A proposed non-profit, multi-stakeholder body that develops uniform banking-specific compliance standards for technology vendors, administers a tiered certification, maintains a public registry, and pursues regulatory recognition. A universal passport in place of hundreds of duplicative questionnaires.
1 founding white paper3 working papers2 interactive tools8 framework domains
Five core functionstap a frame to explorenavigate the dossier below
The case, in brief
A broken due-diligence system
American banks depend on outside technology providers more deeply than at any point in their history. The system for evaluating those providers has not kept pace. It is fragmented, duplicative, and structurally unable to surface the concentrated risk a shared vendor creates across hundreds of institutions at once.
30%
of breaches in 2024 involved a third party, double the prior year
Verizon DBIR 2025
$6.08M
average financial-services breach cost in 2025, well above the cross-industry mean
IBM Cost of a Data Breach 2025
74+
U.S. institutions hit by a single vendor breach in 2025, up to 1.35M individuals exposed
Marquis incident filings
The arithmetic of duplication
The core inefficiency is multiplicative. Every bank assesses every material vendor on its own, so the system performs roughly banks times vendors assessments per cycle, most of them redundant reviews of the same controls at the same providers. Certification makes the problem additive: each vendor is assessed once against the BTCF by an accredited firm, and every bank consults the registry. Toggle the two states below. The drawn network is a sample; the arithmetic is the point.
One picture · two regimes
20
Assessments per cycle · today
0banks × vendors
Assessments per cycle · with BVSC
0one per vendor + 0 registry consultations
At national scale the collapse is starker. Roughly 4,400 insured institutions against a certified universe of 200 material vendors implies on the order of 880,000 bank-side assessments per cycle today, against 200 certifications plus registry consultations that take minutes, not months. Dashed lines are consultations of the public registry, not assessments.
Six structural failures
FAILURE 01
No uniform baseline
SOC 2, ISO 27001, and PCI DSS address general IT controls, not BSA/AML passthrough, model-risk governance, or FFIEC examination expectations. A bank cannot rely on them to satisfy interagency TPRM guidance.
FAILURE 02
Duplicative burden
One core processor answers hundreds of idiosyncratic questionnaires a year. No mechanism lets a bank formally accept an external certification in lieu of its own assessment.
FAILURE 03
Community banks disadvantaged
Large institutions staff dedicated vendor-risk teams. Community banks rely on the same high-risk vendors without equivalent resources, an inequity embedded in the dual banking system.
FAILURE 04
Provider onboarding lag
A different complex assessment at every bank creates an onboarding lag that can threaten a smaller technology service provider's viability before revenue begins.
FAILURE 05
Invisible concentration
When one provider serves hundreds of banks, a single failure is systemic. No domestic framework flags this at the vendor level until it detonates.
FAILURE 06
Emerging categories unaddressed
AI underwriting, BNPL, stablecoin infrastructure, and agentic tools present risks legacy frameworks and the 2026 model-risk guidance were not designed to evaluate.
Marquis is not an outlier. It is the pattern.
A single vendor failure cascading across many institutions is a recurring structural event, not a freak occurrence. Four incidents span three years and three sectors. None was preventable by any one customer acting alone.
MOVEitBanking, direct · May–Oct 2023
60+ U.S. banks · 2,700+ orgs worldwide
Most affected banks never ran MOVEit. They were breached through a tech partner, or a partner's subcontractor, three and four parties deep.No bank can audit its way to safety when the vulnerable code sits four vendors downstream.
ICBC FSSystemic infrastructure · Nov 2023
U.S. Treasury clearing disrupted
A ransomware attack on one bank's U.S. arm severed its Treasury-clearing connection, forcing settlement onto a USB stick carried through Manhattan. The entry point was a single unpatched vendor appliance.One vendor's unpatched server became a stress test for the world's deepest sovereign-debt market.
MarquisBanking, direct · Aug 2025
74+ institutions · up to 1.35M individuals
A vendor serving community banks and credit unions was breached, exposing SSNs, TINs, and account-level data. The affected institutions were the constituency least able to conduct deep independent diligence.The institutions least able to vet a shared vendor are the ones most exposed when it fails.
CDK GlobalAdjacent, a preview · Jun 2024
~15,000 dealerships · $1B+ in three weeks
Not a bank vendor, but the structure is identical: one provider, an entire industry's operations, an always-on integration path.Substitute "core processor" for "dealer-management system" and the banking scenario writes itself.
Why this moment
DORA
Critical providers designated
On 18 November 2025 the European Supervisory Authorities published the first list of 19 designated Critical ICT Third-Party Providers. A U.S. processor serving European banks complies; the same provider serving 5,000 U.S. community banks faces no equivalent obligation.
AI CARVE-OUT
The model-risk vacuum
The April 2026 interagency Model Risk guidance rescinded SR 11-7 and stated that generative and agentic AI are not within its scope, inviting a future RFI. No domestic framework governs vendor-deployed AI in banking. BVSC claims and monitors the domain from the outset, then sequences the binding standard last, by design, so it sets the baseline once the field has settled rather than freezing it early.
DEREGULATION
A tailwind, not a headwind
As agencies step back from granular third-party oversight, they create the vacuum a credible industry-government standard is designed to fill. A standard co-built with regulators is how the system stays safe while the prescriptive touch lightens.
The argument in five steps
The market has failed
No body sets banking-specific compliance standards for technology vendors, issues a certification banks can credit against interagency guidance, or makes concentrated vendor risk visible before it detonates. The recent cascades are the pattern, not the anomaly.
The moment is right
DORA has begun designating critical ICT providers for direct oversight, while the 2026 U.S. model-risk guidance explicitly carved AI out of scope. There is regulatory air cover for an industry-developed standard to lead.
The model is proven, and so is its ceiling
PCI SSC, FFIEC, the CSBS Nationwide Cooperative Agreement, IEEE SA, and NACHA each solved an analogous problem. CFES proves the live demand for this body and the ceiling a purely private one hits: with no regulator at the table, it can only produce an advisory report, never a credential carrying supervisory weight.
The design is honest
Certification is a baseline, not a discharge of bank responsibility, the posture both U.S. and EU supervisors already expect. Reciprocity without examiner credit is explicitly a partial solution, so the regulatory-engagement work is load-bearing and treated as such.
The objections have shaped the structure
Antitrust safeguards, state-regulator representation, a committed AI and agentic-AI module sequenced after the mature domains, cross-jurisdictional mapping, and a published residual-limitations list are not afterthoughts. They are responses to the sharpest objections, built in from the outset.
The cost of inaction is not the absence of a standard. It is the continuation of a fragmented system in which systemic vendor risk remains invisible to regulators, duplicative diligence consumes bank resources, and community banks bear disproportionate exposure to risks they cannot independently assess.
BVSC Founding Rationale
What BVSC is, and how it governs itself
The Council
A non-profit, membership-funded, industry-governed standard-setting organization, structured as a 501(c)(6) trade association, incorporated in Delaware with operating presence in Washington, D.C. It is legally independent from any government agency, bank, or technology company, and functions as the governance layer where existing payment, messaging, architecture, and data standards meet bank risk-management obligations.
