NYDFS Warns Banks They Can’t Outsource Vendor Risk 

January 22, 2026

New guidance out of New York is putting banks and other regulated financial firms on notice: if a vendor touches your systems or data, regulators will expect you to manage that risk as if it were your own. The New York State Department of Financial Services (NYDFS) issued updated direction on third-party service provider risk in October 2025, signaling what examiners will focus on in upcoming reviews—and raising the bar for how institutions oversee everything from cloud providers to fintech partners and AI-enabled tools.

That’s the central message in a new advisory-style post from Kaufman Rossin, which frames the NYDFS guidance as more than a compliance memo. The firm calls it a practical clarification of New York’s existing cybersecurity rules and, more importantly, a roadmap for what leadership teams should be doing now.

One line in the post captures the regulator’s core expectation in plain terms: “you cannot outsource your risk management responsibilities, even if you outsource your operations.” In other words, hiring a vendor does not shift accountability away from the bank. The post adds that NYDFS has seen firms lean too heavily on third parties for cybersecurity duties, without sufficient oversight.

Per Kaufman Rossin, NYDFS wants the issue owned at the top. The post says the guidance treats vendor risk as “a boardroom issue, not just an IT problem.” It expects senior leadership to understand the basics well enough to challenge decisions, not simply receive updates once a year. That can mean more frequent reporting, clearer accountability for vendor decisions, and board education that connects cyber risk to business risk.

Next comes tighter screening before a contract is signed. Kaufman Rossin stresses that not all vendors carry the same level of risk. A vendor with deep system access should face more scrutiny than one with no data access. The post also urges institutions to verify what vendors claim. If a provider says it meets a security standard, the firm suggests asking for proof, such as an audit report or certification.

Contracts are another focal point. The post highlights practical terms NYDFS expects firms to consider, including strong access controls, encryption, clear incident notification timelines, visibility into subcontractors, and audit rights. It also flags a newer pressure point: AI. If a vendor uses AI, the guidance calls for AI-specific contract language—especially around whether a firm’s data can be used to train models.

Finally, Kaufman Rossin emphasizes that vendor oversight cannot stop after onboarding. It points to “continuous monitoring” tied to vendor risk level, plus planning for disruptions—what happens if a critical provider goes offline tomorrow. And it warns that offboarding can be riskier than onboarding, calling for clear steps to revoke access and confirm data is returned or securely deleted.

What comes next, according to Kaufman Rossin, is straightforward: firms should expect NYDFS exams to test whether third-party oversight is real, repeatable, and led from the top, not handled as paperwork. The takeaway for bank executives is that this is the moment to pressure-test vendor inventories, refresh contracts (especially for AI use), and make sure monitoring and exit plans are documented and practiced before regulators ask to see them.