B
Banking Vendor Standards Council
The Founding Dossier
Working draft · for discussion
Not legal advice · May 2026
An industry solution to an industry problem

One assessment.
Every bank.

A proposed non-profit, multi-stakeholder body that develops uniform banking-specific compliance standards for technology vendors, administers a tiered certification, maintains a public registry, and pursues regulatory recognition. A universal passport in place of hundreds of duplicative questionnaires.

1 founding white paper 3 working papers 2 interactive tools 8 framework domains
Five core functionstap a frame to explorenavigate the dossier below
The case, in brief

A broken due-diligence system

American banks depend on outside technology providers more deeply than at any point in their history. The system for evaluating those providers has not kept pace. It is fragmented, duplicative, and structurally unable to surface the concentrated risk a shared vendor creates across hundreds of institutions at once.

30%
of breaches in 2024 involved a third party, double the prior year
Verizon DBIR 2025
$6.08M
average financial-services breach cost in 2025, well above the cross-industry mean
IBM Cost of a Data Breach 2025
74+
U.S. institutions hit by a single vendor breach in 2025, up to 1.35M individuals exposed
Marquis incident filings

The arithmetic of duplication

The core inefficiency is multiplicative. Every bank assesses every material vendor on its own, so the system performs roughly banks times vendors assessments per cycle, most of them redundant reviews of the same controls at the same providers. Certification makes the problem additive: each vendor is assessed once against the BTCF by an accredited firm, and every bank consults the registry. Toggle the two states below. The drawn network is a sample; the arithmetic is the point.

One picture · two regimes
20
Assessments per cycle · today
0banks × vendors
Assessments per cycle · with BVSC
0one per vendor + 0 registry consultations
At national scale the collapse is starker. Roughly 4,400 insured institutions against a certified universe of 200 material vendors implies on the order of 880,000 bank-side assessments per cycle today, against 200 certifications plus registry consultations that take minutes, not months. Dashed lines are consultations of the public registry, not assessments.

Six structural failures

FAILURE 01

No uniform baseline

SOC 2, ISO 27001, and PCI DSS address general IT controls, not BSA/AML passthrough, model-risk governance, or FFIEC examination expectations. A bank cannot rely on them to satisfy interagency TPRM guidance.

FAILURE 02

Duplicative burden

One core processor answers hundreds of idiosyncratic questionnaires a year. No mechanism lets a bank formally accept an external certification in lieu of its own assessment.

FAILURE 03

Community banks disadvantaged

Large institutions staff dedicated vendor-risk teams. Community banks rely on the same high-risk vendors without equivalent resources, an inequity embedded in the dual banking system.

FAILURE 04

Provider onboarding lag

A different complex assessment at every bank creates an onboarding lag that can threaten a smaller technology service provider's viability before revenue begins.

FAILURE 05

Invisible concentration

When one provider serves hundreds of banks, a single failure is systemic. No domestic framework flags this at the vendor level until it detonates.

FAILURE 06

Emerging categories unaddressed

AI underwriting, BNPL, stablecoin infrastructure, and agentic tools present risks legacy frameworks and the 2026 model-risk guidance were not designed to evaluate.

Marquis is not an outlier. It is the pattern.

A single vendor failure cascading across many institutions is a recurring structural event, not a freak occurrence. Four incidents span three years and three sectors. None was preventable by any one customer acting alone.

MOVEitBanking, direct · May–Oct 2023
60+ U.S. banks · 2,700+ orgs worldwide

Most affected banks never ran MOVEit. They were breached through a tech partner, or a partner's subcontractor, three and four parties deep.No bank can audit its way to safety when the vulnerable code sits four vendors downstream.

ICBC FSSystemic infrastructure · Nov 2023
U.S. Treasury clearing disrupted

A ransomware attack on one bank's U.S. arm severed its Treasury-clearing connection, forcing settlement onto a USB stick carried through Manhattan. The entry point was a single unpatched vendor appliance.One vendor's unpatched server became a stress test for the world's deepest sovereign-debt market.

MarquisBanking, direct · Aug 2025
74+ institutions · up to 1.35M individuals

A vendor serving community banks and credit unions was breached, exposing SSNs, TINs, and account-level data. The affected institutions were the constituency least able to conduct deep independent diligence.The institutions least able to vet a shared vendor are the ones most exposed when it fails.

CDK GlobalAdjacent, a preview · Jun 2024
~15,000 dealerships · $1B+ in three weeks

Not a bank vendor, but the structure is identical: one provider, an entire industry's operations, an always-on integration path.Substitute "core processor" for "dealer-management system" and the banking scenario writes itself.

Why this moment

DORA

Critical providers designated

On 18 November 2025 the European Supervisory Authorities published the first list of 19 designated Critical ICT Third-Party Providers. A U.S. processor serving European banks complies; the same provider serving 5,000 U.S. community banks faces no equivalent obligation.

AI CARVE-OUT

The model-risk vacuum

The April 2026 interagency Model Risk guidance rescinded SR 11-7 and stated that generative and agentic AI are not within its scope, inviting a future RFI. No domestic framework governs vendor-deployed AI in banking. BVSC claims and monitors the domain from the outset, then sequences the binding standard last, by design, so it sets the baseline once the field has settled rather than freezing it early.

DEREGULATION

A tailwind, not a headwind

As agencies step back from granular third-party oversight, they create the vacuum a credible industry-government standard is designed to fill. A standard co-built with regulators is how the system stays safe while the prescriptive touch lightens.

The argument in five steps

The market has failed

No body sets banking-specific compliance standards for technology vendors, issues a certification banks can credit against interagency guidance, or makes concentrated vendor risk visible before it detonates. The recent cascades are the pattern, not the anomaly.

The moment is right

DORA has begun designating critical ICT providers for direct oversight, while the 2026 U.S. model-risk guidance explicitly carved AI out of scope. There is regulatory air cover for an industry-developed standard to lead.

The model is proven, and so is its ceiling

PCI SSC, FFIEC, the CSBS Nationwide Cooperative Agreement, IEEE SA, and NACHA each solved an analogous problem. CFES proves the live demand for this body and the ceiling a purely private one hits: with no regulator at the table, it can only produce an advisory report, never a credential carrying supervisory weight.

The design is honest

Certification is a baseline, not a discharge of bank responsibility, the posture both U.S. and EU supervisors already expect. Reciprocity without examiner credit is explicitly a partial solution, so the regulatory-engagement work is load-bearing and treated as such.

The objections have shaped the structure

Antitrust safeguards, state-regulator representation, a committed AI and agentic-AI module sequenced after the mature domains, cross-jurisdictional mapping, and a published residual-limitations list are not afterthoughts. They are responses to the sharpest objections, built in from the outset.

The cost of inaction is not the absence of a standard. It is the continuation of a fragmented system in which systemic vendor risk remains invisible to regulators, duplicative diligence consumes bank resources, and community banks bear disproportionate exposure to risks they cannot independently assess.

BVSC Founding Rationale
What BVSC is, and how it governs itself

The Council

A non-profit, membership-funded, industry-governed standard-setting organization, structured as a 501(c)(6) trade association, incorporated in Delaware with operating presence in Washington, D.C. It is legally independent from any government agency, bank, or technology company, and functions as the governance layer where existing payment, messaging, architecture, and data standards meet bank risk-management obligations.

Five core functions

FUNCTION 01

Publish uniform standards

Develop and maintain the Banking Technology Compliance Framework, built on FFIEC, NIST CSF 2.0, and interagency TPRM guidance, with modules legacy frameworks omit: model-risk governance, AI and agentic-AI transparency, AML passthrough, and consumer-compliance pass-through.

FUNCTION 02

Issue the universal passport

Administer a tiered certification through which vendors are assessed by accredited independent audit firms and issued a publicly searchable certificate member banks credit as a due-diligence baseline.

FUNCTION 03

Maintain a public registry

A searchable registry showing certification tier, scope, last review date, and material conditions, consulted before independent diligence and referenceable by examiners.

FUNCTION 04

Accredit assessment firms

Certify and oversee a network of Qualified Security Assessment Organizations, mirroring the PCI SSC's QSA model and firewalled from standard-setting.

FUNCTION 05

Pursue regulatory recognition

Engage the FFIEC member agencies, FinCEN, and state banking departments to negotiate examiner reference to BVSC certification. This is the load-bearing element of the entire thesis, and the single most important execution risk.

Board composition

The board draws on the IEEE SA one-entity-one-vote principle, with one structural anchor: banks hold at least half of every decision-making body, in all circumstances. The institutions that carry the risk, answer to examiners, and rely on the certification hold the majority of seats. But adoption requires a two-thirds supermajority, so a bank majority cannot impose a standard on the technology service providers it assesses without cross-bloc support, and the non-bank blocs together retain a collective check. The illustrative floor below is twelve voting directors: six banks, three independents, and three technology service providers.