Five core functions
FUNCTION 01
Publish uniform standards
Develop and maintain the Banking Technology Compliance Framework, built on FFIEC, NIST CSF 2.0, and interagency TPRM guidance, with modules legacy frameworks omit: model-risk governance, AI and agentic-AI transparency, AML passthrough, and consumer-compliance pass-through.
FUNCTION 02
Issue the universal passport
Administer a tiered certification through which vendors are assessed by accredited independent audit firms and issued a publicly searchable certificate member banks credit as a due-diligence baseline.
FUNCTION 03
Maintain a public registry
A searchable registry showing certification tier, scope, last review date, and material conditions, consulted before independent diligence and referenceable by examiners.
FUNCTION 04
Accredit assessment firms
Certify and oversee a network of Qualified Security Assessment Organizations, mirroring the PCI SSC's QSA model and firewalled from standard-setting.
FUNCTION 05
Pursue regulatory recognition
Engage the FFIEC member agencies, FinCEN, and state banking departments to negotiate examiner reference to BVSC certification. This is the load-bearing element of the entire thesis, and the single most important execution risk.
Board composition
The board draws on the IEEE SA one-entity-one-vote principle, with one structural anchor: banks hold at least half of every decision-making body, in all circumstances. The institutions that carry the risk, answer to examiners, and rely on the certification hold the majority of seats. But adoption requires a two-thirds supermajority, so a bank majority cannot impose a standard on the technology service providers it assesses without cross-bloc support, and the non-bank blocs together retain a collective check. The illustrative floor below is twelve voting directors: six banks, three independents, and three technology service providers.
≥6 voting
Bankers
Large, regional, and community-bank representation across every asset tier, including the ABA and ICBA. A structural majority: never fewer than half the board.
3 voting
Independents
Technologists, academics, and former bank supervisors with no commercial stake in certification outcomes. The neutral ballast, and the channel through which supervisory judgment enters the vote.
3 voting
Technology service providers
The constituency assessed against the standard, held as a structural minority so no standard passes on the votes of the regulated alone.
Non-voting: a technical advisory panel of accredited assessors informs the board on assessment practice without voting on the standard they apply, and four regulatory observers, the FDIC, Federal Reserve, OCC, and CSBS, attend every layer without a vote. Current supervisors observe rather than vote on a private standard; former supervisors among the independents carry that judgment into the ballot.
Board leadership: two models
Who holds the gavel shapes agenda control, and the evidence base shows chair affiliation measurably influences outcomes. Two models are on the table. The founding cohort chooses one in the bylaws.
Model A · Co-chairs
Neutral shared gavel
Two co-chairs share the chair. The non-bank chair is seated from the independents, so neither a commercial bank nor a commercial provider leads alone and the gavel stays with a neutral party.
Co-chairBank bloc
Co-chairIndependent bloc · neutral
Model B · Chair & vice-chair
Bank chair, provider vice-chair
A single chair drawn from the bank bloc, paired with a vice-chair drawn from the technology service providers. Leadership sits with the two commercial constituencies that build and rely on the standard, checked by the two-thirds adoption rule and the independents' balance-of-power vote.
ChairBank bloc
Vice-chairTechnology service provider bloc
Test the balance yourself
The strongest finding in the standards literature is also the simplest: a body fails the moment one constituency can quietly dominate it. BVSC's answer is a bank majority paired with a supermajority adoption rule. Adjust the seat counts and watch what the arithmetic guarantees, and what it forbids. Banks cannot be dragged below half, by design.
Balance simulator · illustrative
50% · bank majority floor
How to read it. The minus button on Banks is disabled once the bank bloc sits at exactly half the board; the floor is enforced, not merely checked. Adoption needs two-thirds of the seated board, so banks at 50% still need at least one other bloc to carry a standard, while the non-bank blocs together can always muster the votes to block one.
A majority, tiered across every bank size
A bank majority means little if it speaks with one voice. The community bank on a shared core and the G-SIB running its own vendor-risk shop face the same providers with wildly different resources, so the bank seats are apportioned across six FDIC-style asset tiers, each guaranteed at least one seat. The floor below seats one director per tier; as the bank bloc expands above the floor, added seats tilt toward the smaller institutions that carry the most concentrated shared-vendor exposure with the least capacity to assess it alone.
Bank-bloc seats by asset tier · illustrative
Every tier is represented. No asset band is spoken for by another; a $900M community bank and a G-SIB each hold their own seat at the floor. Allocation is a founding-cohort decision, shown here as an illustrative floor of one seat per tier, not a fixed rule.
Membership tiers
Tier
Eligibility
Annual dues
Governance rights
Founders
G-SIBs and leading technology platform providers
$50,000
Permanent board-seat eligibility; veto on technical-roadmap milestones; working-group co-chair access
General
Mid-tier banks and Series C+ technology service providers
$15,000
Full voting on working-group outputs; board-election eligible; full registry access
Associate
Community banks and seed / Series A technology service providers
$3,000
Working-group participation; standard templates; advisory input on drafts
Affiliate
Regulators, academics, law firms
$1,000
Advisory status; research and bulletins; no voting rights
Antitrust safeguards
FRAND commitment
Early disclosure of essential patents and binding fair, reasonable, and non-discriminatory licensing, enforced by the independent board.
Pro-competitive purpose
Every collaborative activity memorializes a rationale; pricing, output, and market-division topics are prohibited in all forums.
Open participation
Any entity with relevant expertise may contribute; no Founder may block a competitor's participation.
Royalty-free standard
The BTCF is published royalty-free; certification registration fees and annual license-renewal fees cover assessment and registry operations, not access to the standard.
Operational roadmap
What success looks like
Horizon
Target
Year 3 · Adoption
100+ certified vendors, including 5+ Tier III core processors and 3+ hyperscale cloud providers, enough to make registry consultation an institutional default.
Year 3 · Reciprocity
Signed commitments from institutions representing 60% of U.S. banking assets, across all four FDIC institution-size tiers.
Year 5 · Recognition
FFIEC member agencies and at least 25 state banking departments formally reference BVSC certification within published TPRM examination procedures.
Year 5 · Burden
Median vendor due-diligence cycle time among member banks reduced at least 50% relative to the 2026 pre-BVSC baseline.
These are objectives, not forecasts. Regulatory-recognition outcomes depend on agency action BVSC cannot guarantee, which is precisely why the proposal treats regulatory engagement as the central execution risk.
The standard, the passport, and where it fits
The Framework
The Banking Technology Compliance Framework is a modular, tiered standard that maps to existing regulatory expectations while adding banking-specific requirements general frameworks omit. It does not replace ISO 27001, NIST CSF 2.0, or the Shared Assessments SIG. It translates them into an assessable, banking-specific standard.
