Is it allowed for U.S. financial institutions to ignore third-party cybersecurity risks when conducting vendor assessments?

Last updated on October 3, 2025

No, it is not allowed. The June 2023 Interagency Guidance on Third-Party Relationships, issued by the Federal Reserve, FDIC, and OCC, explicitly requires financial institutions to assess cybersecurity risks as part of their vendor due diligence. Institutions must evaluate the third party’s information security controls, incident response capabilities, and data protection measures. Failure to do so may result in regulatory penalties and increased exposure to cyber threats. The guidance underscores that cybersecurity is a critical component of operational resilience and must be integrated into all stages of third-party risk management.


https://www.federalreserve.gov/supervisionreg/srletters/SR2304.htm

6/6/2023
