- Key insight: A bank’s regulatory posture is no longer fully within its own control. When a critical vendor becomes subject to new supervisory expectations, the bank’s risk profile changes regardless of anything the bank itself has done.
- What’s at stake: Shared infrastructure creates a specific kind of risk that traditional supervision was not designed to see.
- Forward look: The regulatory perimeter of banking is not shrinking. It is extending to match the operating reality of how banks actually function.
For most of modern banking history, regulation focused on chartered institutions. The next phase will increasingly focus on the infrastructure those institutions cannot operate without.
Consider how a midsize bank actually operates today. Its core processing likely runs on one of a
None of this is inherently a problem. Shared infrastructure creates efficiency and access to capabilities most banks could not build alone. But it also creates a specific kind of risk that traditional supervision was not designed to see: the socialization of operational failure. When a single core banking vendor serves hundreds of community and regional banks, a disruption does not produce a bilateral contract dispute. It produces a correlated outage across a segment of the financial system. The failure belongs to no single charter, yet every institution on that platform absorbs the impact.
The same dynamic applies to payments infrastructure, fraud networks and identity verification platforms. These are not utility services in the traditional sense. They are active participants in the risk profile of every institution that depends on them. The question regulators now face is straightforward: If a technology provider can create or transmit systemic risk across the financial system, does that provider belong outside the regulatory perimeter?
Increasingly, the answer is no.
Recent regulatory activity reflects this conclusion. The European Union’s Digital Operational Resilience Act extends oversight to critical technology service providers serving financial institutions. In the United States, federal banking agencies have proposed frameworks for designating and examining systemically important technology service providers. The Bank of England’s operational resilience regime focuses on critical business services regardless of whether delivery is internal or third party. The direction is consistent across jurisdictions: The perimeter is expanding to include infrastructure, not just institutions.
The logic follows directly from the economics. Traditional third-party risk management frameworks treat vendor relationships as bilateral contracts governed by due diligence and service-level agreements. They are not designed for systemic concentration. A bank can conduct thorough vendor assessments and still face a failure it cannot detect or contain, because the risk sits at a layer of the stack no single institution controls. Entity-level tools do not fully address risks that emerge from shared dependencies. Supervisors are building new ones.
For banks, the practical consequences reach into areas most governance frameworks have not yet addressed. The most immediate is vendor concentration risk. Banks that rely heavily on a small number of critical providers may find those providers facing new examination requirements, reporting obligations and operational standards that change the economics of the relationship. Contracts negotiated in a lightly regulated environment may not survive a more heavily supervised one.
Architecture decisions are also becoming regulatory decisions. A bank’s choice of cloud provider, core platform and integration approach now carries implications for how supervisors assess its operational resilience. Multicloud strategies, portability requirements and exit planning are no longer purely technical considerations. They are governance questions, and risk committees that treat them as IT procurement topics are mispricing the exposure.
The competitive dimension is worth stating plainly. Large banks with the resources to build proprietary infrastructure or negotiate bespoke arrangements with technology providers are better positioned to absorb these new constraints. Smaller institutions, which depend more heavily on shared platforms, face a different reality: They are increasingly regulated not just directly by their supervisors, but indirectly through the compliance costs and operational requirements imposed on their vendors. Those costs will flow downstream through pricing, contract terms and reduced flexibility.
This is the point that deserves the most attention. A bank’s regulatory posture is no longer fully within its own control. When a critical vendor becomes subject to new supervisory expectations, the bank’s risk profile changes regardless of anything the bank itself has done. Indirect regulation of this kind is unfamiliar to most banking leaders and poorly captured by existing governance frameworks. Yet it is already happening.
The regulatory instinct here is correct. Oversight that ignores the infrastructure layer is oversight that ignores where the risk actually sits. But proportionality matters. If the compliance burden imposed on critical vendors is not scaled to their role and capacity, the predictable result is further market concentration, as smaller providers exit and the remaining platforms become even more systemically embedded. The policy goal and the policy risk point in the same direction.
The institutions that confront this question now will have more room to adapt. Those that treat infrastructure oversight as someone else’s concern may find that regulators have already decided otherwise.
The regulatory perimeter of banking is not shrinking. It is extending to match the operating reality of how banks actually function. For an industry built on chartered supervision, that is a structural shift, not a policy adjustment.