Leveling the Playing Field

CCG Catalyst Commentary

February 24, 2026

Due Diligence, Transparency, and the Case for an OCC Provider Database

Throughout this series, a consistent theme has emerged: banks operate at a severe information disadvantage relative to their core service providers (CSPs). Pricing is opaque. Contract terms are non-negotiable. Performance data is scarce. Financial conditions are often unknowable, and the due diligence process that regulators expect banks to conduct is resource-intensive, duplicative, and stacked against institutions that lack the scale to demand transparency. The OCC’s Request for Information (RFI) devotes seven questions to this problem, more than any other topic, and proposes several bold ideas to address it, including a publicly searchable database, a provider registry, fair contracting certification, and expanded access to reports of examination. In this seventh installment, I assess whether these proposals can deliver the transparency community banks need.

The Information Problem. Banks are expected to conduct thorough due diligence on their providers across the entire third-party risk management lifecycle — planning, selection, contract negotiation, ongoing monitoring, and termination. In theory, this is sound risk management. In practice, the information required to do it well is largely inaccessible. Non-disclosure agreements restrict banks from sharing pricing or performance data with peers. Contract terms are presented on a take-it-or-leave-it basis, and banks have no benchmark to know whether those terms are fair. Reports of examination, which contain the regulator’s own assessment of provider risk management and operational resilience, are available only to banks with existing contractual relationships, and even then, access is limited and often delayed.

The result is that banks make some of their most consequential business decisions, choosing and retaining the provider that underpins their entire operation, with incomplete information. Smaller banks, which cannot afford external consultants or dedicated vendor management teams, are hit hardest. In a market where three CSPs serve over 70% of depository institutions, this information asymmetry does not just disadvantage individual banks. It reinforces the structural concentration that limits competition and innovation across the sector.

The OCC RFI’s most consequential proposal is a publicly searchable database of community bank experiences with CSPs and other essential providers, including complaints, performance metrics, and contract benchmarks. We believe this would be transformative. A well-designed database would give banks comparative data they currently lack:

  • Anonymized information on pricing norms
  • Integration success rates
  • Support quality
  • Billing accuracy
  • Deconversion experiences.

Banks could benchmark proposals against industry reality rather than accepting provider claims at face value. The reputational accountability alone, through public visibility into complaint patterns and performance gaps, would pressure providers to improve in ways that individual bank negotiations never could.

The companion proposal, a registry requiring providers to submit and update information on service terms, contract conditions, and relationship details, would amplify these benefits. A mandatory, recurring disclosure requirement would create a dynamic repository that evolves with the market, giving banks real-time insight into how providers operate. In our experience advising community banks, access to this kind of data could reduce due diligence costs materially, strengthen contract negotiations, and expose outlier practices, such as excessive deconversion fees or restrictive data access clauses, that currently persist because they are invisible to the market.

The OCC’s RFI also asks whether the OCC should certify providers for fair contracting terms and whether examination reports should be accessible during pre-contract due diligence. Both ideas have merit but require careful calibration. Fair contracting certification, where the regulator would evaluate whether provider agreements include transparent pricing, negotiable terms, reasonable exit clauses, data ownership rights, and enforceable SLAs, could set a market standard. Providers that earn certification would signal trustworthiness, and banks would gain confidence in their selections. The risk is that certification becomes a compliance exercise rather than a meaningful differentiator, or that it imposes costs on smaller providers that reduce market competition. Voluntary participation with clear, objective criteria would be the right starting point.

Expanded access to reports of examination (ROEs) is potentially even more valuable. ROEs contain the regulator’s assessment of a provider’s risk management, operational resilience, cybersecurity posture, and compliance, exactly the information banks need but cannot obtain independently. Providing access to open portions of ROEs or targeted summaries during due diligence would give community banks supervisory-grade insight before they commit. The elephant in the room is confidentiality. Providers may become guarded during examinations if findings are shared, and proprietary details must be protected. The solution is a controlled access model: non-disclosure agreements, secure read-only portals, and redacted summaries that preserve supervisory candor while delivering actionable intelligence to banks.

One dimension that deserves special attention is provider financial condition. Banks are expected to evaluate the long-term viability of their CSPs, but many providers are privately held or private equity-backed, offering minimal financial disclosure. Banks cannot assess solvency, liquidity, or resilience to market disruption without audited financials, capital ratios, and going-concern assessments, data that providers routinely decline to share, citing confidentiality. In our experience, contract negotiations yield at best high-level summaries under NDA, insufficient for robust viability analysis. The regulator could bridge this gap by aggregating anonymized financial health indicators from its examinations (leverage ratios, profitability trends, governance assessments) and making them available through the RFI’s proposed database or registry. This would not replace individual due diligence, but it would give banks a supervisory baseline they currently lack entirely.

The regulator’s transparency proposals represent the most promising ideas in the entire RFI. A provider database, a mandatory registry, fair contracting standards, and expanded ROE access would collectively dismantle the information asymmetry that has defined the community bank-CSP relationship for decades. None of these tools alone is sufficient, but together they would fundamentally change the negotiating dynamic by giving community banks the data-driven leverage they need to demand better terms, make smarter selections, and hold providers accountable. Implementation will require balancing transparency with confidentiality, proportionality with rigor, and ambition with practicality. But the direction is right, and the urgency is real.

CCG Catalyst helps banks navigate provider due diligence, contract negotiation, and ongoing performance management with data-driven strategies. Reach out to our team for tailored guidance. Stay tuned for the next installment in our series: Regulatory Burden, Supervisory Reform, And The True Cost Of Core Conversions.