Financial institutions have long relied on third-party vendors for essential services, and that reliance continues to grow, making a robust Third-Party Risk Management (TPRM) program a baseline expectation.
While much of today’s risk discussion centers on cybersecurity and cloud infrastructure, the recent Capital One outage, caused by a power failure at a vendor’s data center, is a reminder that legacy risks such as physical infrastructure failures remain highly relevant.
The Capital One Incident: A Case Study in Third-Party Risk
On January 15, 2025, Capital One experienced a major service outage due to technical failures at Fidelity Information Services (FIS), a key technology vendor. The disruption, which lasted several days, affected millions of customers by delaying direct deposits, disrupting payment processing, and limiting account access. The incident exposed weaknesses in operational resilience and vendor oversight and demonstrated that even non-cyber risks can have significant repercussions.
The Impact
- Delayed Direct Deposits: Many customers missed timely access to paychecks, affecting essential expenses like groceries, bills, and rent. Some reported relying on savings or skipping meals during the delay.
- Inability to Access Accounts: Customers faced account login issues and inaccurate balances on the Capital One app. Error messages blocked access to transactions or account statuses.
- Payment Processing Delays: Transfers, deposits, and payments were disrupted, causing financial strain for individuals and businesses. Businesses struggled to process payroll and pay vendors, risking reputational and financial consequences.
- Late Fees and Penalties: Customers incurred late fees and interest charges for missed payments. Concerns grew over potential credit score impacts if late payments were reported to credit bureaus.
- Lack of Communication: Insufficient updates from Capital One led to customer frustration, with social media highlighting dissatisfaction over unclear resolution timelines.
Who is Paying for Late Fees and Other Problems?
Capital One has committed to covering “all reasonable fees” caused by the outage, including late fees and penalties, even though FIS acknowledged that the outage stemmed from a power failure at its data center. While FIS resolves the technical issues, Capital One is responsible for customer reimbursements, but what happens after that?
Reviewing contractual terms and insurance policies for similar situations should be on the to-do list this year.
Regulatory Considerations for Third-Party Risk Management
Financial institutions are required to uphold numerous strict cybersecurity controls, especially those affecting financial reporting and customer data, and those requirements extend down through their vendor network. Relevant frameworks include:
FTC Guidance
Under the Gramm-Leach-Bliley Act (GLBA), the FTC mandates institutions to:
- Maintain a Comprehensive Information Security Program: Vendors must be incorporated into security programs to protect consumer information.
- Enforce Vendor Safeguards: Financial institutions must ensure vendors can meet security and operational standards, as required by the Safeguards Rule.
CFPB Guidance
The CFPB emphasizes that financial institutions:
- Tailor Risk Management Programs: Oversight must match the complexity of services provided.
- Protect Consumers from Harm: Financial institutions are accountable for ensuring vendors comply with federal consumer financial laws.
Interagency Guidance
Joint guidance from the Federal Reserve, OCC, and FDIC advises institutions to:
- Conduct Lifecycle Risk Management: Risk assessments should occur from vendor selection to termination.
- Monitor Performance Continuously: Regular evaluations of vendor operations, security, and compliance are required.
CFPB Enforcement Actions
The CFPB’s recent lawsuit against Capital One for underpaying interest on savings accounts, while unrelated to the outage directly, highlights regulatory scrutiny of financial institutions’ responsibilities to their customers.
Lessons from the Incident
These regulatory mandates highlight the necessity for financial institutions to integrate vendor oversight into their broader compliance strategy. The following lessons from the Capital One incident provide actionable guidance for improving TPRM maturity:
| Lesson Learned | Actionable Steps |
|---|---|
| Strengthen Vendor Risk Assessments | • Evaluate infrastructure stability, including redundancy and disaster recovery plans. • Regularly reassess vendors’ operational and financial stability. |
| Address Legacy Risks Alongside Cyber Threats | • Data center resilience, physical infrastructure, and power systems remain critical to business continuity. • Comprehensive risk management must address both modern cyber and traditional risks. |
| Enhance Incident Response | • Establish clear escalation protocols for vendor-related disruptions. • Communicate proactively with customers during incidents to manage expectations and preserve trust. |
| Align with Regulatory Expectations | • Integrate TPRM metrics into compliance reporting to demonstrate proactive oversight. • Ensure contracts detail vendor obligations for incident response, security practices, and compliance. |
| Contract and Insurance Review | • Understand responsibility and ownership in the event of monetary loss during an incident. |
Actionable Steps for Strengthening TPRM
- Automate Vendor Monitoring: Deploy tools to track vendor performance and detect early warning signs of potential failures.
- Refine Contracts with SLAs: Include financial penalties for non-performance, obligations for privacy compliance, and clear incident response procedures.
- Simulate Incident Scenarios: Regularly simulate vendor-related incident scenarios to improve resilience.
- Prioritize Regulatory Compliance: Align TPRM frameworks with FTC, CFPB, and interagency guidance, ensuring risk-based oversight for critical services.
Conclusion
The Capital One outage in January 2025 underscores the need for financial institutions to critically evaluate whether their TPRM programs are designed merely to meet regulatory expectations or to genuinely mitigate operational and business risks. While cybersecurity and cloud-related concerns dominate discussions, this incident highlights that physical infrastructure failures, redundancy gaps, and non-cloud dependencies remain significant threats.
Financial institutions must reassess their vendor oversight strategies, ensuring risk assessments extend beyond cyber threats to include operational resilience, disaster recovery capabilities, and contractual clarity on liability and remediation. Regulatory scrutiny continues to increase, and institutions that fail to align vendor risk management with both compliance mandates and real-world threats will face heightened exposure to financial, legal, and reputational consequences.
A proactive TPRM approach that integrates automated vendor monitoring, robust incident response planning, and enforceable contractual obligations can help mitigate these risks. Vendor oversight starts with meeting regulatory demands but quickly becomes a discussion of operational stability and customer confidence when an incident occurs.