≥6 voting

Bankers

Large, regional, and community-bank representation across every asset tier, including the ABA and ICBA. A structural majority: never fewer than half the board.

3 voting

Independents

Technologists, academics, and former bank supervisors with no commercial stake in certification outcomes. The neutral ballast, and the channel through which supervisory judgment enters the vote.

3 voting

Technology service providers

The constituency assessed against the standard, held as a structural minority so no standard passes on the votes of the regulated alone.

Non-voting: a technical advisory panel of accredited assessors informs the board on assessment practice without voting on the standard they apply, and four regulatory observers, the FDIC, Federal Reserve, OCC, and CSBS, attend every layer without a vote. Current supervisors observe rather than vote on a private standard; former supervisors among the independents carry that judgment into the ballot.

Board leadership: two models

Who holds the gavel shapes agenda control, and the evidence base shows chair affiliation measurably influences outcomes. Two models are on the table. The founding cohort chooses one in the bylaws.

Model A · Co-chairs

Neutral shared gavel

Two co-chairs share the chair. The non-bank chair is seated from the independents, so neither a commercial bank nor a commercial provider leads alone and the gavel stays with a neutral party.

Co-chairBank bloc
Co-chairIndependent bloc · neutral
Model B · Chair & vice-chair

Bank chair, provider vice-chair

A single chair drawn from the bank bloc, paired with a vice-chair drawn from the technology service providers. Leadership sits with the two commercial constituencies that build and rely on the standard, checked by the two-thirds adoption rule and the independents' balance-of-power vote.

ChairBank bloc
Vice-chairTechnology service provider bloc

Test the balance yourself

The strongest finding in the standards literature is also the simplest: a body fails the moment one constituency can quietly dominate it. BVSC's answer is a bank majority paired with a supermajority adoption rule. Adjust the seat counts and watch what the arithmetic guarantees, and what it forbids. Banks cannot be dragged below half, by design.

Balance simulator · illustrative
50% · bank majority floor
How to read it. The minus button on Banks is disabled once the bank bloc sits at exactly half the board; the floor is enforced, not merely checked. Adoption needs two-thirds of the seated board, so banks at 50% still need at least one other bloc to carry a standard, while the non-bank blocs together can always muster the votes to block one.

A majority, tiered across every bank size

A bank majority means little if it speaks with one voice. The community bank on a shared core and the G-SIB running its own vendor-risk shop face the same providers with wildly different resources, so the bank seats are apportioned across six FDIC-style asset tiers, each guaranteed at least one seat. The floor below seats one director per tier; as the bank bloc expands above the floor, added seats tilt toward the smaller institutions that carry the most concentrated shared-vendor exposure with the least capacity to assess it alone.

Bank-bloc seats by asset tier · illustrative
Every tier is represented. No asset band is spoken for by another; a $900M community bank and a G-SIB each hold their own seat at the floor. Allocation is a founding-cohort decision, shown here as an illustrative floor of one seat per tier, not a fixed rule.

Membership tiers

TierEligibilityAnnual duesGovernance rights
FoundersG-SIBs and leading technology platform providers$50,000Permanent board-seat eligibility; veto on technical-roadmap milestones; working-group co-chair access
GeneralMid-tier banks and Series C+ technology service providers$15,000Full voting on working-group outputs; board-election eligible; full registry access
AssociateCommunity banks and seed / Series A technology service providers$3,000Working-group participation; standard templates; advisory input on drafts
AffiliateRegulators, academics, law firms$1,000Advisory status; research and bulletins; no voting rights

Antitrust safeguards

FRAND commitment

Early disclosure of essential patents and binding fair, reasonable, and non-discriminatory licensing, enforced by the independent board.

Pro-competitive purpose

Every collaborative activity memorializes a rationale; pricing, output, and market-division topics are prohibited in all forums.

Open participation

Any entity with relevant expertise may contribute; no Founder may block a competitor's participation.

Royalty-free standard

The BTCF is published royalty-free; certification registration fees and annual license-renewal fees cover assessment and registry operations, not access to the standard.

Operational roadmap

What success looks like

HorizonTarget
Year 3 · Adoption100+ certified vendors, including 5+ Tier III core processors and 3+ hyperscale cloud providers, enough to make registry consultation an institutional default.
Year 3 · ReciprocitySigned commitments from institutions representing 60% of U.S. banking assets, across all four FDIC institution-size tiers.
Year 5 · RecognitionFFIEC member agencies and at least 25 state banking departments formally reference BVSC certification within published TPRM examination procedures.
Year 5 · BurdenMedian vendor due-diligence cycle time among member banks reduced at least 50% relative to the 2026 pre-BVSC baseline.

These are objectives, not forecasts. Regulatory-recognition outcomes depend on agency action BVSC cannot guarantee, which is precisely why the proposal treats regulatory engagement as the central execution risk.

The standard, the passport, and where it fits

The Framework

The Banking Technology Compliance Framework is a modular, tiered standard that maps to existing regulatory expectations while adding banking-specific requirements general frameworks omit. It does not replace ISO 27001, NIST CSF 2.0, or the Shared Assessments SIG. It translates them into an assessable, banking-specific standard.

The eight BTCF domains

DomainRegulatory basisModule
Cybersecurity & Operational Resilience
Access control, encryption, incident response, continuity, fourth-party oversight
NIST CSF 2.0 · FFIEC IT Handbook · SP 800-161r1Core
Data Governance & Privacy
Classification, NPI handling, residency, subcontractor data flows
GLBA Safeguards · NYDFS Part 500Core
AML / BSA Compliance Capability
Vendor-side monitoring, CDD, SAR, FinCEN reporting
FinCEN Program Rule · FFIEC BSA/AML ManualCore
AI & Agentic-AI Governance
Validation independence, explainability, human-in-the-loop, prompt-injection resilience, agentic authorization boundaries
FIL-15-2026 carve-out · forthcoming RFI · EU AI ActSequenced last
Model Risk & Validation
Inventory, materiality tiering, validation rigor, ongoing monitoring
2026 Interagency MRM · prior SR 11-7 precedentCore
Financial & Operational Stability
Financial-health disclosure, key-person risk, exit planning, concentration reporting
Interagency TPRM Guidance 2023Core
Consumer Compliance Pass-Through
Pricing, underwriting, collections for consumer-facing applications
UDAAP · Fair Lending · ECOA · Reg BCore
Real-Time Compliance Monitoring API
Machine-readable risk-signal feeds for continuous monitoring
DORA (precedent) · FFIEC IT HandbookPhase 3

The AI and Agentic-AI module is a committed, co-equal pillar, but it is sequenced last by design. The mature, well-precedented domains are standardized first; standardizing a fast-moving field too early risks locking in inferior technology and crowding out innovation, the timing problem the evidence base flags directly. BVSC holds the AI module open as a watching brief and standardizes it only once practices settle. Standards update on a two-year cycle with a minimum 60-day public comment period.

The universal passport: three tiers

Beneath the three tiers sits one fundamental question the assessment answers first: can this provider actually do what it claims? Before any control is tested, BVSC evaluates whether the partner has the requisite expertise and experience in its board and leadership team to deliver what it says it can. A control framework measures what a provider has built; the foundational capability gate measures whether the people running it are equipped to keep it standing. A provider that cannot clear the gate does not proceed to control testing.

TIER I

Foundational

The base gate for every provider: an assessment of board and leadership expertise and experience against the provider's stated capabilities, plus self-assessment against BTCF core, BVSC-reviewed documentation, and annual attestation renewal.

Capability and leadership review; basic registry profile; annual staff attestation review.

TIER II

Certified

Mid-risk vendors with data or system access. Full BTCF assessment by accredited QSAO, on-site or remote control testing, biennial reassessment with annual monitoring.

Full registry listing; eligible for gap-analysis recognition by member banks.

TIER III

Critical

Core processors and systemic providers. Full BTCF plus all modules, annual reassessment, continuous monitoring, concentration-risk disclosure required.

Full listing with findings disclosure; regulatory-observer notification for material findings.

Reciprocity, and its limits

Certification has value only if banks actually credit it. BVSC pursues a formal mutual-recognition framework: a signed commitment by member banks to accept a valid Tier II or Tier III certification as a baseline, conducting only institution-specific gap analysis on top.

Reciprocity without examiner credit is approximately a 60-percent solution. A bank can use BVSC certification as a baseline, but must still document its reliance and conduct institution-specific gap analysis. The full prize requires the formal regulatory-engagement work.

On the honest limits of reciprocity

The stress test: when a certified vendor fails

A certification regime is judged by its first crisis, not by its first certificate. Some vendor holding a valid BVSC certificate will eventually suffer a material incident, and the design has to assume it from the outset. The precedent is instructive: Heartland Payment Systems had been validated PCI-compliant before its 2008 breach, and Target had passed a PCI assessment weeks before its 2013 compromise. The lesson is not that certification failed. It is that a point-in-time assessment was asked to carry a weight it never claimed, and the regime had no pre-committed answer for the moment the gap showed. BVSC writes that answer into the framework before the first certificate is issued.