Consumer Compliance Pass-Through Pricing, underwriting, collections for consumer-facing applications
UDAAP · Fair Lending · ECOA · Reg B
Core
Real-Time Compliance Monitoring API Machine-readable risk-signal feeds for continuous monitoring
DORA (precedent) · FFIEC IT Handbook
Phase 3
The AI and Agentic-AI module is a committed, co-equal pillar, but it is sequenced last by design. The mature, well-precedented domains are standardized first; standardizing a fast-moving field too early risks locking in inferior technology and crowding out innovation, the timing problem the evidence base flags directly. BVSC holds the AI module open as a watching brief and standardizes it only once practices settle. Standards update on a two-year cycle with a minimum 60-day public comment period.
The universal passport: three tiers
Beneath the three tiers sits one fundamental question the assessment answers first: can this provider actually do what it claims? Before any control is tested, BVSC evaluates whether the partner has the requisite expertise and experience in its board and leadership team to deliver what it says it can. A control framework measures what a provider has built; the foundational capability gate measures whether the people running it are equipped to keep it standing. A provider that cannot clear the gate does not proceed to control testing.
TIER I
Foundational
The base gate for every provider: an assessment of board and leadership expertise and experience against the provider's stated capabilities, plus self-assessment against BTCF core, BVSC-reviewed documentation, and annual attestation renewal.
Mid-risk vendors with data or system access. Full BTCF assessment by accredited QSAO, on-site or remote control testing, biennial reassessment with annual monitoring.
Full registry listing; eligible for gap-analysis recognition by member banks.
TIER III
Critical
Core processors and systemic providers. Full BTCF plus all modules, annual reassessment, continuous monitoring, concentration-risk disclosure required.
Full listing with findings disclosure; regulatory-observer notification for material findings.
Reciprocity, and its limits
Certification has value only if banks actually credit it. BVSC pursues a formal mutual-recognition framework: a signed commitment by member banks to accept a valid Tier II or Tier III certification as a baseline, conducting only institution-specific gap analysis on top.
Reciprocity without examiner credit is approximately a 60-percent solution. A bank can use BVSC certification as a baseline, but must still document its reliance and conduct institution-specific gap analysis. The full prize requires the formal regulatory-engagement work.
On the honest limits of reciprocity
The stress test: when a certified vendor fails
A certification regime is judged by its first crisis, not by its first certificate. Some vendor holding a valid BVSC certificate will eventually suffer a material incident, and the design has to assume it from the outset. The precedent is instructive: Heartland Payment Systems had been validated PCI-compliant before its 2008 breach, and Target had passed a PCI assessment weeks before its 2013 compromise. The lesson is not that certification failed. It is that a point-in-time assessment was asked to carry a weight it never claimed, and the regime had no pre-committed answer for the moment the gap showed. BVSC writes that answer into the framework before the first certificate is issued.
Flag first, investigate second
On a material incident at a certified vendor, the registry entry carries an incident flag and moves to under-review status within 72 hours, and every member bank listed as reliant is notified through the registry. The map function, not a press cycle, is how reliant institutions learn their exposure.
Separate control failure from assessment failure
An independent post-incident review answers one question: did controls drift after a sound assessment, or did the QSAO miss what was there? The second finding triggers a parallel accreditation review of the assessing firm, up to suspension. Assessor accountability is what keeps the passport from inflating.
Publish the findings into the standard
A redacted post-incident report enters the BTCF revision record, and the control gap it exposes is addressed in the next published cycle. Every failure makes the standard harder to fail the same way twice, which is the property no bank-by-bank questionnaire regime has ever had.
Remediate or revoke on a published ladder
Cure period, re-assessment, restoration or revocation, each step visible in the registry as it happens. A bank's reliance file updates itself, because the registry states are the ladder.
Never let the certificate become the defense
Certification is evidence of diligence at a point in time. It is not a warranty of vendor performance, not a substitute for the bank's own risk management, and not a liability shield. That is the posture the sharpest critics in the 2020 docket demanded, and conceding it up front is what makes the rest of the protocol credible.
What the certificate asserts
The vendor's controls met the BTCF at the assessment date, verified by an accredited independent firm.
Continuous attestation obligations are current and material changes have been reported.
The scope, tier, conditions, and expiry are exactly what the public registry entry says they are.
What it never asserts
That the vendor cannot be breached, or that controls have not drifted since assessment.
That a reliant bank has discharged its third-party risk obligations under interagency guidance.
That certification shields the vendor, the assessor, or the bank from supervisory or legal consequence.
PCI survived Heartland because the card networks could compel participation regardless of the embarrassment. BVSC has no compulsion lever, so its crisis protocol has to be written before the first certificate, not after the first breach.
Design principle · certification integrity
Where BVSC fits, and how it differs
The financial sector already has a robust ecosystem of standards bodies. BVSC does not replace them. It occupies a distinct governance layer none addresses: the risk-management and compliance interface between banks and their technology partners. The most instructive comparison is the Coalition for Financial Ecosystem Standards (CFES), the proof of demand and the proof of the ceiling a purely private body hits.
Capability
BVSC
CFES
HITRUST
TruSight
Shared A.
Banking / vendor-specific control set
Yes
Partial
No
Partial
No
Pass/fail certification (not advisory)
Yes
No
Yes
No
No
Public certification registry
Yes
No
Yes
No
No
Binding bank-side reciprocity
Yes
No
No
Partial
No
AI & agentic-AI governance module
Yes
No
Partial
No
No
Multi-stakeholder voting governance
Yes
No
No
No
Partial
State-regulator (CSBS) at the table
Yes
No
No
No
No
Regulator observers in governance
Yes
No
No
No
No
Active regulatory-recognition pathway
Yes
Partial
No
No
No
The single design choice that lets BVSC offer a defined pass/fail certification with supervisory weight, rather than CFES's necessarily hedged maturity report, is the presence of government in its governance. The maturity model is what an organization builds when no regulator will stand behind a bright line. The bright line is what regulatory participation buys.
The 2020 FDIC precedent
BVSC is not a novel idea, and that is its strongest evidence. In July 2020 the FDIC issued a formal request for information (RIN 3064-ZA18) asking the precise question BVSC answers: should a public-private body set standards and run a voluntary certification for the models and third-party technologies banks rely on? Forty-five comment letters responded. The docket is the closest thing to a market test this concept has, and the live, interactive analysis of all 45 letters is in the Certification RFI tab.
LESSON 01
Demand is real, but conditional
Industry broadly welcomed the concept, but tied approval to a real reliance mechanism, the participation of every banking agency, and protection against cost, capture, and duplication.
LESSON 02
Reliance is the hinge
Every position reduced to one question: does a certification mean anything at the examination table? Without supervisory reliance, certification is a cost with no offsetting benefit, and the industry said so plainly.
LESSON 03
The opposition is serious
AFR, the NCLC, and Professor Odinet argued a reliance safe harbor would become a fair-lending liability shield and an abdication of the FDIC's own supervisory duty. These are the objections a credible proposal must answer.
The unexpected common ground: neither camp trusted a purely industry-run body. Industry wanted every federal banking agency as an active contributor; opponents wanted the regulator to build its own capacity. For opposite reasons, both insisted the regulator must not stand back. BVSC's governance is the synthesis of that shared instinct.
Three companion papers
Working Papers
Each working paper takes up one of the sharpest objections to the founding proposal and answers it in detail: jurisdictional duplication, the role of AI in assessment, and the organizational design that keeps the body credible to a regulator.
