Banks and their trade groups are growing louder in their calls for stronger oversight of core service providers. Their central concern is clear: these vendors repeatedly fail to make timely system updates needed to meet changing regulatory requirements. As a result, banks bear the compliance burden for problems they did not create.
The Office of the Comptroller of the Currency (OCC) is now listening. After issuing a request for information in November 2025 on community banks’ engagement with core providers, OCC Comptroller Jonathan Gould acknowledged the strong response. “One of the things I’ve heard loud and clear are concerns about the relationship,” he said, pointing to the “very uneven” commercial dynamics between smaller banks and their service vendors.
The Growing Pressure on Core Providers
A Concentrated Market with Outsized Influence
Three companies — Fiserv, Fidelity National Information Services (FIS), and Jack Henry & Associates — dominate the core banking market. Nearly 20 other companies also provide such services across the U.S. However, the concentration of power among the top three gives these providers enormous leverage over their bank clients.
Small banks and credit unions depend on these vendors for far more than basic back-end functions. They rely on them for account management, deposit and loan processing, payment processing, and additional services critical to daily operations. This deep dependency creates an unequal relationship — one that OCC’s inquiry is now beginning to examine.
What Banks Actually Experience on the Ground
Dissatisfaction Runs Deep
Badri Sridhar, managing director in FTI Consulting’s financial services practice, works regularly with banks and nonbanks on regulatory compliance implementation. His observations are consistent across clients. He has yet to hear a single institution say it is genuinely satisfied with the service it receives — particularly when defects arise.
“I haven’t heard any client say, ‘I’m really happy with the service I’m getting,’ especially when they have defects,” Sridhar noted, citing the long lead times vendors take to resolve issues.
Moreover, the scale of impact makes these failures especially damaging. When a core provider has a compliance problem, it does not affect one bank. Instead, it can affect a large number of customers across multiple institutions simultaneously, triggering the need for widespread coding changes or system updates.
The Compliance Gap Core Providers Leave Behind
When Vendors Disagree with Regulators
One of the most troubling dynamics Sridhar describes is when core providers push back on identified compliance issues. He and his team have flagged noncompliant system behavior on multiple occasions. Each time, the core service provider’s compliance team disagreed with the assessment. Yet in every case, Sridhar’s team ultimately reached resolution — and won.
This pattern raises a serious concern. Banks that lack in-house expertise or outside consultants may simply accept the vendor’s position. They could, therefore, remain noncompliant without knowing it. Furthermore, this places smaller institutions at considerable regulatory risk through no fault of their own.
Custom Code Stacks Up — and So Do the Risks
The Hidden Danger of Legacy Workarounds
When core providers delay updates, banks face a difficult choice. They can either pay the vendor to make the changes or implement fixes in-house, provided they have a capable programming team. Many institutions choose the in-house route due to the high cost of vendor-led updates.
However, this approach creates a serious long-term problem. Custom code layers on top of existing core code. Then more custom code layers on top of that. Years pass, and the complexity compounds. Eventually, untangling the accumulated code becomes nearly impossible.
Additionally, many of these legacy systems run on COBOL — a coding language that requires specialized knowledge. Furthermore, the pool of professionals fluent in COBOL is shrinking steadily as experienced developers retire. This creates a ticking clock for institutions still relying on mainframe-based systems.
Can the OCC Hold Core Providers Accountable?
Regulatory Action Remains Uncertain
Gould confirmed that the OCC actively engages with major service providers, and all are subject to oversight by the OCC and other federal banking agencies. Nevertheless, Sridhar notes a significant gap between stated authority and actual enforcement.
“I’ve seen the OCC and other regulators come down on the banks,” he said. “But I have not necessarily seen that with the core service providers in practice.” He added that it will be worth watching whether any supervisory or enforcement actions actually follow from the current inquiry.
Additionally, assessing how often banks face consequences for problems rooted in their vendor’s system is nearly impossible. There is no public mechanism to make that determination. Sometimes, custom code added by the bank itself causes the issue. Other times, the vendor clearly bears responsibility but remains shielded from accountability.
Why Changing Core Systems Is So Difficult
The Hidden Cost of Migration
Even when a bank decides enough is enough, switching core providers is not simple. Migrating an entire code base to a new system takes months — sometimes years. For complex institutions with multiple products spread across different systems, the challenge multiplies further.
Sridhar even recounted a situation where a large bank switched to a newer system and ended up with more compliance problems than it had with the old one. Moreover, the full cost of migration extends beyond technology. It includes hiring system vendors, engaging consultants, and redirecting internal team resources for an extended period. Given these obstacles, many institutions choose to defer the effort in favor of more immediate priorities.
What Could Finally Drive Market Change
Two Catalysts on the Horizon
Sridhar identifies two potential drivers that could eventually shift the market dynamic. First, new and more nimble competitors could enter the space. The barrier to entry is currently very high — but if more agile players emerged, they could respond faster to update requests, resolve defects more efficiently, and make migration simpler. That would give banks meaningful alternatives.
Second, the retirement of COBOL-fluent developers may force the industry’s hand. At some point, institutions will simply lack the human resources to maintain legacy mainframe systems. When that threshold arrives, change will become unavoidable. Furthermore, the OCC itself should examine the pressures core providers face internally before issuing its conclusions, Sridhar suggests. Understanding those constraints could lead to more balanced and practical regulatory outcomes.
Conclusion: The Industry Needs a Better Deal
Banks — especially smaller community institutions — deserve core service providers that deliver timely, compliant, and responsive systems. Currently, the relationship is unequal. Vendors hold the leverage, compliance gaps persist, and banks absorb the regulatory fallout. The OCC’s inquiry is a meaningful step toward accountability. However, meaningful change will require enforcement, market competition, and a recognition that banks cannot continue to patch over systemic vendor failures alone.
