight Council has also repeatedly noted similar concerns and has supported the Federal banking agencies and other agencies addressing the risks that core service providers and other essential third-party service providers pose to financial institutions that could spread and undermine financial stability. [^7]
[^7]*See, e.g.,* Financial Stability Oversight Council, *2024 Annual Report* (Dec. 6, 2024) at 88 (“Smaller firms, such as community banks and credit unions, may have lesser negotiating power to obtain certain contractual rights, fewer resources and ability to conduct due diligence on and monitor a service provider's practices ( *e.g.,* information security, internal controls, assurance testing), and lesser ability to terminate and substitute services in case of operational challenges. And yet, due to their relatively small size, these institutions are increasingly relying on third parties for essential lending, compliance, technology, and operational-related matters. Regulators and market participants alike can have low visibility into the use of common third-party service providers by financial institutions, or even the geographic location for the delivery of services. This opacity can make it difficult to prepare for, and rapidly evaluate the impact of, a cyber incident or other disruption at a third-party service provider or in a geographic location (such as a regional outage).”).
**III. Questions**
The OCC notes that it is vital for U.S. economic security that community banks be able to remain competitive in a rapidly evolving marketplace. As such, the OCC is seeking further information on any barriers community banks face in remaining competitive and any responsive actions that the agency could take. The agency also reminds core service providers and other essential third-party service providers that certain services they perform for a bank are subject to regulation and examination by the agency to the same extent as if such services were being performed by a client bank itself on its own premises. [^8]
[^8]*See* 12 U.S.C. 1867(c). Additionally, the OCC is concerned about the reported prevalence of billing errors, as well as the use of overly-complicated and lengthy billing statements that require considerable bank resources to understand and review. Billing for a service is an inherent component of performing a bank service and may be subject to supervision and regulation. The agency also notes that billing errors may expose core service providers to contractual liability and could constitute a violation of law.
The OCC seeks input from community banks, industry groups, service providers, and other interested parties regarding the challenges and barriers in all aspects of community banks' relationships with their core service providers and other essential third-party service providers. These may include challenges and barriers related to:
• contract negotiations;
• the scope and burden of applicable fees;
• billing practices and concerns;
• oversight of core service providers and other third-party service providers;
• the ability to terminate relationships with core service providers in breach of contracts, including service-level agreements;
• any burdens limiting banks' ability to undertake core conversions that are beyond those inherent in such a process;
• the extent to which interoperability between core service providers and other third-party service providers may facilitate or inhibit innovations necessary for community banks to remain competitive in a rapidly evolving marketplace;
• supervisory expectations and guidance, including the Third Party Risk Management (TPRM) Guidance, or regulatory requirements; and
• potential actions the OCC could take to address these concerns and other relevant topics.
In addition, we invite the relevant stakeholder to respond to the following specific questions:
**Innovation**
1. What challenges have community banks faced, or do they expect to face, in relation to their core service providers and other essential third-party service providers in implementing innovative solutions or accessing services necessary for community banks to remain competitive in a rapidly evolving marketplace? What are examples where a bank believes its service providers have been able or unable to provide innovative solutions and adaptations, and what lessons can be learned from such experiences?
2. What challenges have community banks faced, or do they expect to face, in relation to their core service providers and other essential third-party service providers in responding to the growing stablecoin and crypto-asset markets? How might the OCC address those concerns through regulatory and supervisory authority? How might the exercise of OCC regulatory or supervisory authority complicate challenges community banks face in this area?
3. What challenges have community banks faced, or do they expect to face, in relation to their core service providers and other essential third-party service providers in responding to developments in artificial intelligence? How might the OCC address those concerns through regulatory and supervisory authority? How might the exercise of OCC regulatory or supervisory authority complicate challenges community banks face in this area?
4. What challenges do community banks face in verifying the feasibility and effectiveness of innovative solutions offered or marketed by core service providers and other essential third-party service providers, or otherwise achieving visibility into such solutions? How do community banks ensure that the innovative solutions offered by these service providers truly meet their operational and strategic needs?
5. What challenges do community banks face in ensuring the availability and quality of post-implementation support from core service providers and other essential third-party service providers?
6. What challenges do community banks face in assessing the scalability and flexibility of core service providers' and other essential third-party service providers' solutions to ensure they can grow with the bank's needs?