WP No. 1
The DORA–BTCF Crosswalk
Answers the objection that a U.S. vendor-certification regime would simply add another compliance layer on top of the EU's Digital Operational Resilience Act, by mapping the BTCF control by control against DORA's third-party-risk provisions.
The headline result
A single, well-designed BTCF assessment can be engineered to produce documentation that directly evidences a substantial majority of the enumerated DORA obligations a vendor faces, leaving only a defined residual set that is genuinely EU-specific. Each mapped obligation gets one of four coverage ratings.
DIRECT
A BTCF control produces documentation that directly evidences the DORA obligation. Most of the Article 28 principles and the Article 30 contractual core.
PARTIAL
The control evidences the substance, but an EU-specific formality or counterparty step remains. Register of Information fields, notification steps.
STRUCTURAL
The BTCF mirrors the concept, but the DORA mechanism is a supervisory act no certification can perform. Tier III is modeled on Article 31 but cannot confer it.
RESIDUAL
Genuinely EU-specific, outside any U.S. framework. The EU-subsidiary requirement for designated providers; participation in ESA oversight.
Representative crosswalk rows
BTCF control objective
DORA article
Coverage
DORA-conformant master service agreement template
Art. 30(1)–(2)
Direct
Business continuity with tested recovery objectives
Art. 30(3)(c)
Direct
Fourth-party / subcontractor oversight and chain mapping
Art. 28(1), 30(5) RTS
Direct
Register of Information data fields (provider-supplied)
Art. 28(3)
Partial
Threat-led penetration testing participation
Art. 26–27
Partial
BTCF Tier III "Critical" designation
Art. 31
Structural
EU-subsidiary establishment for designated CTPPs
Art. 31
Residual
The design principle that holds it together
Assess templates, not transactions. Rather than reviewing each of a vendor's contracts against DORA's Article 30 checklist, a BTCF control assesses whether the vendor maintains a standard MSA template containing all the required clauses. One template assessment replaces hundreds of contract reviews, and that single choice produces most of the Direct ratings.
WP No. 2
AI-Assisted Qualified Assessor Review
How machine assistance can supplement expert judgment in BTCF certification, with SOC 2 review as the worked example. The thesis is narrow: AI handles the mechanical layer; the human retains every consequential judgment.
The division of labor
Assign each task to AI, to the human, or to a supervised collaboration, based on whether it is rule-governed or judgment-bound. AI owns the mechanical layer outright; a narrow band is shared; every consequential judgment and the signature is human only.
Task
Owner
Rationale
Completeness & structure check
AI leads
Deterministic presence test; AI does not skip sections under time pressure.
Exception extraction & structuring
AI leads
High-volume reading; produces a complete, sourced exception register.
Control-to-criteria-to-BTCF mapping
Shared
AI proposes the mapping; the assessor confirms it cell by cell.
Carve-out / subservice detection
Shared
AI flags every carved-out org; the assessor decides which matter.
Scope-adequacy determination
Human only
Whether the scope matches the real relationship is professional judgment.
Banking-specific sufficiency
Human only
The central BTCF judgment a generic SOC 2 never addressed.
Certification decision & sign-off
Human only
The accredited assessor of record owns and signs the conclusion. Never delegated.
Where AI fails, and how BVSC contains it
Confident fabrication
Every AI assertion must cite its source location. Unsourced conclusions are rejected by design; a single fabricated citation fails the tool's accreditation.
Judgment masquerading as extraction
The tool is structurally barred from emitting scope-adequacy, materiality, or sufficiency conclusions. Those fields are absent from its output schema.
Prompt injection via the report
The ingested report is untrusted input. The tool runs with OWASP-consistent injection defenses and is itself governed as a model under the BTCF.
Automation complacency
The workflow forces active human decision on every judgment field; a provenance audit trail records who decided what, for any peer reviewer or examiner.
The test of the workflow is a single question a peer reviewer should answer from the record alone: did a human, not a tool, make every judgment that mattered? Practitioner reporting puts the efficiency gain near an order of magnitude, 300 to 500 hours down to 110 to 170.
An FDX-style operating structure: a small full-time staff that runs the institution, with the real standard-development work carried by industry-led, dual-chaired working groups, adapted so regulators sit at the table where FDX keeps them out.
Five layers, mirroring the Financial Data Exchange
Layer
Role
Board of Directors
Banks hold ≥50% in all circumstances; illustrative floor of ≥6 bankers (across all asset tiers), 3 independents, 3 technology service providers (voting); technical advisory panel and four regulatory observers (non-voting).
Executive Steering Committee
Acts between quarterly board meetings; board chair(s), bloc representatives, and senior staff (non-voting).
Standards Review Committee
Technical oversight and version alignment across all working groups; owns the two-year revision cycle.
Certification Oversight Committee
QSAO accreditation, registry integrity, appeals. The body FDX lacks, walled off from standard-setting.
Domain Working Groups
One per BTCF specialty area, dual-chaired by a bank and a vendor technical lead, with regulator observers.
Task Forces
Time-limited, cross-cutting work chartered by a working group or the board; dissolve on delivery.
How balance is maintained
FDX balances financial against non-financial institutions and keeps regulators out. BVSC gives banks a structural majority and seats every prudential supervisor as an observer. Banks hold at least half the board because they carry the risk and answer to examiners, but adoption takes a two-thirds supermajority, so a bank majority still needs cross-bloc support to carry a standard. The technology service providers are a structural minority so no standard passes on the votes of the regulated alone; independents are the neutral ballast; and one-entity-one-vote within each bloc prevents a large member dominating by sending more people.
Current regulators watch; former supervisors vote. That is the difference between a useful technical standard and a standard a supervisor can rely on.
The adaptation, in one sentence
The full slate, with named candidates for every board and working-group seat, is in the Org Structure tab.
The academic and empirical foundation
The Evidence
BVSC's design is not improvised. The scholarly literature on standard-setting organizations, read against real financial-sector precedents, converges on a single prescription: a balanced, multi-stakeholder body with tiered-but-equal voting, consensus decision-making with open public comment, a royalty-free core IP policy, and transparent due process. Those are the same attributes the CFPB codified for recognition under Section 1033, and the ones this proposal is built to.
Balance of interests is the master variable. No single group, large banks, community banks, or vendors, should be able to carry a standard alone.
The inverted-U. Fiedler, Larrain and Prüfer (2023) find welfare peaks when control is shared, not when either side dominates. BVSC's no-bloc-majority rule aims the board at the top of the curve.
What the literature prescribes, and where BVSC answers
Theme 01 · The master variable
Balance of interests
Finding
Fiedler, Larrain and Prüfer1 model shared SSO control and find an inverted-U: some downstream (bank) power curbs vendor hold-up, but too much deters the innovators a standard needs. ANSI2 and the CFPB3 both bar any single interest from dominating.
Precedent
FDX seats data providers and third parties equally, with reserved non-commercial seats. PCI SSC, where the card brands hold a permanent Executive Committee above the consensus process, is the textbook capture case.
