More banks rely on outside tech service providers. But what happens if the provider fails?
Fed paper examines how governments are working to address potential financial stability risks
Financial institutions are becoming increasingly reliant on third-party firms to provide technology-focused services like payment processing, cloud storage, risk management, and more. But what if one of these firms fails – or experiences a cyberattack? How could that impact the broader financial system?
A new working paper from Federal Reserve Bank of Boston, Chicago, and Dallas staff members examines how regulators are addressing the potential financial system vulnerabilities inherent in a growing dependence on tech-focused third-party service providers.
Third-party service providers have helped drive innovation in financial institutions for decades: from introducing the computer software that replaced handwritten ledgers to providing real-time financial data 24/7, the paper co-authors said. Today, banks and other institutions use thousands of technology-focused service providers to execute their business activities.
“As these tech-based services continue to evolve, it’s important to stay attuned to potential vulnerabilities that could impact the banking system – including those related to operational or cybersecurity issues,” said co-author Kenechukwu Anadu, a vice president in the Boston Fed’s Supervision, Regulation & Credit department.
Case study: What happens to banks when their tech-focused service provider is hacked?
The paper is titled “Technology Providers and Financial Stability: Overview of Risks and Regulatory Frameworks.” Anadu co-authored the paper with Boston Fed colleague Falk Bräuning, Chicago Fed colleagues Gene Amromin, Rebecca Chmielewski, Patty Cowperthwait, Cindy Hull, Brett Solimine, and Emma Weiss, and Dallas Fed colleagues Amy Chapel, Meeoak Cho, Lorenzo Garza, and Sam Schulhofer-Wohl.
The co-authors analyzed how a cyberattack impacted a firm that provides payments services to banks. Their case study is based on another paper titled “Cyberattacks and Financial Stability: Evidence from a Natural Experiment.”
Once the attack was discovered, the firm took its computers offline to mitigate further damage. However, that meant its bank clients couldn’t process payments, leading to cash shortages.
Some of the affected financial institutions then met their liquidity needs by using the Federal Reserve’s “discount window” – a facility that allows banks to pledge certain collateral in exchange for cash.
The co-authors highlight three key findings from the case study analysis:
- The interconnectedness of third-party service providers is a key source of vulnerability across the financial system.
- Risks related to third-party service providers can quickly create liquidity issues for banks, which can have ripple effects on the broader financial system.
- Ongoing maintenance and planning by both third-party service providers and the financial firms that use them are critical for improving resilience and preventing “spillover” effects.
Regulatory frameworks aim to address potential stability risks
The co-authors examined frameworks that the United States, United Kingdom, and European Union are using – or plan to use – to address the potential stability risks related to third-party tech service providers. They looked at both “micro-prudential” and “macro-prudential” regulatory frameworks.
Micro-prudential frameworks focus on the “safety and soundness” of specific banks and other financial institutions, while macro-prudential frameworks focus on the stability of the entire financial system.
The authors write that in the U.S., regulation of third-party service providers aims primarily to ensure their products are safe and resilient, but there’s limited “direct visibility” into their daily activities and potential risks.
It’s different in the U.K., where a 2023 law allows the government to designate certain third-party service providers as “critical.” Financial regulators can then gather information from them, conduct investigations, and enforce rules.
Similarly, the E.U.’s Digital Operational Resilience Act from 2023 lists specific criteria for designating third-party service providers as critical. It also includes requirements for incident management and reporting, information sharing, resilience testing, and more.
“Further research is needed to better understand financial system vulnerabilities arising from (third-party service providers) and potential implications for oversight of these firms,” the authors write.
The Boston, Chicago, and Dallas Feds will hold a workshop on this topic on Oct. 16, 2025. Learn more about the event and read the full paper on bostonfed.org.
About the Authors
Amanda Blanco is a member of the communications team at the Federal Reserve Bank of Boston.
Email: Amanda.Blanco@bos.frb.org