From American Banker’s February 3 article, Banks say core provider power needs to be checked:
“In comment letters responding to the OCC's recent request for information last month, groups largely argued that a small group of core providers dominate the market for critical back-end bank infrastructure. That concentration, the Independent Community Bankers of America said in its letter, allows vendors to impose rigid contracts and disincentivize banks from migrating or switching providers. And regulators continue to hold banks accountable for downstream operational and compliance risks.”
Community banks understand risk. After all, managing it is part of the job, and nowhere is that truer than with third-party relationships. Today’s banks rely heavily on core processors and a growing ecosystem of technology partners to support mission-critical functions—from payments and account processing to fraud detection, cloud infrastructure, compliance reporting, and digital banking. Oversight of those relationships is essential to safety, soundness, and consumer protection.
But layered on top of already complex technology environments is a third-party risk management burden that many community banks believe has grown heavier—and less predictable—than necessary.
In comments submitted to the OCC by Kari Neckel, ICBA Vice President of Payments & Technology, the community banking community makes it clear that while institutions support strong risk management expectations, unclear and inconsistently applied supervisory standards are making innovation slower, more expensive, and more complicated than it should be.
Putting the brakes on innovation
Third-party risk management is supposed to be risk-based. In practice, however, many community banks report that examiner expectations do not always scale based on size and scope, nor are they based on a truly critical view of the vendor relationship.
As noted in Neckel’s letter, banks increasingly feel “compelled to apply exhaustive due diligence processes across nearly all vendors, even when the technology in question supports a limited function or poses relatively low risk.” The result is a “one-size-fits-all” approach that consumes significant time and resources, both of which are valuable commodities for a local bank.
Neckel underscored this concern, noting that community banks often face duplicative and resource-intensive reviews that divert staff away from growth-supporting tasks, such as marketing and customer engagement. The burden falls especially hard on community institutions, which generally operate without robust compliance teams or staff members who have specialized technology risk experience.
The irony is that these processes don’t always reduce risk. Instead, they slow decision-making, delay implementation timelines, and raise the cost of adopting new tools; sometimes to the point where banks decide the effort simply isn’t worth it.
Higher scrutiny can be discouraging
One of the most common frustrations voiced by community banks is that newer or more innovative technology providers, fintechs in particular, often attract heightened scrutiny regardless of their actual risk profile.
Legacy vendors, even those running on older architectures, may be perceived as “known quantities.” Newer providers offering modern, cloud-based or API-driven solutions, on the other hand, can trigger deeper examination simply because they are unfamiliar. Over time, that bias can lock community banks into outdated systems and make it harder to compete with larger institutions and nonbank competitors.
ICBA’s letter highlights this dynamic, warning that such bias discourages banks from pursuing recent tech innovations. When the supervisory path is clearer for established vendors, even if their technology is less innovative, banks may default to what feels safest from an examination standpoint, and not what best serves their customers and operations.
AI: Opportunity meets uncertainty
Artificial intelligence puts the challenges faced by community banks into even sharper focus. AI offers real promise, with its ability to enhance fraud detection, improve transaction monitoring, streamline operations, and ratchet up customer engagement. But few community banks have the scale, data, or specialized expertise to build AI tools internally making partnerships with third-party providers the only practical path forward.
At the same time, AI partnerships raise new questions for banks, regulators, and legislators. How should existing vendor risk frameworks apply to machine-learning models? What level of model transparency is required? As ICBA pointed out, the lack of clear, timely guidance leaves banks unsure how to proceed. Neckel emphasizes the point that uncertainty around AI oversight leads institutions to delay adoption; not because the technology is unsafe, but because the supervisory expectations are unclear. The result is caution where there could be progress, and hesitation where there could be successful implementation.
Duplication drives cost
Another major theme in the ICBA letter is duplication. Community banks are often required to independently assess vendors that are already subject to regulatory oversight. That means reviewing cybersecurity controls, financial condition, compliance practices, business continuity, and operational resilience, sometimes repeatedly across multiple banks using the same provider.
As the letter noted, this duplication does not necessarily improve risk outcomes, but it does increase costs. Smaller banks feel this pressure most acutely, as third-party risk management expenses represent a much larger share of their overall budgets. Over time, these costs crowd out investment in customer experience, digital capabilities, and community engagement; the very areas on which banks must focus on to compete and grow.
Clarity, consistency, and collaboration
Importantly, community banks are not asking for less oversight. They are asking for better oversight. Across the industry, banks have called for clearer, more consistent application of third-party risk expectations. Principles-based guidance works, but only when banks can see how those principles are applied in real-world scenarios.
ICBA’s letter specifically points to the value of practical tools such as FAQs, supervisory highlights, and interpretive guidance that explain examiner expectations for emerging technologies like AI. When banks understand the rules of the road, they can proceed down that road with greater confidence.
There is also growing support for shared due diligence models, where regulators leverage their authority to examine service providers and make relevant findings available to banks through secure channels. Reducing duplication would lower costs, improve efficiency, and allow banks to focus on governance and strategic oversight rather than repetitive paperwork.
Creating space for responsible innovation and implementation
Community bankers aren’t looking to take reckless risks. What they want is room to innovate. Targeted tools such as limited-scope regulatory sandboxes, clearer guidance on fintech partnerships/investments, and stronger coordination among regulators could help build that path forward to responsible adoption and integration, and to leverage technologies while managing risk. As Neckel notes, when banks feel confident that good-faith efforts to adopt new technology won’t result in unpredictable supervisory consequences, they are far more likely to invest in those technologies.
Moving Forward
Community banks play a critical role in local economies, and their ability to compete increasingly depends on technology. Today’s challenges aren’t about a lack of desire or strategic vision; they’re about navigating a concentrated vendor market, managing regulatory uncertainty, and absorbing costs that scale unevenly across institutions.
With clearer expectations, reduced duplication, and more collaborative oversight, community banks can transform operations responsibly and do what they do best: serve customers, support small businesses, and strengthen their communities. After all, innovation shouldn’t be this hard.
Bank Marketing Center
We’re Bank Marketing Center, the leading subscription-based, automated marketing platform designed especially for community banks. We are presently helping the marketers at over 300 financial institutions craft and distribute topical, compelling marketing communication that builds trust in their brand, deepen customer relationships, and grow revenue.
We do this by automating the essential marketing functions banks rely upon; content creation, social media scheduling and monitoring, digital asset management, compliance routing, and more.
We also believe in sharing what we know and learn. Whether it’s insights on the latest AI tools, tips for attracting and retaining top talent, a webinar on operational efficiency, or what experts are saying about the future of banking, we’re committed to helping community banks thrive.
Want to learn more about what we do for bank marketers to help them succeed? You can start by visiting bankmarketingcenter.com. Then, feel free to contact me directly by phone at 678-528-6688 or via email at nreynolds@bankmarketingcenter.com. As always, I welcome your thoughts.