In BVSC
Three voting blocs with banks holding a structural majority (≥50% in all circumstances), a two-thirds adoption rule so banks still need cross-bloc support to carry a standard, technology service providers held as a structural minority, and regulators present only as non-voting observers.
Theme 02 · Membership
Tiers without pay-to-play
Finding
Practitioners value a broad membership base, equal votes, low cost, and free implementation (Wiegmann et al.)4, and large and small members pull in opposite directions (Fiedler et al.)1.
Precedent
MISMO dropped tiered membership in 2017 to kill pay-to-play and runs one-member-one-vote. Nacha reserves rule votes for Direct Members whose dues run tens of thousands a year.
In BVSC
Tiered dues so community banks and small vendors can afford a seat, but votes decoupled from fees, one organization one vote within its category, and the standard free to implement.
Theme 03 · Governance
Board and committee design
Finding
Simcoe5 frames the core task as winning adoption without hold-up, and warns that consensus-as-unanimity drives delay. Chair affiliation measurably shapes outcomes (Baron and Kanevskaia)6.
Precedent
MISMO elects governance committees to two-year terms with a six-year cap, and the drafting happens in open workgroups.
In BVSC
Leadership under one of two models — co-chairs (one bank, one independent) or a bank chair with a technology-service-provider vice-chair — two-year staggered terms, elected committees over open working groups, and chairs who disclose affiliations and recuse on conflicts.
Theme 04 · IP
Royalty-free core
Finding
FRAND is the modal regime (about 86.5% of SSOs in the Searle database)7, but royalty-free maximizes adoption in interoperability domains. Chiao, Lerner and Tirole8 find, against intuition, that less-strict IP rules track higher standard quality.
Precedent
FDX and the open-banking world are royalty-free. W3C switched to a royalty-free patent policy in 20049 after a developer backlash.
In BVSC
A royalty-free core with reciprocal grant-back and a disclosure-and-exclusion procedure on the W3C model, with a FRAND fallback reserved for any optional patent-encumbered module.
Theme 05 · Openness
Open process, members-only votes
Finding
Legitimacy is built across input, throughput, and output (Botzem and Dobusch)10. Open process earns credibility but slows as commercial stakes rise (Simcoe)5.
Precedent
Nacha lets anyone, member or not, submit ideas and comment on a request for comment. The CFPB's first recognition attribute is openness, explicitly including consumer and public-interest groups.
In BVSC
Public comment on every draft, published agendas and minutes, open idea submission, members-only final votes, and a published basis for each decision.
Theme 06 · Recognition
Competition and focal status
Finding
Firms forum-shop on membership base and rules (Wiegmann et al.; Lerner and Tirole)4,11. Recognition confers focal-point status and guards against fragmentation.
Precedent
The CFPB allows multiple recognized setters, which the Bank Policy Institute warns could fragment formats12. It recognized FDX first, in January 20253.
In BVSC
Pursue prudential-regulator recognition early, interoperate with MISMO, FDX, Nacha, X9, and ISO 20022 rather than overlap them, and occupy the open ground of bank-vendor and third-party-risk standards. See Agency Pathways.
Theme 07 · Innovation
Standardize the stable layer
Finding
Standards cut transaction costs and build trust, but setting them too early can lock in inferior technology (Blind; Farrell and Saloner)13,14.
Precedent
The recurring lesson across telecom and information-technology standards bodies, where premature lock-in is the standing risk.
In BVSC
Standardize the stable layer (interfaces, security baselines, risk and due-diligence taxonomies), leave fast-moving product features unstandardized, and use versioning and sunset clauses. See the standards calendar.
Theme 08 · Financing
Funding without conflict
Finding
Firms prefer low-cost participation and free implementation4, and revenue dependence on certification can pull against neutral standard-setting.
Precedent
Nacha runs on member dues, MISMO on dues and an innovation fee, PCI partly on certification and training revenue.
In BVSC
Scaled dues by size with the standard free to implement, plus recurring certification revenue from registration fees and annual license renewals, and reduced or free tiers for community banks and consumer groups. Certification governance stays ring-fenced from standard-setting, so no single revenue stream can skew the standard. See the Certification Oversight firewall.
Models and anti-models
THE ANTI-CAPTURE IDEAL
FDX, MISMO, Nacha
Equal or one-member-one-vote, royalty-free or open access, public comment, and at FDX reserved non-commercial seats. These are close to the bodies the literature would design, and BVSC borrows their structure directly.
THE CAUTIONARY TALE
PCI SSC
Five card brands hold a permanent Executive Committee that sits above the consensus process, and they separately run enforcement. That concentrates exactly the dominant-member power the literature and the CFPB warn against. BVSC seats no permanent founder committee above the vote, and walls certification off from standard-setting.
What the evidence recommends
REC 01
A balanced board, capped
Explicit interest categories, no category above roughly one-third of any decision body, two-year terms with a six-year cap, and consumer seats. If any category's effective control exceeds one-third in practice, restructure the allocation.
REC 02
Decouple fees from votes
Tiered dues, one organization one vote per category, free implementation. If community-bank voting share falls below a meaningful level, cut their fees further or add reserved seats.
REC 03
Royalty-free core IP
Reciprocal grant-back and a disclosure-and-exclusion procedure on the W3C model, with a FRAND fallback only for optional patent-encumbered modules.
REC 04
Open comment, published rationale
Mandatory comment periods and a published basis for conclusions, with members-only final votes.
REC 05
Standardize the stable layer
Freeze interfaces, security baselines, and risk taxonomies; leave product features open; version and sunset to preserve innovation.
REC 06
Pursue recognition early
Become the focal SSO to avoid fragmentation, and interoperate with adjacent bodies rather than overlap them.
REC 07
Ring-fence certification revenue
Keep certification governance and its revenue separate from standard-setting, so the body never has a financial stake in who passes. This is the single safeguard PCI lacks.
Open tensions, stated plainly
Innovation versus standardization
Standardizing too early can entrench inferior technology. BVSC's answer is to freeze only the stable layer and review on a published cycle, but where that line falls is a judgment call the board will have to keep making.
Strict IP is not automatically better
Chiao, Lerner and Tirole8 find that less-strict IP rules track higher standard quality. In interoperability the adoption gain from royalty-free usually wins, but BVSC should revisit the policy if patent-holding vendors decline to participate.
The regulatory anchor may shift
The CFPB's 1033 rule and its standard-setter recognition regime are under active litigation and reconsideration through 2025 and 20263. If formal recognition narrows, BVSC's fallback is voluntary alignment with interagency third-party-risk guidance, which is the OMB Circular A-119 route set out in Agency Pathways.
References
Fiedler, Larrain & Prüfer (2023). Membership, governance, and lobbying in standard-setting organizations. Research Policy 52(6), 104761.
ANSI. Essential Requirements: Due Process Criteria for American National Standards (no single interest category may dominate a consensus body).
CFPB (2024–2025). Personal Financial Data Rights Rule (12 CFR Part 1033) and Industry Standard-Setting Rule; Decision and Order recognizing FDX, Jan. 8, 2025.
