As banks become increasingly reliant on third-party service providers, Federal Reserve Governor Michelle Bowman said bank regulators should “consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on service providers.” Bowman noted that regulators have authority to do so under the Bank Service Company Act.
“In a world where third parties are providing far more of these services, it seems to me that these providers should bear more responsibility to ensure the outsourced activities are performed in a safe and sound manner,” Bowman said.
Bowman also discussed regulatory expectations regarding cyber risk management. “While we expect banks to be in touch with us when an event happens, cyber events should not be the first time a cyber-risk conversation occurs between a bank and its regulator,” she noted. “We look forward to working with you to assist in clarifying expectations, applying regulatory guidance or seeking feedback on cyber-risk management strategies. We encourage bank management teams to engage with regulatory points of contact whenever questions arise on cybersecurity matters just as with any other regulatory matter.”