Federal Reserve Bank of Boston working paper assesses financial stability risks from technology third-party providers and compares US UK and EU oversight approaches

The Federal Reserve Bank of Boston published a working paper by staff from the Boston, Chicago, and Dallas Federal Reserve Banks examining how growing reliance on technology-focused third-party service providers could create financial stability vulnerabilities, including through operational outages and cyberattacks. The paper also reviews how regulators in the United States, United Kingdom, and European Union are addressing or planning to address these risks. Using a case study of a cyberattack on a payments services provider, the authors describe how the provider took systems offline after the attack was discovered, leaving client banks unable to process payments and creating cash shortages. Some affected institutions met liquidity needs through the Federal Reserve’s discount window. The analysis highlights that provider interconnectedness can transmit disruption across the system, that third-party incidents can quickly generate bank liquidity stress with broader ripple effects, and that ongoing maintenance and contingency planning by both providers and financial institutions are critical to limiting spillovers. On the regulatory side, the paper notes that US approaches primarily aim to ensure third-party products are safe and resilient but provide limited direct visibility into providers’ day-to-day activities; the UK’s 2023 law enables designation of certain providers as “critical” and allows regulators to obtain information, investigate, and enforce rules; and the EU’s 2023 Digital Operational Resilience Act sets criteria for designating critical providers and includes requirements such as incident management and reporting, information sharing, and resilience testing. The Boston, Chicago, and Dallas Federal Reserve Banks will hold a workshop on third-party technology providers and financial stability on Oct. 16, 2025.