Flag first, investigate second

On a material incident at a certified vendor, the registry entry carries an incident flag and moves to under-review status within 72 hours, and every member bank listed as reliant is notified through the registry. The map function, not a press cycle, is how reliant institutions learn their exposure.

Separate control failure from assessment failure

An independent post-incident review answers one question: did controls drift after a sound assessment, or did the QSAO miss what was there? The second finding triggers a parallel accreditation review of the assessing firm, up to suspension. Assessor accountability is what keeps the passport from inflating.

Publish the findings into the standard

A redacted post-incident report enters the BTCF revision record, and the control gap it exposes is addressed in the next published cycle. Every failure makes the standard harder to fail the same way twice, which is the property no bank-by-bank questionnaire regime has ever had.

Remediate or revoke on a published ladder

Cure period, re-assessment, restoration or revocation, each step visible in the registry as it happens. A bank's reliance file updates itself, because the registry states are the ladder.

Never let the certificate become the defense

Certification is evidence of diligence at a point in time. It is not a warranty of vendor performance, not a substitute for the bank's own risk management, and not a liability shield. That is the posture the sharpest critics in the 2020 docket demanded, and conceding it up front is what makes the rest of the protocol credible.

What the certificate asserts
  • The vendor's controls met the BTCF at the assessment date, verified by an accredited independent firm.
  • Continuous attestation obligations are current and material changes have been reported.
  • The scope, tier, conditions, and expiry are exactly what the public registry entry says they are.
What it never asserts
  • That the vendor cannot be breached, or that controls have not drifted since assessment.
  • That a reliant bank has discharged its third-party risk obligations under interagency guidance.
  • That certification shields the vendor, the assessor, or the bank from supervisory or legal consequence.

PCI survived Heartland because the card networks could compel participation regardless of the embarrassment. BVSC has no compulsion lever, so its crisis protocol has to be written before the first certificate, not after the first breach.

Design principle · certification integrity

Where BVSC fits, and how it differs

The financial sector already has a robust ecosystem of standards bodies. BVSC does not replace them. It occupies a distinct governance layer none addresses: the risk-management and compliance interface between banks and their technology partners. The most instructive comparison is the Coalition for Financial Ecosystem Standards (CFES), the proof of demand and the proof of the ceiling a purely private body hits.

CapabilityBVSCCFESHITRUSTTruSightShared A.
Banking / vendor-specific control setYesPartialNoPartialNo
Pass/fail certification (not advisory)YesNoYesNoNo
Public certification registryYesNoYesNoNo
Binding bank-side reciprocityYesNoNoPartialNo
AI & agentic-AI governance moduleYesNoPartialNoNo
Multi-stakeholder voting governanceYesNoNoNoPartial
State-regulator (CSBS) at the tableYesNoNoNoNo
Regulator observers in governanceYesNoNoNoNo
Active regulatory-recognition pathwayYesPartialNoNoNo

The single design choice that lets BVSC offer a defined pass/fail certification with supervisory weight, rather than CFES's necessarily hedged maturity report, is the presence of government in its governance. The maturity model is what an organization builds when no regulator will stand behind a bright line. The bright line is what regulatory participation buys.

The 2020 FDIC precedent

BVSC is not a novel idea, and that is its strongest evidence. In July 2020 the FDIC issued a formal request for information (RIN 3064-ZA18) asking the precise question BVSC answers: should a public-private body set standards and run a voluntary certification for the models and third-party technologies banks rely on? Forty-five comment letters responded. The docket is the closest thing to a market test this concept has, and the live, interactive analysis of all 45 letters is in the Certification RFI tab.

LESSON 01

Demand is real, but conditional

Industry broadly welcomed the concept, but tied approval to a real reliance mechanism, the participation of every banking agency, and protection against cost, capture, and duplication.

LESSON 02

Reliance is the hinge

Every position reduced to one question: does a certification mean anything at the examination table? Without supervisory reliance, certification is a cost with no offsetting benefit, and the industry said so plainly.

LESSON 03

The opposition is serious

AFR, the NCLC, and Professor Odinet argued a reliance safe harbor would become a fair-lending liability shield and an abdication of the FDIC's own supervisory duty. These are the objections a credible proposal must answer.

The unexpected common ground: neither camp trusted a purely industry-run body. Industry wanted every federal banking agency as an active contributor; opponents wanted the regulator to build its own capacity. For opposite reasons, both insisted the regulator must not stand back. BVSC's governance is the synthesis of that shared instinct.

Three companion papers

Working Papers

Each working paper takes up one of the sharpest objections to the founding proposal and answers it in detail: jurisdictional duplication, the role of AI in assessment, and the organizational design that keeps the body credible to a regulator.

WP No. 1

The DORA–BTCF Crosswalk

Answers the objection that a U.S. vendor-certification regime would simply add another compliance layer on top of the EU's Digital Operational Resilience Act, by mapping the BTCF control by control against DORA's third-party-risk provisions.

The headline result

A single, well-designed BTCF assessment can be engineered to produce documentation that directly evidences a substantial majority of the enumerated DORA obligations a vendor faces, leaving only a defined residual set that is genuinely EU-specific. Each mapped obligation gets one of four coverage ratings.

DIRECT

A BTCF control produces documentation that directly evidences the DORA obligation. Most of the Article 28 principles and the Article 30 contractual core.

PARTIAL

The control evidences the substance, but an EU-specific formality or counterparty step remains. Register of Information fields, notification steps.

STRUCTURAL

The BTCF mirrors the concept, but the DORA mechanism is a supervisory act no certification can perform. Tier III is modeled on Article 31 but cannot confer it.

RESIDUAL

Genuinely EU-specific, outside any U.S. framework. The EU-subsidiary requirement for designated providers; participation in ESA oversight.

Representative crosswalk rows
BTCF control objectiveDORA articleCoverage
DORA-conformant master service agreement templateArt. 30(1)–(2)Direct
Business continuity with tested recovery objectivesArt. 30(3)(c)Direct
Fourth-party / subcontractor oversight and chain mappingArt. 28(1), 30(5) RTSDirect
Register of Information data fields (provider-supplied)Art. 28(3)Partial
Threat-led penetration testing participationArt. 26–27Partial
BTCF Tier III "Critical" designationArt. 31Structural
EU-subsidiary establishment for designated CTPPsArt. 31Residual
The design principle that holds it together

Assess templates, not transactions. Rather than reviewing each of a vendor's contracts against DORA's Article 30 checklist, a BTCF control assesses whether the vendor maintains a standard MSA template containing all the required clauses. One template assessment replaces hundreds of contract reviews, and that single choice produces most of the Direct ratings.

WP No. 2

AI-Assisted Qualified Assessor Review

How machine assistance can supplement expert judgment in BTCF certification, with SOC 2 review as the worked example. The thesis is narrow: AI handles the mechanical layer; the human retains every consequential judgment.

The division of labor

Assign each task to AI, to the human, or to a supervised collaboration, based on whether it is rule-governed or judgment-bound. AI owns the mechanical layer outright; a narrow band is shared; every consequential judgment and the signature is human only.

TaskOwnerRationale
Completeness & structure checkAI leadsDeterministic presence test; AI does not skip sections under time pressure.
Exception extraction & structuringAI leadsHigh-volume reading; produces a complete, sourced exception register.
Control-to-criteria-to-BTCF mappingSharedAI proposes the mapping; the assessor confirms it cell by cell.
Carve-out / subservice detectionSharedAI flags every carved-out org; the assessor decides which matter.
Scope-adequacy determinationHuman onlyWhether the scope matches the real relationship is professional judgment.
Banking-specific sufficiencyHuman onlyThe central BTCF judgment a generic SOC 2 never addressed.
Certification decision & sign-offHuman onlyThe accredited assessor of record owns and signs the conclusion. Never delegated.
Where AI fails, and how BVSC contains it

Confident fabrication

Every AI assertion must cite its source location. Unsourced conclusions are rejected by design; a single fabricated citation fails the tool's accreditation.

Judgment masquerading as extraction

The tool is structurally barred from emitting scope-adequacy, materiality, or sufficiency conclusions. Those fields are absent from its output schema.

Prompt injection via the report

The ingested report is untrusted input. The tool runs with OWASP-consistent injection defenses and is itself governed as a model under the BTCF.

Automation complacency

The workflow forces active human decision on every judgment field; a provenance audit trail records who decided what, for any peer reviewer or examiner.

The test of the workflow is a single question a peer reviewer should answer from the record alone: did a human, not a tool, make every judgment that mattered? Practitioner reporting puts the efficiency gain near an order of magnitude, 300 to 500 hours down to 110 to 170.