Wiegmann, Eggers, de Vries & Blind (2022). Competing Standard-Setting Organizations: A Choice Experiment. Research Policy 51(2), 104427.
Simcoe (2012; 2014). Standard Setting Committees, American Economic Review 102(1), 305–336; and Governing the Anticommons, Innovation Policy and the Economy 14, 99–128.
Baron & Kanevskaia (2023). Wearing multiple hats: the role of working-group chairs' affiliation in standards development. Research Policy 52(9).
Baron & Spulber (2018). Technology Standards and Standard Setting Organizations: Introduction to the Searle Center Database. J. Economics & Management Strategy 27(3), 462–503.
Chiao, Lerner & Tirole (2007). The rules of standard-setting organizations: an empirical analysis. RAND J. Economics 38(4), 905–930.
W3C (2004). W3C Patent Policy, 5 February 2004 (royalty-free).
Botzem & Dobusch (2012). Standardization Cycles: A Process Perspective. Organization Studies 33(5–6), 737–762.
Lerner & Tirole (2006). A Model of Forum Shopping. American Economic Review 96(4), 1091–1113.
Bank Policy Institute. The CFPB's Section 1033 Rule Is Not an “Open Banking” Rule.
Blind, Kenney, Leiponen & Simcoe (2023). Standards and innovation: a review and introduction to the special issue. Research Policy 52(8), 104830.
Farrell & Saloner (1988). Coordination Through Committees and Markets. RAND J. Economics 19(2), 235–252.
Primary and organizational sources: FDX, MISMO, Nacha, PCI SSC, and ISO 20022 governance documents.
Precedent facts (PCI's executive committee, FDX recognition conditions, Nacha dues) are case evidence, not causal findings. The CFPB 1033 rule and its recognition regime are under active litigation and reconsideration as of 2025 to 2026, so the regulatory anchor may shift.
Interactive tool
Organization & Founding Slate Explorer
An interactive view of the proposed FDX-style organization and a recruitable slate of named candidates for every board and working-group seat. Tap any tier to expand its mandate; review the governance functions, standards calendar, and certification registry; filter the seats by layer, gettability, or search; and compare four models for how the federal banking agencies could be involved in standing the body up.
Candidate suggestions only. BVSC does not exist. Every individual named is a candidate based solely on public professional role and public standards or policy activity. No one named has any known affiliation with, knowledge of, or endorsement of BVSC. Titles change; re-verify before any use.
Banking Vendor Standards Council · Organization Explorer
Structure & Founding Slate
An interactive view of the proposed FDX-style organization and its governance functions, a recruitable slate of named candidates for every board and working-group seat, and four models for how the federal banking agencies could be involved.
01
The Organization at a Glance
Six layers, mirroring the Financial Data Exchange: a governing board, an executive steering committee acting between board meetings, a lean full-time staff that runs the institution, two parallel oversight bodies, the domain working groups where the standard is built, and time-limited task forces. Tap any tier to expand its mandate.
02
Governance Functions
Structure is only half the institution. These are the recurring functions that keep the standard current and the certification trustworthy: the reporting structure at a glance, a published standards calendar with fixed review cycles, and a public certification registry with a defined record and lifecycle.
Reporting Structure
The same six layers as the Organization tab, drawn as a reporting tree. The board governs; the Executive Steering Committee acts between meetings; a lean staff runs the institution; two committees sit in parallel, with the Certification Oversight Committee firewalled off from standard-setting; the working groups build the standard; task forces handle cross-cutting work. The technical advisory panel and the four regulatory observers attend the board without a vote.
Governing & steeringStaffStandards lineCertification firewallWhere the standard is built
Where Certification Sits: Two Options
The certification function must never be controlled by the people who write the standard. There are two ways to guarantee that. The default rings it off inside BVSC; the alternative moves it out entirely into its own legal entity. The founding cohort chooses.
Option A · Default
Ring-fenced committee inside BVSC
Certification runs as the Certification Oversight Committee, a walled-off body within BVSC that owns QSAO accreditation and the registry, excludes anyone with a commercial interest in assessment outcomes, and clears every certification through central QA before it posts.
One institution to fund, staff, and pursue regulatory recognition.
Standard and certification share governance, so crosswalks and re-certification stay tightly in sync.
Independence rests on committee walls and conflict rules rather than on a separate corporate boundary.
Option B · Alternative
A separate certification entity
Certification spins out into its own organization, distinct from the standards body, on the model of a standards developer whose certification arm is a separately governed affiliate. BVSC writes the standard; the separate entity accredits assessors, issues certifications, and runs the registry under its own board.
Structural separation, not just procedural: the firewall is a corporate boundary a critic can see.
Insulates BVSC from the conflict and liability exposure of the pass/fail decision.
Costs more to stand up and requires an explicit coordination agreement to keep standard and certification aligned.
The Standards Calendar
Every part of the BTCF moves on a published schedule, so members, vendors, and examiners can plan against it. Reviews are staggered across domains so the whole framework never re-opens at once, and the board runs each cadence in the open.
Continuous
Living drafts
Working groups maintain working drafts, log issues, and stage proposed changes between formal cycles.
Annual
Errata & guidance
Minor clarifications, errata, and interpretive guidance publish once a year. Non-substantive fixes need no comment period; interpretive guidance carries a 30-day notice.
Every 2 years
Full domain review
Each domain gets a full review on a two-year cycle. Substantive changes require a minimum 60-day public comment period before the board adopts them.
Out of cycle
Triggered revision
A new rule, supervisory guidance, or a material incident can open an emergency revision: expedited 30-day comment, board ratification, then folded into the next regular cycle.
Every 3–5 years
Retrospective review
On the A-119 schedule, the board asks the harder questions: is the domain still needed, does it still map to current regulation, and should anything be retired.
Review Cohort A · odd years
Cybersecurity & Operational Resilience
AML/BSA Compliance Capability
Model Risk & Validation
Consumer Compliance Pass-Through
Review Cohort B · even years
Data Governance & Privacy
Financial & Operational Stability
Technical Interoperability / API
AI & Agentic-AI Governance (see note)
Domains split into two cohorts and review in alternating years, the same staggering principle as board terms, so the full framework never re-opens at once. The AI and Agentic-AI domain is sequenced last onto the roadmap by design, so an early standard does not lock in immature technology; once it enters, it runs on an accelerated annual review given how fast the technology and its supervision are moving.
The Certification Registry
The public, machine-readable record of who is certified, to what, by whom, and through when. It is the artifact an examiner or a bank's vendor-risk team actually checks, and the reason a certification can carry weight at the examination table.
Registry record · illustrative
VendorExample Core Systems, Inc.
Product / scopeDeposit & ledger platform
Domains certifiedCyber · Data Gov · Model Risk
TierIII · Critical
Assessing QSAOAccredited assessor firm
Issued / expires2026-Q3 / 2028-Q3
StatusActive
CrosswalkDORA · SOC 2 mapped
Integrity & cadence
Operated by the Certification Oversight Committee, walled off from standard-setting.
Every certification clears central BVSC QA review before it posts.
