You may find our commenting on actions of the New York State Department of Financial Services (NYSDFS) unusual since virtually none of our clients are subject to regulation by the NYSDFS. However, our clients should find useful the NYSDFS guidance on managing risks related to third-party service providers issued on October 21, 2025 (the Guidance). The Guidance does not impose new requirements or obligations on New York regulated institutions, but it does complement the existing regulations and guidance issued by federal banking regulators, clarifies regulatory requirements, and recommends industry best practices to mitigate common risks associated with third-party service providers (TPSPs), which institutions not regulated by the NYSDFS should find helpful. The NYSDFS issued the Guidance after identifying the need for more robust diligence, contractual provisions, monitoring and oversight, and TPSP risk management and procedures, especially when critical cybersecurity compliance obligations are outsourced to TPSPs. The NYSDFS notes that exposure to threats continues to grow as financial institutions increasingly rely on cloud computing, file transfer systems, artificial intelligence (AI), and fintech solutions. Continue reading >