The human-in-the-loop standard
WP No. 3

Organizational Structure & Working-Group Architecture

An FDX-style operating structure: a small full-time staff that runs the institution, with the real standard-development work carried by industry-led, dual-chaired working groups, adapted so regulators sit at the table where FDX keeps them out.

Five layers, mirroring the Financial Data Exchange
LayerRole
Board of DirectorsBanks hold ≥50% in all circumstances; illustrative floor of ≥6 bankers (across all asset tiers), 3 independents, 3 technology service providers (voting); technical advisory panel and four regulatory observers (non-voting).
Executive Steering CommitteeActs between quarterly board meetings; board chair(s), bloc representatives, and senior staff (non-voting).
Standards Review CommitteeTechnical oversight and version alignment across all working groups; owns the two-year revision cycle.
Certification Oversight CommitteeQSAO accreditation, registry integrity, appeals. The body FDX lacks, walled off from standard-setting.
Domain Working GroupsOne per BTCF specialty area, dual-chaired by a bank and a vendor technical lead, with regulator observers.
Task ForcesTime-limited, cross-cutting work chartered by a working group or the board; dissolve on delivery.
How balance is maintained

FDX balances financial against non-financial institutions and keeps regulators out. BVSC gives banks a structural majority and seats every prudential supervisor as an observer. Banks hold at least half the board because they carry the risk and answer to examiners, but adoption takes a two-thirds supermajority, so a bank majority still needs cross-bloc support to carry a standard. The technology service providers are a structural minority so no standard passes on the votes of the regulated alone; independents are the neutral ballast; and one-entity-one-vote within each bloc prevents a large member dominating by sending more people.

Current regulators watch; former supervisors vote. That is the difference between a useful technical standard and a standard a supervisor can rely on.

The adaptation, in one sentence

The full slate, with named candidates for every board and working-group seat, is in the Org Structure tab.

The academic and empirical foundation

The Evidence

BVSC's design is not improvised. The scholarly literature on standard-setting organizations, read against real financial-sector precedents, converges on a single prescription: a balanced, multi-stakeholder body with tiered-but-equal voting, consensus decision-making with open public comment, a royalty-free core IP policy, and transparent due process. Those are the same attributes the CFPB codified for recognition under Section 1033, and the ones this proposal is built to.

Balance of interests is the master variable. No single group, large banks, community banks, or vendors, should be able to carry a standard alone.

Fiedler, Larrain & Prüfer (2023) · Simcoe · ANSI · CFPB 1033
WELFARE PEAKS AT BALANCE BVSC aims here VENDOR-LED hold-up, rents BALANCED peak welfare BANK-LED innovators exit DEGREE OF DOWNSTREAM (BANK) CONTROL → WELFARE · PARTICIPATION
The inverted-U. Fiedler, Larrain and Prüfer (2023) find welfare peaks when control is shared, not when either side dominates. BVSC's no-bloc-majority rule aims the board at the top of the curve.

What the literature prescribes, and where BVSC answers

Theme 01 · The master variable

Balance of interests

Finding

Fiedler, Larrain and Prüfer1 model shared SSO control and find an inverted-U: some downstream (bank) power curbs vendor hold-up, but too much deters the innovators a standard needs. ANSI2 and the CFPB3 both bar any single interest from dominating.

Precedent

FDX seats data providers and third parties equally, with reserved non-commercial seats. PCI SSC, where the card brands hold a permanent Executive Committee above the consensus process, is the textbook capture case.

In BVSC

Three voting blocs with banks holding a structural majority (≥50% in all circumstances), a two-thirds adoption rule so banks still need cross-bloc support to carry a standard, technology service providers held as a structural minority, and regulators present only as non-voting observers.

Theme 02 · Membership

Tiers without pay-to-play

Finding

Practitioners value a broad membership base, equal votes, low cost, and free implementation (Wiegmann et al.)4, and large and small members pull in opposite directions (Fiedler et al.)1.

Precedent

MISMO dropped tiered membership in 2017 to kill pay-to-play and runs one-member-one-vote. Nacha reserves rule votes for Direct Members whose dues run tens of thousands a year.

In BVSC

Tiered dues so community banks and small vendors can afford a seat, but votes decoupled from fees, one organization one vote within its category, and the standard free to implement.

Theme 03 · Governance

Board and committee design

Finding

Simcoe5 frames the core task as winning adoption without hold-up, and warns that consensus-as-unanimity drives delay. Chair affiliation measurably shapes outcomes (Baron and Kanevskaia)6.

Precedent

MISMO elects governance committees to two-year terms with a six-year cap, and the drafting happens in open workgroups.

In BVSC

Leadership under one of two models — co-chairs (one bank, one independent) or a bank chair with a technology-service-provider vice-chair — two-year staggered terms, elected committees over open working groups, and chairs who disclose affiliations and recuse on conflicts.

Theme 04 · IP

Royalty-free core

Finding

FRAND is the modal regime (about 86.5% of SSOs in the Searle database)7, but royalty-free maximizes adoption in interoperability domains. Chiao, Lerner and Tirole8 find, against intuition, that less-strict IP rules track higher standard quality.

Precedent

FDX and the open-banking world are royalty-free. W3C switched to a royalty-free patent policy in 20049 after a developer backlash.

In BVSC

A royalty-free core with reciprocal grant-back and a disclosure-and-exclusion procedure on the W3C model, with a FRAND fallback reserved for any optional patent-encumbered module.

Theme 05 · Openness

Open process, members-only votes

Finding

Legitimacy is built across input, throughput, and output (Botzem and Dobusch)10. Open process earns credibility but slows as commercial stakes rise (Simcoe)5.

Precedent

Nacha lets anyone, member or not, submit ideas and comment on a request for comment. The CFPB's first recognition attribute is openness, explicitly including consumer and public-interest groups.

In BVSC

Public comment on every draft, published agendas and minutes, open idea submission, members-only final votes, and a published basis for each decision.

Theme 06 · Recognition

Competition and focal status

Finding

Firms forum-shop on membership base and rules (Wiegmann et al.; Lerner and Tirole)4,11. Recognition confers focal-point status and guards against fragmentation.

Precedent

The CFPB allows multiple recognized setters, which the Bank Policy Institute warns could fragment formats12. It recognized FDX first, in January 20253.

In BVSC

Pursue prudential-regulator recognition early, interoperate with MISMO, FDX, Nacha, X9, and ISO 20022 rather than overlap them, and occupy the open ground of bank-vendor and third-party-risk standards. See Agency Pathways.

Theme 07 · Innovation

Standardize the stable layer

Finding

Standards cut transaction costs and build trust, but setting them too early can lock in inferior technology (Blind; Farrell and Saloner)13,14.

Precedent

The recurring lesson across telecom and information-technology standards bodies, where premature lock-in is the standing risk.

In BVSC

Standardize the stable layer (interfaces, security baselines, risk and due-diligence taxonomies), leave fast-moving product features unstandardized, and use versioning and sunset clauses. See the standards calendar.

Theme 08 · Financing

Funding without conflict

Finding

Firms prefer low-cost participation and free implementation4, and revenue dependence on certification can pull against neutral standard-setting.

Precedent

Nacha runs on member dues, MISMO on dues and an innovation fee, PCI partly on certification and training revenue.

In BVSC

Scaled dues by size with the standard free to implement, plus recurring certification revenue from registration fees and annual license renewals, and reduced or free tiers for community banks and consumer groups. Certification governance stays ring-fenced from standard-setting, so no single revenue stream can skew the standard. See the Certification Oversight firewall.

Models and anti-models

THE ANTI-CAPTURE IDEAL

FDX, MISMO, Nacha

Equal or one-member-one-vote, royalty-free or open access, public comment, and at FDX reserved non-commercial seats. These are close to the bodies the literature would design, and BVSC borrows their structure directly.

THE CAUTIONARY TALE

PCI SSC

Five card brands hold a permanent Executive Committee that sits above the consensus process, and they separately run enforcement. That concentrates exactly the dominant-member power the literature and the CFPB warn against. BVSC seats no permanent founder committee above the vote, and walls certification off from standard-setting.

What the evidence recommends

REC 01

A balanced board, capped

Explicit interest categories, no category above roughly one-third of any decision body, two-year terms with a six-year cap, and consumer seats. If any category's effective control exceeds one-third in practice, restructure the allocation.

REC 02

Decouple fees from votes

Tiered dues, one organization one vote per category, free implementation. If community-bank voting share falls below a meaningful level, cut their fees further or add reserved seats.

REC 03

Royalty-free core IP

Reciprocal grant-back and a disclosure-and-exclusion procedure on the W3C model, with a FRAND fallback only for optional patent-encumbered modules.

REC 04

Open comment, published rationale

Mandatory comment periods and a published basis for conclusions, with members-only final votes.

REC 05

Standardize the stable layer

Freeze interfaces, security baselines, and risk taxonomies; leave product features open; version and sunset to preserve innovation.