Re-certification tracks the standards calendar, so a vendor re-attests when its domains revise.
Published through a public API with no login wall, so banks and examiners can query it programmatically.
Active
Current and in good standing.
In Remediation
A finding is open; the vendor is under a corrective plan with a deadline. Shown publicly.
Suspended
Certification paused pending resolution of a material issue.
Expired
Lapsed; re-certification required to return to active.
Withdrawn
Ended voluntarily or for cause; kept in the public history.
Candidate suggestions only. BVSC does not exist. Every individual named is a candidate based solely on public professional role and public standards/policy activity — no one named has any known affiliation with, knowledge of, or endorsement of BVSC. Titles change; re-verify before any use, and have counsel and the individuals themselves vet any real outreach slate.
03
Seats & Candidates
Every board, working-group, and founding-vendor seat with named candidates where gettable people exist, and archetype profiles where naming a real person would be speculative. Filter by layer or gettability, or search by name, role, or domain.
Layer
Gettable
04
Federal Agency Pathways
There is no single way for the banking agencies to be involved in standing up BVSC. Four distinct models trade regulatory credibility against legal and political cost. Select a path to see how setup, hand-off, and the agencies' steady-state role differ, then compare all four at the bottom.
Two things frame all four paths. First, no banking-specific program yet lets the FDIC, OCC, or Fed formally rely on a private certification. Second, a government-wide framework for exactly this kind of reliance has existed since 1996: the National Technology Transfer and Advancement Act and OMB Circular A-119, which Path 4 is built on. The CFPB's 2024 Section 1033 regime, which recognized FDX in January 2025, shows a banking-adjacent regulator operationalizing the same idea. Across all of them, conformance is evidence of compliance, not a safe harbor.
·
Side by Side
Dimension
Path 1 · Convene & Hand Off
Path 2 · Agency-Run Subsidiary
Path 3 · Criteria & Step Back
Path 4 · Voluntary Consensus (A-119)
Who leads setup
Agencies convene, then exit control
Interagency / federally chartered parent
Industry, building to published criteria
Industry, building to A-119 attributes
Long-term owner
Independent industry 501(c)(6)
Government / interagency parent
Independent industry 501(c)(6)
Independent industry 501(c)(6)
Agencies' end role
Standing advisory council (non-voting)
Parent and controller
Advisory observer, or hands-off
Statutory participant; may sit on board, incorporate by reference
Legal vehicle
Convened, then spun out
Controlled subsidiary (MISMO / MBA model)
Independent body meeting agency criteria
VCS body under the NTTAA / A-119 (existing framework)
Federal reliance on ASTM, ANSI, NFPA; NIST conformity assessment
05
Recruitment Strategy & Sequencing
Who to approach first to build momentum, and how to keep the founding slate defensible against the "industry capture" critique.
Anchor neutrality first; recruit the proven standards-builders next; land one anchor vendor per category for signaling; fill technical leads from the FDX, CFES, NACHA, and Shared Assessments alumni pool who self-select for consensus work.
Banking Vendor Standards Council — Organization & Founding Slate Explorer. A discussion draft built from BVSC Working Paper No. 3, the founding recruitment research, a benchmarking review of MISMO, FDX, the CFPB 1033 regime, and peer standard-setting bodies, and OMB Circular A-119. Named individuals are candidate suggestions based on public roles only and have no affiliation with or knowledge of BVSC. Re-verify all titles; have counsel vet any outreach.
Interactive tool
The Certification Question
Forty-five public comment letters answered the FDIC's 2020 request for information on a standard-setting organization and voluntary certification program for fintech models and third-party providers. Nearly all of them turned on a single word: reliance. Explore the fault line, the nine-theme matrix, the full roster, and every commenter profile.
FDIC DocketRIN 3064-ZA18Comment Period Closed 22 Sep 2020
The Certification Question
Forty-five public comment letters answered the FDIC's request for information on a standard-setting organization and voluntary certification program for fintech models and third-party providers. Nearly all of them turned on a single word: reliance.
The FDIC asked whether a public-private body should set standards and certify the models and vendors banks use. Industry largely said yes, but only if a certification means something at the examination table. Consumer advocates and academics said that is precisely the problem.
FINDING 01
Conditional support was the industry norm
Trade groups, fintechs, card networks, and standards bodies welcomed the concept, but tied approval to a regulatory reliance mechanism, all banking agencies participating, and protection against cost, capture, and duplication.
FINDING 02
The safe harbor was the whole argument
A certification is worthless to a bank unless an examiner will accept it in place of independent due diligence. That reliance question is the hinge on which every other position turns.
FINDING 03
Advocates called the same mechanism a shield
AFR, NCLC, and Professor Odinet argued an industry-led body would let banks deflect fair-lending liability by pointing to a third-party stamp, and urged the FDIC to build its own expertise and rely on NIST.
The safe-harbor fault lineShould certification = supervisory reliance?
▲ Reliance should attach
"Let banks rely on certification in place of their own due diligence, and let examiners honor it."
▼ Reliance is the danger
"A purchased stamp becomes a liability shield and an abdication of the FDIC's own supervisory duty."
◇ The unexpected common ground
Both camps distrust a purely industry-run body. Industry wanted every federal banking agency and the CFPB as active contributors. Opponents wanted the FDIC to develop in-house technical capacity rather than outsource it. Each side, for opposite reasons, argued the regulator must not stand back.
Tap any organization chip above, or open 02 · Theme Matrix to read every position in detail.
Positions by theme
The theme matrix
Each cell is a recorded position. Tap a cell for the detail, the source, and how firmly it is sourced. Tap an organization name for its full profile. Columns are the nine recurring themes; hover a column head for its full name.
F Supports / advocatesC ConditionalO Opposes! Raises as concern· Addresses technically
Source confidence: full text read partial / mirror indexed, position provisional
Every letter in the docket
The full roster
All 45 comment letters as indexed by the FDIC (citation 7085), c-001 through c-045. Click a column head to sort. Names and IDs are confirmed against the official index; provisional positions are flagged.
ID
Commenter
Type
Position
Safe harbor
Source
Staff-disclosure logs (not comment letters)
Six meetings between FDIC staff and outside parties were logged in the same docket. They are records of contact, not public comments, and are listed separately here.
Federal Reserve Board / Reserve Bank staff
Fidelity National Information Services (FIS)
Accredited Standards Committee X9
American Bankers Association
Amount, Inc. (with attachment)
Alliance for Innovative Regulation
The major commenters
Commenter profiles
The fully and partially sourced letters, with concepts, recommendations, position, and concerns. Lighter-sourced letters appear in the roster and matrix but are not profiled here.
Provenance and limits
Sources & caveats
The docket is fully public. This tool is built from the FDIC's official index and from the comment PDFs and authoritative mirrors that were readable at the time of research. Read the caveats before quoting any position as verbatim.
Where the docket lives
The complete index is the FDIC Federal Register Citations page, citation 7085. Individual letters follow two URL patterns, both on fdic.gov: the /resources/regulations/federal-register-publications/2020/ path and the /system/files/2024-06/ path, each ending in 2020-request-for-info-standard-setting-3064-za18-c-0XX.pdf.