7. What challenges do community banks face when they decide to extract and leverage their data maintained by providers for modernized technology solutions? Are there any steps that the OCC could take to help ease or incentivize the process? For example, are community banks concerned that they may face increased regulatory scrutiny if they seek to convert their data? Alternatively, are there specific examples of regulatory relief, safe-harbors, or tailoring that the OCC could provide that may help community banks offset the capital costs of doing so?
8. Are there specific tools or training that the OCC could provide or facilitate to assist community bankers in developing their technological expertise to better manage innovation, whether internally or in managing their core service provider or other essential third-party service provider relationships?
9. Are there actions that the OCC could or should take to facilitate community banks in developing their own technology solutions? For example, are there actions that the OCC should consider to encourage and enable community banks to pursue joint ventures or to invest in subsidiaries for the purpose of developing their own innovative technology solutions?
10. What have been community banks' experiences and challenges concerning the ability to connect different third-party or in-house solutions with their core service provider? What barriers do community banks face when trying to establish API requests between core service providers and other service providers? How might the OCC address these barriers?
11. What cyber security related challenges do community banks face in connection with service providers and API requests? How do those challenges impact the ability to scale business? How do core service providers enable community banks to provide secure services, including where the bank provides services through or in connection with a non-core service provider third-party? How might the OCC address these challenges or further support core service providers enabling the provision of secure services?
**Due Diligence & Transparency**
12. To what extent could some of the concerns voiced by community banks discussed in this RFI be addressed by the OCC establishing a publicly searchable database related to banks' experiences with core service providers and other essential third-party service providers, including, for example, as to complaints? For example, to what extent could the existence of such a database assist community banks in performing due diligence in selecting a core service provider or other essential third-party service provider that best meets their business needs? To what extent would such a database be likely to incentivize core service providers and other essential third-party service providers to increase transparency as to opaque pricing or contracting practices or to ensure billing accuracy?
13. To what extent could some of the concerns raised in this RFI be addressed by the OCC proactively sharing with community banks certain information on core service providers and other essential service providers, including on the terms of the services they perform? What information would community banks find helpful in the planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, or termination phases of the third-party risk management cycle? How should any publication be balanced against, and what steps should the agency consider regarding, the potential confidentiality of any such data or data security concerns ( *e.g.,* conditioning the provision of such data on non-disclosure agreements and the use of secure, read-only software)?
14. As an example of the above, to what extent would it assist community banks with contract negotiations if the OCC were to explore the feasibility of developing a “registry” system in which core service providers and other essential third-party service providers would be required to provide certain information to the OCC and if some or all of this information were then made available to community banks? For example, the registry system could be premised on such service providers ensuring, on a recurring basis, that their notifications to the OCC about service relationships with OCC-regulated banks remain current and include the terms of the performance of the associated services and the use of certain terms and conditions in contracts. What considerations should the OCC evaluate if it were to adopt this approach?
15. What should constitute fair contracting terms for core service provider and other essential third-party service provider contracts with community banks? How might the OCC help ensure that such service provider agreements provide equal access to financial services, including fair treatment of community banks as customers of service providers? Should the OCC explore the feasibility of certifying whether service providers include fair contracting terms in their service agreements? What considerations should the OCC evaluate if it were to adopt this approach?
16. What challenges do community banks face when seeking to assess the financial condition of potential core service providers and other essential third-party service providers? Is there nonpublic financial information community banks believe they need to evaluate the long-term viability of such service providers? Are community banks able to negotiate access to relevant financial information of such a service provider as part of the contract deliberation process? How might the OCC assist community banks in obtaining relevant financial information to make informed decisions about engaging such service providers?
17. Should the OCC consider exploring ways to make applicable core service provider and other essential third-party service provider reports of examination (ROEs) (or targeted information obtained from the ROEs) accessible to OCC-regulated banks as they are conducting their due diligence into such service providers, before a contract is executed? To what extent would providing community banks with access to the open portion of such historical ROEs or else the latest ROEs for applicable core service providers or other essential third-party service providers give banks additional insight into whether such service providers adequately meet the banks' needs before entering into a contractual relationship? How might the provision of such ROEs to community banks impact the service provider market and the availability of services for community banks? What steps should the agency consider regarding the confidentiality of any such data or data security concerns ( *e.g.,* conditioning the provision of such data on non-disclosure agreements and the use of secure, read-only software)? What other concerns should the agency consider in operationalizing such a process?