REC 06

Pursue recognition early

Become the focal SSO to avoid fragmentation, and interoperate with adjacent bodies rather than overlap them.

REC 07

Ring-fence certification revenue

Keep certification governance and its revenue separate from standard-setting, so the body never has a financial stake in who passes. This is the single safeguard PCI lacks.

Open tensions, stated plainly

Innovation versus standardization

Standardizing too early can entrench inferior technology. BVSC's answer is to freeze only the stable layer and review on a published cycle, but where that line falls is a judgment call the board will have to keep making.

Strict IP is not automatically better

Chiao, Lerner and Tirole8 find that less-strict IP rules track higher standard quality. In interoperability the adoption gain from royalty-free usually wins, but BVSC should revisit the policy if patent-holding vendors decline to participate.

The regulatory anchor may shift

The CFPB's 1033 rule and its standard-setter recognition regime are under active litigation and reconsideration through 2025 and 20263. If formal recognition narrows, BVSC's fallback is voluntary alignment with interagency third-party-risk guidance, which is the OMB Circular A-119 route set out in Agency Pathways.

References

  1. Fiedler, Larrain & Prüfer (2023). Membership, governance, and lobbying in standard-setting organizations. Research Policy 52(6), 104761.
  2. ANSI. Essential Requirements: Due Process Criteria for American National Standards (no single interest category may dominate a consensus body).
  3. CFPB (2024–2025). Personal Financial Data Rights Rule (12 CFR Part 1033) and Industry Standard-Setting Rule; Decision and Order recognizing FDX, Jan. 8, 2025.
  4. Wiegmann, Eggers, de Vries & Blind (2022). Competing Standard-Setting Organizations: A Choice Experiment. Research Policy 51(2), 104427.
  5. Simcoe (2012; 2014). Standard Setting Committees, American Economic Review 102(1), 305–336; and Governing the Anticommons, Innovation Policy and the Economy 14, 99–128.
  6. Baron & Kanevskaia (2023). Wearing multiple hats: the role of working-group chairs' affiliation in standards development. Research Policy 52(9).
  7. Baron & Spulber (2018). Technology Standards and Standard Setting Organizations: Introduction to the Searle Center Database. J. Economics & Management Strategy 27(3), 462–503.
  8. Chiao, Lerner & Tirole (2007). The rules of standard-setting organizations: an empirical analysis. RAND J. Economics 38(4), 905–930.
  9. W3C (2004). W3C Patent Policy, 5 February 2004 (royalty-free).
  10. Botzem & Dobusch (2012). Standardization Cycles: A Process Perspective. Organization Studies 33(5–6), 737–762.
  11. Lerner & Tirole (2006). A Model of Forum Shopping. American Economic Review 96(4), 1091–1113.
  12. Bank Policy Institute. The CFPB's Section 1033 Rule Is Not an “Open Banking” Rule.
  13. Blind, Kenney, Leiponen & Simcoe (2023). Standards and innovation: a review and introduction to the special issue. Research Policy 52(8), 104830.
  14. Farrell & Saloner (1988). Coordination Through Committees and Markets. RAND J. Economics 19(2), 235–252.
Also consulted
  • Katz & Shapiro (1985); Rysman & Simcoe (2008); Bar & Leiponen (2014); Bekkers & Updegrove (2012); Baron, Contreras, Husovec & Larouche (2019); Blind, Petersen & Riillo (2017); Hovenkamp (2020).
  • Primary and organizational sources: FDX, MISMO, Nacha, PCI SSC, and ISO 20022 governance documents.

Precedent facts (PCI's executive committee, FDX recognition conditions, Nacha dues) are case evidence, not causal findings. The CFPB 1033 rule and its recognition regime are under active litigation and reconsideration as of 2025 to 2026, so the regulatory anchor may shift.

Interactive tool

Organization & Founding Slate Explorer

An interactive view of the proposed FDX-style organization and a recruitable slate of named candidates for every board and working-group seat. Tap any tier to expand its mandate; review the governance functions, standards calendar, and certification registry; filter the seats by layer, gettability, or search; and compare four models for how the federal banking agencies could be involved in standing the body up.

Candidate suggestions only. BVSC does not exist. Every individual named is a candidate based solely on public professional role and public standards or policy activity. No one named has any known affiliation with, knowledge of, or endorsement of BVSC. Titles change; re-verify before any use.
Banking Vendor Standards Council  ·  Organization Explorer

Structure & Founding Slate

An interactive view of the proposed FDX-style organization and its governance functions, a recruitable slate of named candidates for every board and working-group seat, and four models for how the federal banking agencies could be involved.

01

The Organization at a Glance

Six layers, mirroring the Financial Data Exchange: a governing board, an executive steering committee acting between board meetings, a lean full-time staff that runs the institution, two parallel oversight bodies, the domain working groups where the standard is built, and time-limited task forces. Tap any tier to expand its mandate.

02

Governance Functions

Structure is only half the institution. These are the recurring functions that keep the standard current and the certification trustworthy: the reporting structure at a glance, a published standards calendar with fixed review cycles, and a public certification registry with a defined record and lifecycle.

Reporting Structure

The same six layers as the Organization tab, drawn as a reporting tree. The board governs; the Executive Steering Committee acts between meetings; a lean staff runs the institution; two committees sit in parallel, with the Certification Oversight Committee firewalled off from standard-setting; the working groups build the standard; task forces handle cross-cutting work. The technical advisory panel and the four regulatory observers attend the board without a vote.

Board of Directors ≥12 voting · banks hold ≥50% · 2-year staggered terms Non-voting at the board Technical Advisory Panel (assessors) FDIC · Fed · OCC · CSBS observers Executive Steering Committee Acts between quarterly board meetings Full-Time Staff Runs the institution · ~8–12 roles at launch Standards Review Committee Technical coherence · version alignment Certification Oversight Cmte. Firewalled from standard-setting · QSAO accreditation · registry Domain Working Groups One per BTCF domain · dual-chaired Task Forces Time-limited · dissolve on delivery
Governing & steering Staff Standards line Certification firewall Where the standard is built
Where Certification Sits: Two Options

The certification function must never be controlled by the people who write the standard. There are two ways to guarantee that. The default rings it off inside BVSC; the alternative moves it out entirely into its own legal entity. The founding cohort chooses.

Option A · Default

Ring-fenced committee inside BVSC

Certification runs as the Certification Oversight Committee, a walled-off body within BVSC that owns QSAO accreditation and the registry, excludes anyone with a commercial interest in assessment outcomes, and clears every certification through central QA before it posts.

  • One institution to fund, staff, and pursue regulatory recognition.
  • Standard and certification share governance, so crosswalks and re-certification stay tightly in sync.
  • Independence rests on committee walls and conflict rules rather than on a separate corporate boundary.
Option B · Alternative

A separate certification entity

Certification spins out into its own organization, distinct from the standards body, on the model of a standards developer whose certification arm is a separately governed affiliate. BVSC writes the standard; the separate entity accredits assessors, issues certifications, and runs the registry under its own board.

  • Structural separation, not just procedural: the firewall is a corporate boundary a critic can see.
  • Insulates BVSC from the conflict and liability exposure of the pass/fail decision.
  • Costs more to stand up and requires an explicit coordination agreement to keep standard and certification aligned.
The Standards Calendar

Every part of the BTCF moves on a published schedule, so members, vendors, and examiners can plan against it. Reviews are staggered across domains so the whole framework never re-opens at once, and the board runs each cadence in the open.

Continuous
Living drafts

Working groups maintain working drafts, log issues, and stage proposed changes between formal cycles.

Annual
Errata & guidance

Minor clarifications, errata, and interpretive guidance publish once a year. Non-substantive fixes need no comment period; interpretive guidance carries a 30-day notice.

Every 2 years
Full domain review

Each domain gets a full review on a two-year cycle. Substantive changes require a minimum 60-day public comment period before the board adopts them.

Out of cycle
Triggered revision

A new rule, supervisory guidance, or a material incident can open an emergency revision: expedited 30-day comment, board ratification, then folded into the next regular cycle.

Every 3–5 years
Retrospective review

On the A-119 schedule, the board asks the harder questions: is the domain still needed, does it still map to current regulation, and should anything be retired.

Review Cohort A · odd years
  • Cybersecurity & Operational Resilience
  • AML/BSA Compliance Capability
  • Model Risk & Validation
  • Consumer Compliance Pass-Through
Review Cohort B · even years
  • Data Governance & Privacy
  • Financial & Operational Stability
  • Technical Interoperability / API
  • AI & Agentic-AI Governance (see note)

Domains split into two cohorts and review in alternating years, the same staggering principle as board terms, so the full framework never re-opens at once. The AI and Agentic-AI domain is sequenced last onto the roadmap by design, so an early standard does not lock in immature technology; once it enters, it runs on an accelerated annual review given how fast the technology and its supervision are moving.

