Fed working paper explores regulation of third-party tech provider risks

Wednesday, October 22, 2025
Susan M. Collins, President & Chief Executive Officer | Federal Reserve Bank of Boston

Financial institutions are increasingly using third-party firms for technology services such as payment processing, cloud storage, and risk management. A new working paper by staff from the Federal Reserve Banks of Boston, Chicago, and Dallas reviews how regulators are addressing the risks that come with this reliance on tech-focused service providers.

According to the paper's co-authors, third-party providers have been key in driving innovation in financial institutions over several decades. Banks now use thousands of these providers to support their operations.

“As these tech-based services continue to evolve, it’s important to stay attuned to potential vulnerabilities that could impact the banking system – including those related to operational or cybersecurity issues,” said Kenechukwu Anadu, a vice president in the Boston Fed’s Supervision, Regulation & Credit department.

The paper, “Technology Providers and Financial Stability: Overview of Risks and Regulatory Frameworks,” was written by Anadu along with colleagues from the Boston Fed (Falk Bräuning), Chicago Fed (Gene Amromin, Rebecca Chmielewski, Patty Cowperthwait, Cindy Hull, Brett Solimine, Emma Weiss), and Dallas Fed (Amy Chapel, Meeoak Cho, Lorenzo Garza, Sam Schulhofer-Wohl).

The authors analyzed a case study based on another research paper that looked at a cyberattack affecting a firm providing payment services to banks. When the attack was discovered and computers were taken offline to prevent further damage, bank clients were unable to process payments and experienced cash shortages. Some affected banks used the Federal Reserve’s discount window—a facility allowing banks to exchange certain collateral for cash—to meet liquidity needs.

The report also examines regulatory frameworks in the United States, United Kingdom, and European Union for managing stability risks tied to third-party tech service providers. In the U.S., regulations focus mainly on ensuring products are safe and resilient but provide limited direct oversight of these providers' daily activities or potential risks. In contrast, a 2023 law in the U.K. allows regulators greater access by designating some service providers as “critical,” enabling investigations and enforcement actions. The E.U.’s Digital Operational Resilience Act from 2023 sets criteria for critical designation and requires incident management plans, information sharing practices, and resilience testing, among other measures.

“Further research is needed to better understand financial system vulnerabilities arising from (third-party service providers) and potential implications for oversight of these firms,” wrote the authors.

A workshop hosted by the Boston, Chicago, and Dallas Feds will address this topic on October 16, 2025. More details about the event and access to the full paper can be found at bostonfed.org.

For additional information or media inquiries regarding this research or related topics at the Boston Fed—including interviews with economists or leadership—contact their media relations team.