18. To what extent do community banks utilize the ROEs for core service providers or other essential third-party service providers with whom they have an ongoing contractual relationship as a data point in their ongoing monitoring of such service providers? Are there any challenges in using ROEs that the OCC should consider addressing ( *e.g.,* the frequency with which ROEs are issued or the content that is accessible for banks to review)? What other mechanisms should the OCC consider by which it could inform community banks about concerns related to specific core service providers or other essential third-party service providers?
**Reducing Supervisory and Regulatory Burden**
19. To what extent do current supervisory practices, policies, or guidance or the agency's regulations present challenges or undue burdens to community banks in managing and overseeing their core service provider relationship or in undertaking a core conversion? For example, are there elements of either the TPRM Guidance [^9] or the OCC's Third-Party Risk Management: A Guide for Community Banks [^10] that community banks believe to be overly prescriptive or not sufficiently clarified as being a tool to help banks assess and manage risks through practices tailored to the degree of risk present, or that community banks have experienced examiners using in a prescriptive, non-risk-based manner? Alternatively, to what extent would community banks benefit from additional supervisory or regulatory clarity?
[^9] The OCC reiterates that the TPRM Guidance is intended to be a principles-based tool for banks to assess and manage their risks from third parties. It is not a prescriptive requirement and a bank's third-party risk management should be tailored to the bank's size, complexity, and risk profile and to the nature of its third-party relationships. *See also* 12 CFR part 4, subpart F (Use of Supervisory Guidance).
[^10] May 2024, available at: *https://www.occ.gov/news-issuances/news-releases/2024/pub-third-party-risk-management-guide-for-community-banks.pdf.*
20. To what extent has supervisory scrutiny prevented a community bank from undergoing a core conversion or in some other manner modernizing or leveraging data for innovative solutions, or materially increased the burden on a community bank going through such a process? Are there examples of supervisory or regulatory reform, tailoring, or safe harbors that could allow the agency to better facilitate core conversions or data ownership and modernization that a community bank believes is in the best interest of its business while not downplaying the safety and soundness risks inherent in such practices?
**Costs**
21. How has the cost of contracting with core service providers or other essential third-party service providers evolved over the last ten years? How have these changes impacted the ability of community banks to modernize operations? How can such service providers and community banks address challenges posed by rising costs? What role might the OCC be able to serve in addressing concerns and challenges posed by costs?
22. To what extent have costs prevented conversions or impacted the abilities of community banks to modernize operations? Are such costs imposed by service providers, related to internal factors ( *e.g.,* deficiencies in staffing resources or expertise), or due to supervisory or regulatory scrutiny or requirements? What role might the OCC be able to serve in addressing these concerns?
23. How would any of the policies contemplated in this RFI affect costs and the availability of services from core service providers and other essential third-party service providers?
24. What data should community banks, core service providers and other essential third-party service providers, or the OCC consider when evaluating such service providers' costs?
25. To what extent has a service provider's systems or operations created legal risk or caused any violations of laws or regulations for the bank?
**Billing Statements and Errors**
26. To what extent are community banks able to timely and effectively review billing statements from core service providers or other essential third-party service providers? What challenges do community banks face in reviewing these billing statements, including as to length and complexity? What resources do community banks need to dedicate to reviewing these billing statements?
27. To what extent have community banks experienced errors in core service providers' or other essential third-party service providers' billing statements? What is the average frequency and what are the average dollar values (including in absolute terms and as a percentage of the entire bill) of any such errors? What is the impact of such errors on the bank?
28. How might the OCC (together with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation, as part of their joint service provider examinations) better reflect the prevalence of core service providers' or other essential third-party service providers' billing practices and errors in any applicable service providers' examination ratings?
29. To what extent would a database (discussed in Question 12 above) help address the prevalence of any such billing errors?
30. To what extent would guidance on core service provider and other essential third-party service provider billing and fee best practices and supervisory expectations help address the prevalence of any such billing errors?
31. What other actions should the OCC consider taking in addressing any prevalent billing errors?
**Facilitating Community Bank and Service Provider Dialogue**
32. Prior to the pandemic, the OCC held annual meetings with various core service provider and other essential third-party service provider executives. To what extent would reviving those annual meetings or otherwise establishing contact channels help facilitate the sharing of community bank concerns with such service providers?
33. What would be the benefits and challenges of the OCC facilitating community banks and other interested parties in establishing ad hoc or standing groups that could work towards planning and implementing private market solutions to any of the concerns addressed in this RFI?
Jonathan V. Gould,
Comptroller of the Currency.