The Certification Registry

The public, machine-readable record of who is certified, to what, by whom, and through when. It is the artifact an examiner or a bank's vendor-risk team actually checks, and the reason a certification can carry weight at the examination table.

Registry record · illustrative
VendorExample Core Systems, Inc.
Product / scopeDeposit & ledger platform
Domains certifiedCyber · Data Gov · Model Risk
TierIII · Critical
Assessing QSAOAccredited assessor firm
Issued / expires2026-Q3 / 2028-Q3
StatusActive
CrosswalkDORA · SOC 2 mapped
Integrity & cadence
  • Operated by the Certification Oversight Committee, walled off from standard-setting.
  • Every certification clears central BVSC QA review before it posts.
  • Re-certification tracks the standards calendar, so a vendor re-attests when its domains revise.
  • Published through a public API with no login wall, so banks and examiners can query it programmatically.
Active

Current and in good standing.

In Remediation

A finding is open; the vendor is under a corrective plan with a deadline. Shown publicly.

Suspended

Certification paused pending resolution of a material issue.

Expired

Lapsed; re-certification required to return to active.

Withdrawn

Ended voluntarily or for cause; kept in the public history.

Candidate suggestions only. BVSC does not exist. Every individual named is a candidate based solely on public professional role and public standards/policy activity — no one named has any known affiliation with, knowledge of, or endorsement of BVSC. Titles change; re-verify before any use, and have counsel and the individuals themselves vet any real outreach slate.

03

Seats & Candidates

Every board, working-group, and founding-vendor seat with named candidates where gettable people exist, and archetype profiles where naming a real person would be speculative. Filter by layer or gettability, or search by name, role, or domain.

Layer
Gettable
04

Federal Agency Pathways

There is no single way for the banking agencies to be involved in standing up BVSC. Four distinct models trade regulatory credibility against legal and political cost. Select a path to see how setup, hand-off, and the agencies' steady-state role differ, then compare all four at the bottom.

Two things frame all four paths. First, no banking-specific program yet lets the FDIC, OCC, or Fed formally rely on a private certification. Second, a government-wide framework for exactly this kind of reliance has existed since 1996: the National Technology Transfer and Advancement Act and OMB Circular A-119, which Path 4 is built on. The CFPB's 2024 Section 1033 regime, which recognized FDX in January 2025, shows a banking-adjacent regulator operationalizing the same idea. Across all of them, conformance is evidence of compliance, not a safe harbor.

·

Side by Side

DimensionPath 1 · Convene & Hand OffPath 2 · Agency-Run SubsidiaryPath 3 · Criteria & Step BackPath 4 · Voluntary Consensus (A-119)
Who leads setupAgencies convene, then exit controlInteragency / federally chartered parentIndustry, building to published criteriaIndustry, building to A-119 attributes
Long-term ownerIndependent industry 501(c)(6)Government / interagency parentIndependent industry 501(c)(6)Independent industry 501(c)(6)
Agencies' end roleStanding advisory council (non-voting)Parent and controllerAdvisory observer, or hands-offStatutory participant; may sit on board, incorporate by reference
Legal vehicleConvened, then spun outControlled subsidiary (MISMO / MBA model)Independent body meeting agency criteriaVCS body under the NTTAA / A-119 (existing framework)
FundingIndustry dues & certification feesParent-supplied plus feesIndustry dues & certification feesIndustry dues & fees; agencies may support
Recognition strengthStrongStrongest (approaches regulation)Conditional / criteria-basedEstablished / statutory framework
Capture riskBalancedHigh (government)LowLow
Speed to stand upModerateSlow; likely needs rulemakingIndustry-paced; recognition slowModerate; the framework already exists
Live U.S. precedentNIST convene-and-hand-off (Cybersecurity Framework)MISMO under the MBACFPB 1033 / FDX recognitionFederal reliance on ASTM, ANSI, NFPA; NIST conformity assessment
05

Recruitment Strategy & Sequencing

Who to approach first to build momentum, and how to keep the founding slate defensible against the "industry capture" critique.

Anchor neutrality first; recruit the proven standards-builders next; land one anchor vendor per category for signaling; fill technical leads from the FDX, CFES, NACHA, and Shared Assessments alumni pool who self-select for consensus work.

Banking Vendor Standards Council — Organization & Founding Slate Explorer. A discussion draft built from BVSC Working Paper No. 3, the founding recruitment research, a benchmarking review of MISMO, FDX, the CFPB 1033 regime, and peer standard-setting bodies, and OMB Circular A-119. Named individuals are candidate suggestions based on public roles only and have no affiliation with or knowledge of BVSC. Re-verify all titles; have counsel vet any outreach.

Interactive tool

The Certification Question

Forty-five public comment letters answered the FDIC's 2020 request for information on a standard-setting organization and voluntary certification program for fintech models and third-party providers. Nearly all of them turned on a single word: reliance. Explore the fault line, the nine-theme matrix, the full roster, and every commenter profile.

FDIC Docket RIN 3064-ZA18 Comment Period Closed 22 Sep 2020

The Certification Question

Forty-five public comment letters answered the FDIC's request for information on a standard-setting organization and voluntary certification program for fintech models and third-party providers. Nearly all of them turned on a single word: reliance.

45 comment letters 6 staff-disclosure logs 9 recurring themes 0 rules ever issued RFI published 24 Jul 2020
What the docket decided

One question split the room

The FDIC asked whether a public-private body should set standards and certify the models and vendors banks use. Industry largely said yes, but only if a certification means something at the examination table. Consumer advocates and academics said that is precisely the problem.

FINDING 01

Conditional support was the industry norm

Trade groups, fintechs, card networks, and standards bodies welcomed the concept, but tied approval to a regulatory reliance mechanism, all banking agencies participating, and protection against cost, capture, and duplication.

FINDING 02

The safe harbor was the whole argument

A certification is worthless to a bank unless an examiner will accept it in place of independent due diligence. That reliance question is the hinge on which every other position turns.

FINDING 03

Advocates called the same mechanism a shield

AFR, NCLC, and Professor Odinet argued an industry-led body would let banks deflect fair-lending liability by pointing to a third-party stamp, and urged the FDIC to build its own expertise and rely on NIST.

The safe-harbor fault line Should certification = supervisory reliance?
▲ Reliance should attach
"Let banks rely on certification in place of their own due diligence, and let examiners honor it."
▼ Reliance is the danger
"A purchased stamp becomes a liability shield and an abdication of the FDIC's own supervisory duty."
◇ The unexpected common ground

Both camps distrust a purely industry-run body. Industry wanted every federal banking agency and the CFPB as active contributors. Opponents wanted the FDIC to develop in-house technical capacity rather than outsource it. Each side, for opposite reasons, argued the regulator must not stand back.

Tap any organization chip above, or open 02 · Theme Matrix to read every position in detail.

Positions by theme

The theme matrix

Each cell is a recorded position. Tap a cell for the detail, the source, and how firmly it is sourced. Tap an organization name for its full profile. Columns are the nine recurring themes; hover a column head for its full name.

F Supports / advocates C Conditional O Opposes ! Raises as concern · Addresses technically

Source confidence: full text read   partial / mirror   indexed, position provisional

Every letter in the docket

The full roster

All 45 comment letters as indexed by the FDIC (citation 7085), c-001 through c-045. Click a column head to sort. Names and IDs are confirmed against the official index; provisional positions are flagged.

ID Commenter Type Position Safe harbor Source

Staff-disclosure logs (not comment letters)

Six meetings between FDIC staff and outside parties were logged in the same docket. They are records of contact, not public comments, and are listed separately here.

  1. Federal Reserve Board / Reserve Bank staff
  2. Fidelity National Information Services (FIS)
  3. Accredited Standards Committee X9
  4. American Bankers Association
  5. Amount, Inc. (with attachment)
  6. Alliance for Innovative Regulation
The major commenters

Commenter profiles

The fully and partially sourced letters, with concepts, recommendations, position, and concerns. Lighter-sourced letters appear in the roster and matrix but are not profiled here.

Provenance and limits

Sources & caveats

The docket is fully public. This tool is built from the FDIC's official index and from the comment PDFs and authoritative mirrors that were readable at the time of research. Read the caveats before quoting any position as verbatim.

Where the docket lives

The complete index is the FDIC Federal Register Citations page, citation 7085. Individual letters follow two URL patterns, both on fdic.gov: the /resources/regulations/federal-register-publications/2020/ path and the /system/files/2024-06/ path, each ending in 2020-request-for-info-standard-setting-3064-za18-c-0XX.pdf.

Caveats

NCLC (c-041) full text was not independently retrieved. Every FDIC URL variant for this PDF was blocked by bot detection and no accessible mirror was found. The docket entry and authorship (Lauren Saunders, Rebecca Borne) are confirmed from the index, and the AFR/DPEF letter expressly aligns with NCLC's positions. The specific positions attributed to NCLC are inferred from adjacent NCLC filings and that cross-reference, not quoted from c-041. Verify against the primary PDF before presenting any NCLC quote.
About 21 letters are thinly sourced. Their existence, exact names, and c-numbers are solid from the official index. Their position labels are inferred from search snippets and letter type, not full-text review, and are marked provisional with a grey source dot. Treat those rows as a working hypothesis pending direct PDF review.
The RFI was exploratory, not a rulemaking. It stated the FDIC was not considering substantive revisions to existing model-risk or third-party guidance. No SSO or certification program was ever created; the thread was overtaken by the 2021 Interagency Guidance on Third-Party Relationships (RIN 3064-ZA26). Read industry "support" as support for further exploration under stated conditions, not endorsement of a built program.
Two entries are not substantive comments. c-001 (Antoine Delerme) is a one-line inquiry asking to join the program. c-044 (Robert E. Rutkowski) is an individual submission whose content was not retrieved.

Primary sources cited

bankregbro · research instrument FDIC RIN 3064-ZA18 · SSO & voluntary certification RFI, 2020 positions verified against primary sources; provisional rows flagged
Certification registry & concentration map

What a registry lets supervisors see

A certification registry is more than a vendor convenience. The moment you record which banks rely on which certified vendors, and which vendors rely on the same fourth parties, the registry becomes a supervisory map. It surfaces the concentration that no single bank, and no single certification, can see from the inside. The view below is interactive: select any institution, vendor, or fourth party to trace its dependencies.

Illustrative and synthetic. BVSC is a proposed body and does not yet certify anyone. The institutions, vendors, and fourth parties shown here are fictional, built to demonstrate the supervisory value of the registry-as-map. No real certification, relationship, or concentration is depicted.
Bank Certified vendor In remediation Expired Uncertified Fourth party
Trace a dependency
Registry map

Hover or tap any node to highlight its dependency path. Banks show their full vendor stack and the fourth parties beneath it; a fourth party shows its blast radius across separately certified vendors.

What the map tells a supervisor

The registry

Vendor / productTierDomains certifiedQSAOStatusExpiresBanks

The supervisory point, in one line: vendor-by-vendor certification answers "is this provider sound," but only the registry-as-map answers "what happens to the system if this one node fails." That second question is the one a certified, separately sound set of vendors can still hide, when they all rest on the same fourth party. This is the case for treating the registry as examination infrastructure, alongside interagency third-party risk guidance and bank-service-company examination authority.

Prospective implementation timeline

From formation to the final module

A hypothetical build sequence for BVSC across five parallel workstreams, playable under three scenarios: a baseline, a tailwind where regulatory engagement accelerates recognition and the AI field settles sooner, and a headwind where the comment period forces a re-ballot and recognition stalls. In every scenario the ordering holds: mature, well-precedented domains first, certification and recognition in the middle, and the AI and agentic-AI module last by design. Drag the NOW marker, or press play, to read the state of the council at any quarter. Toggle dependencies to see what feeds what, and the critical path to see the chain that actually gates recognition.

Prospective and illustrative. Dates are a planning hypothesis, not a commitment, and the scenario shifts are stylized. Sequencing, not the calendar, is the point.

Breaking the cold start

The registry is a two-sided market and it opens empty. Vendors will not pay for a certificate no bank credits, and banks will not credit a certificate no vendor holds. PCI never faced this problem, because the card networks could compel merchant participation from day one. BVSC has no compulsion lever, so the sequence on this chart is built to manufacture its own demand, in three moves that must land in order.

MOVE 01

Charter reciprocity, signed first

Founding member banks execute the mutual-recognition commitment at formation, contingent on adoption of the standard. The demand side exists on paper before the first assessment is scoped, so an anchor vendor is certifying into a known market, not a hypothesis.

MOVE 02

Anchor vendors, one per category

A first cohort across core, payments, cloud, and AI certifies on a founding-cohort fee schedule. For a provider answering hundreds of idiosyncratic questionnaires a year, the certificate becomes a sales asset the day the charter banks credit it, and each anchor pulls its category's competitors in behind it.

MOVE 03

Examiners in the room from day one

Regulator observers sit in governance from formation, so the recognition work runs in parallel with the standard rather than after it. The tipping event is the first examiner reference to the registry, not the thousandth certificate.

This is also why recognition sits mid-sequence on the chart below and the AI module sits last: the flywheel needs supervisory weight early and technical finality late.

Read the plan
Implementation timeline

Hover or tap any bar or milestone for its window, phase, and dependency. Drag the NOW marker to compute the state of the council at that quarter.

Illustrative instrument

Bylaws of the Banking Vendor Standards Council, Inc.

A Delaware nonstock, nonprofit corporation  ·  Intended 501(c)(6) business league  ·  Mock draft for discussion
Mock

These are illustrative bylaws, not an adopted instrument. They translate the governance concepts elsewhere in this dossier, a bank-majority board, two-thirds adoption, the three voting blocs, the two leadership models, the six operating layers, the certification firewall, and the dues and fee structure, into the form a founding cohort's counsel would use as a starting draft. Bracketed items and thresholds are placeholders. Nothing here is legal advice.

Recital. The undersigned, being the initial directors of Banking Vendor Standards Council, Inc., adopt the following Bylaws to govern the affairs of the Council in furtherance of its exempt purpose.

Article IName, Purpose, and Offices

1.1Name. The name of the corporation is Banking Vendor Standards Council, Inc. (the “Council” or “BVSC”).

1.2Legal form. The Council is a nonstock, nonprofit corporation organized under the General Corporation Law of the State of Delaware and intended to qualify as a business league exempt from federal income tax under Section 501(c)(6) of the Internal Revenue Code.

1.3Purpose. The Council is organized to serve the common business interest of the banking industry and its technology providers, and in particular to:

  1. develop, maintain, and publish the Banking Technology Compliance Framework (the “BTCF”) as a voluntary consensus standard;
  2. operate a voluntary certification program and a public registry of certified parties;
  3. accredit independent assessors to evaluate conformance with the BTCF;
  4. convene banks, technology service providers, independent experts, and observing regulators on balanced terms; and
  5. advance the safety, soundness, resilience, and interoperability of bank technology.

The Council pursues these purposes to promote competition and efficiency, and not to restrain trade or exclude any qualified participant.

1.4Offices. The Council shall maintain a registered office in the State of Delaware and a principal office in Washington, D.C., and may maintain such other offices as the Board of Directors determines.

Article IIMembership

2.1Eligibility. Membership is open, on reasonable and non-discriminatory terms, to any organization with a bona fide interest in the Council's purpose.

2.2Categories and dues. The Council has four membership categories, with illustrative annual dues scaled by size:

  1. Founders, open to global systemically important banks and leading technology platform providers, [$50,000];
  2. General, open to mid-tier banks and Series C and later technology service providers, [$15,000];
  3. Associate, open to community banks and seed or Series A technology service providers, [$3,000]; and
  4. Affiliate, open to regulators, academics, and law firms, [$1,000], advisory and non-voting.

2.3Voting blocs. Each voting member is assigned to exactly one bloc, Bank, Independent, or Technology Service Provider, based on its primary business. Bloc assignment governs apportionment of the Board and quorum, and is determined by the Board on admission and reviewed on renewal.

2.4One member, one vote. At any meeting of the members, and within any bloc, each member organization has a single vote regardless of size or dues paid. No member may enlarge its influence by sending additional representatives.

2.5Rights by category. Working-group participation, registry access, eligibility to stand for the Board, and similar privileges attach to category as set out in a schedule maintained by the Board, provided that governance influence is never a function of dues.

2.6Dues and fees. Dues are set annually by the Board and scaled by size. The Council is further funded by certification registration fees, annual license renewals, assessment fees, and education. The BTCF is free to implement; fees fund the Council's operations, not access to the standard.

2.7Admission, resignation, and removal. The Board admits members and may suspend or expel a member for cause, including non-payment or conduct inconsistent with the Council's antitrust and conduct policies, after notice and an opportunity to be heard. No member holds any equity, property, or distributive interest in the Council.

Article IIIBoard of Directors

3.1Authority. The Board of Directors is the governing body of the Council; all corporate powers are exercised by or under the authority of the Board.

3.2Bank majority. Banks shall hold not fewer than fifty percent (50%) of the voting seats of the Board at all times, and not fewer than fifty percent of the seats of any committee exercising Board authority. This Section is an entrenched provision under Section 12.2.

3.3Composition and floor. The Board shall have no fewer than twelve (12) voting directors, apportioned by bloc as a minimum of six (6) Bank directors, three (3) Independent directors, and three (3) Technology Service Provider directors. The Board may add seats in any bloc, provided the Bank bloc remains at least fifty percent and adoption of a standard continues to require the supermajority in Section 3.9.

3.4Bank tiering. The Bank directors shall be apportioned across six asset tiers, each guaranteed at least one seat: $500M to $2B; $2B to $10B; $10B to $30B; $30B to $100B; $100B to $500B; and global systemically important banks. Seats added above the floor shall favor the smaller tiers.

3.5Non-voting participants. The Technical Advisory Panel of accredited assessors shall designate non-voting representatives to advise the Board, and the Council shall invite the FDIC, the Federal Reserve, the OCC, and CSBS to attend every layer of the Council as non-voting observers.

3.6Terms. Directors serve two-year terms, staggered so that approximately half of the Board is elected each year. Term limits, if any, are set by the Board.

3.7Vacancies, resignation, and removal. Vacancies are filled within the affected bloc for the remainder of the term. A director may resign on written notice, and may be removed for cause by a two-thirds vote of the other directors then in office.

3.8Quorum. A quorum is a majority of the directors then in office, provided that the directors present include Bank-bloc directors sufficient to preserve the bank majority under Section 3.2.

3.9Voting; Reserved Matters. Except where a supermajority is required, the Board acts by majority of directors present and voting. A two-thirds (2/3) vote of directors present and voting is required to adopt, revise, or withdraw a standard, to approve the annual budget, to change certification policy, to establish or separate the certification entity under Section 5.4, and for such other matters as these Bylaws designate (“Reserved Matters”).

3.10Meetings and action. The Board meets at least quarterly. Directors may participate by electronic means, and the Board may act without a meeting by unanimous written consent.

Article IVBoard Leadership and Officers

4.1Leadership model. The Board shall, by resolution, adopt one of two leadership models and record its choice in a schedule to these Bylaws:

  1. Model A, Co-Chairs. Two Co-Chairs share the chair, one drawn from the Bank bloc and one from the Independent bloc, so that neither commercial constituency leads alone; or
  2. Model B, Chair and Vice-Chair. A Chair drawn from the Bank bloc and a Vice-Chair drawn from the Technology Service Provider bloc, checked by the supermajority required for Reserved Matters.

4.2Officers. The officers of the Council are the presiding officer or officers under Section 4.1, a Secretary, and a Treasurer, together with such other officers as the Board appoints. Officers disclose their affiliations and recuse from matters in which they hold a conflict.

4.3Managing Director. The Board shall appoint a Managing Director to serve as chief executive of the Council, responsible for day-to-day management and for the professional staff. The Managing Director serves at the pleasure of the Board and does not vote.

4.4Terms and removal. Officers serve one-year terms and may be removed by the Board. Vacancies are filled by the Board for the unexpired term.

Article VCommittees

5.1Executive Steering Committee. The Executive Steering Committee acts for the Board between meetings on operational matters. Reserved Matters remain with the full Board, and any two directors or any bloc minority may escalate a committee decision to the full Board.

5.2Standards Review Committee. The Standards Review Committee maintains the technical coherence and versioning of the BTCF, owns the published standards calendar, and recommends standards to the Board for adoption.

5.3Certification Oversight Committee. The Certification Oversight Committee is independent of standard-setting and oversees assessor accreditation, the registry, and certification decisions. No person with a commercial interest in a certification outcome may vote on that outcome. The persons who write the standard do not control who passes it.

5.4Separation option. The Board may, by a two-thirds vote, establish the certification function as a separately governed affiliated entity operating under a coordination agreement, provided the independence protections of this Article and Article VII are preserved.

5.5Domain Working Groups. The Council maintains one working group per coverage domain, each dual-chaired by a Bank and a Technology Service Provider technical lead, open to member volunteers on balanced terms and attended by regulator observers. The working groups develop the standard.

5.6Task Forces. The Board or a committee may charter time-limited task forces with a defined deliverable and a sunset date, dissolved on delivery.

5.7Standing committees. The Board maintains a Nominating and Governance Committee and an Audit and Finance Committee, and may create others.

5.8Committee balance. No committee exercising Board authority may have a Bank share below fifty percent, consistent with Section 3.2.

Article VIStandards Development

6.1Consensus principles. The Council develops standards under principles of openness, balance of interests, due process, transparency, and a right of appeal.

6.2Development pipeline. A working group prepares a draft; the draft is published for public comment; the Standards Review Committee reviews comments and recommends a final text; and the Board adopts the standard by the two-thirds vote required for Reserved Matters.

6.3Review and versioning. Each standard is reviewed on the schedule set by the standards calendar and versioned on adoption. Fast-moving domains, including artificial intelligence, may be placed on an accelerated review cycle.

6.4Appeals. Any materially and directly affected party may appeal a procedural defect in the development of a standard to the Board, whose decision is final.

Article VIICertification and Registry

7.1Program. The Council operates a voluntary, tiered certification program measuring conformance with the BTCF, administered under the Certification Oversight Committee and delivered by accredited independent assessors.

7.2Foundational capability gate. Before any control is tested, the assessment determines whether the applicant has the requisite expertise and experience in its board and leadership team to deliver what it claims. An applicant that does not clear the gate does not proceed to control testing.

7.3Fees. Certification is funded by registration fees and annual license renewals. These fees fund assessment and registry operations and do not purchase access to the standard, which remains royalty-free.

7.4Registry. The Council maintains a public registry recording each certified party, the scope and tier of its certification, and its status. Certifications may be suspended or revoked for cause after notice and an opportunity to cure.

7.5Marks. Use of the Council's certification marks is licensed and conditioned on maintaining certification in good standing.

Article VIIIAntitrust and Intellectual Property

8.1Antitrust compliance. The Council operates for a documented pro-competitive purpose. Members shall not use the Council to agree on prices, output, customers, or other competitively sensitive terms. Counsel attends deliberations on standards and certification policy, and minutes are kept.

8.2Open participation and FRAND. Participation is open on reasonable and non-discriminatory terms. A holder of a patent essential to a standard commits to license it on fair, reasonable, and non-discriminatory terms.

8.3Royalty-free standard. The BTCF is published royalty-free. Copyright in the standard vests in the Council, which licenses it broadly to promote adoption.

8.4Sensitive information. Members shall not exchange competitively sensitive, non-public information through the Council.

Article IXMeetings of Members

9.1Annual meeting. The members meet annually to elect directors within their blocs and to receive reports of the Council.

9.2Special meetings. Special meetings may be called by the presiding officer, the Board, or on the written request of members holding [ten percent] of the votes.

9.3Notice. Written notice of each meeting is given not fewer than [fourteen] days in advance.

9.4Quorum. A quorum for a meeting of members is [one-third] of the voting members, present in person or electronically.

9.5Voting. Each voting member has one vote, cast within its bloc. Voting by proxy and by electronic ballot is permitted as the Board provides.

Article XFinances

10.1Fiscal year. The fiscal year of the Council is the calendar year, unless the Board provides otherwise.

10.2Revenue. The Council is funded by membership dues, certification registration fees, annual license renewals, assessment fees, education, and grants. No part of the net earnings of the Council inures to the benefit of any member, director, or officer.

10.3Budget. The annual budget is approved by a two-thirds vote of the Board as a Reserved Matter.

10.4Audit. The Council obtains an annual independent audit, reported to the members.

10.5No member equity. Members have no ownership or distributive interest in the assets of the Council.

Article XIConflicts of Interest and Indemnification

11.1Conflicts of interest. Directors and officers disclose actual and apparent conflicts and recuse from the affected matter. In their Council role, directors act in furtherance of the Council's mission rather than the narrow interest of any member or employer.

11.2Indemnification. The Council indemnifies its directors and officers to the fullest extent permitted by Delaware law and may maintain directors' and officers' liability insurance.

Article XIIAmendments and Entrenched Provisions

12.1General amendments. Except as provided in Section 12.2, these Bylaws may be amended by a two-thirds vote of the directors then in office.

12.2Entrenched provisions. The following may be amended only by a three-quarters (3/4) vote of the directors then in office and a majority of each voting bloc:

  1. the requirement that Banks hold at least fifty percent of the voting seats (Section 3.2);
  2. the independence and firewall of the certification function (Article V and Article VII); and
  3. this Section 12.2.
Why entrench

The bank majority and the certification firewall are the two commitments that make the Council credible to the institutions that rely on it and to the providers it assesses. Entrenching them prevents a transient majority from quietly unwinding either.

12.3Tax status. No amendment may cause the Council to fail to qualify under Section 501(c)(6) of the Internal Revenue Code.

Article XIIIDissolution

13.1Distribution on dissolution. On dissolution, and after payment or provision for the Council's liabilities, the remaining assets shall be distributed to one or more organizations then qualifying under Section 501(c)(6) or 501(c)(3) of the Internal Revenue Code with a compatible mission, or to a successor standards body, as the Board directs. No assets shall be distributed to any member, director, or officer.

Adopted by the Board of Directors of Banking Vendor Standards Council, Inc. on [        ], effective immediately. These Bylaws supersede any prior bylaws of the Council.

Presiding officer (Chair or Co-Chairs) · Section 4.1
Secretary
↑ Back to articles