Caveats
NCLC (c-041) full text was not independently retrieved. Every FDIC URL variant for this PDF was blocked by bot detection and no accessible mirror was found. The docket entry and authorship (Lauren Saunders, Rebecca Borne) are confirmed from the index, and the AFR/DPEF letter expressly aligns with NCLC's positions. The specific positions attributed to NCLC are inferred from adjacent NCLC filings and that cross-reference, not quoted from c-041. Verify against the primary PDF before presenting any NCLC quote.
About 21 letters are thinly sourced. Their existence, exact names, and c-numbers are solid from the official index. Their position labels are inferred from search snippets and letter type, not full-text review, and are marked provisional with a grey source dot. Treat those rows as a working hypothesis pending direct PDF review.
The RFI was exploratory, not a rulemaking. It stated the FDIC was not considering substantive revisions to existing model-risk or third-party guidance. No SSO or certification program was ever created; the thread was overtaken by the 2021 Interagency Guidance on Third-Party Relationships (RIN 3064-ZA26). Read industry "support" as support for further exploration under stated conditions, not endorsement of a built program.
Two entries are not substantive comments. c-001 (Antoine Delerme) is a one-line inquiry asking to join the program. c-044 (Robert E. Rutkowski) is an individual submission whose content was not retrieved.
Primary sources cited
Certification registry & concentration map
What a registry lets supervisors see
A certification registry is more than a vendor convenience. The moment you record which banks rely on which certified vendors, and which vendors rely on the same fourth parties, the registry becomes a supervisory map. It surfaces the concentration that no single bank, and no single certification, can see from the inside. The view below is interactive: select any institution, vendor, or fourth party to trace its dependencies.
Illustrative and synthetic. BVSC is a proposed body and does not yet certify anyone. The institutions, vendors, and fourth parties shown here are fictional, built to demonstrate the supervisory value of the registry-as-map. No real certification, relationship, or concentration is depicted.
BankCertified vendorIn remediationExpiredUncertifiedFourth party
Trace a dependency
Registry map
Hover or tap any node to highlight its dependency path. Banks show their full vendor stack and the fourth parties beneath it; a fourth party shows its blast radius across separately certified vendors.
What the map tells a supervisor
The registry
Vendor / product
Tier
Domains certified
QSAO
Status
Expires
Banks
The supervisory point, in one line: vendor-by-vendor certification answers "is this provider sound," but only the registry-as-map answers "what happens to the system if this one node fails." That second question is the one a certified, separately sound set of vendors can still hide, when they all rest on the same fourth party. This is the case for treating the registry as examination infrastructure, alongside interagency third-party risk guidance and bank-service-company examination authority.
Prospective implementation timeline
From formation to the final module
A hypothetical build sequence for BVSC across five parallel workstreams, playable under three scenarios: a baseline, a tailwind where regulatory engagement accelerates recognition and the AI field settles sooner, and a headwind where the comment period forces a re-ballot and recognition stalls. In every scenario the ordering holds: mature, well-precedented domains first, certification and recognition in the middle, and the AI and agentic-AI module last by design. Drag the NOW marker, or press play, to read the state of the council at any quarter. Toggle dependencies to see what feeds what, and the critical path to see the chain that actually gates recognition.
Prospective and illustrative. Dates are a planning hypothesis, not a commitment, and the scenario shifts are stylized. Sequencing, not the calendar, is the point.
Breaking the cold start
The registry is a two-sided market and it opens empty. Vendors will not pay for a certificate no bank credits, and banks will not credit a certificate no vendor holds. PCI never faced this problem, because the card networks could compel merchant participation from day one. BVSC has no compulsion lever, so the sequence on this chart is built to manufacture its own demand, in three moves that must land in order.
MOVE 01
Charter reciprocity, signed first
Founding member banks execute the mutual-recognition commitment at formation, contingent on adoption of the standard. The demand side exists on paper before the first assessment is scoped, so an anchor vendor is certifying into a known market, not a hypothesis.
→
MOVE 02
Anchor vendors, one per category
A first cohort across core, payments, cloud, and AI certifies on a founding-cohort fee schedule. For a provider answering hundreds of idiosyncratic questionnaires a year, the certificate becomes a sales asset the day the charter banks credit it, and each anchor pulls its category's competitors in behind it.
→
MOVE 03
Examiners in the room from day one
Regulator observers sit in governance from formation, so the recognition work runs in parallel with the standard rather than after it. The tipping event is the first examiner reference to the registry, not the thousandth certificate.
This is also why recognition sits mid-sequence on the chart below and the AI module sits last: the flywheel needs supervisory weight early and technical finality late.
Read the plan
Implementation timeline
Hover or tap any bar or milestone for its window, phase, and dependency. Drag the NOW marker to compute the state of the council at that quarter.
Illustrative instrument
Bylaws of the Banking Vendor Standards Council, Inc.
A Delaware nonstock, nonprofit corporation · Intended 501(c)(6) business league · Mock draft for discussion
Mock
These are illustrative bylaws, not an adopted instrument. They translate the governance concepts elsewhere in this dossier, a bank-majority board, two-thirds adoption, the three voting blocs, the two leadership models, the six operating layers, the certification firewall, and the dues and fee structure, into the form a founding cohort's counsel would use as a starting draft. Bracketed items and thresholds are placeholders. Nothing here is legal advice.
Recital. The undersigned, being the initial directors of Banking Vendor Standards Council, Inc., adopt the following Bylaws to govern the affairs of the Council in furtherance of its exempt purpose.
Article IName, Purpose, and Offices
1.1Name. The name of the corporation is Banking Vendor Standards Council, Inc. (the “Council” or “BVSC”).
1.2Legal form. The Council is a nonstock, nonprofit corporation organized under the General Corporation Law of the State of Delaware and intended to qualify as a business league exempt from federal income tax under Section 501(c)(6) of the Internal Revenue Code.
1.3Purpose. The Council is organized to serve the common business interest of the banking industry and its technology providers, and in particular to:
develop, maintain, and publish the Banking Technology Compliance Framework (the “BTCF”) as a voluntary consensus standard;
operate a voluntary certification program and a public registry of certified parties;
accredit independent assessors to evaluate conformance with the BTCF;
convene banks, technology service providers, independent experts, and observing regulators on balanced terms; and
advance the safety, soundness, resilience, and interoperability of bank technology.
The Council pursues these purposes to promote competition and efficiency, and not to restrain trade or exclude any qualified participant.
1.4Offices. The Council shall maintain a registered office in the State of Delaware and a principal office in Washington, D.C., and may maintain such other offices as the Board of Directors determines.
Article IIMembership
2.1Eligibility. Membership is open, on reasonable and non-discriminatory terms, to any organization with a bona fide interest in the Council's purpose.
2.2Categories and dues. The Council has four membership categories, with illustrative annual dues scaled by size:
Founders, open to global systemically important banks and leading technology platform providers, [$50,000];
General, open to mid-tier banks and Series C and later technology service providers, [$15,000];
Associate, open to community banks and seed or Series A technology service providers, [$3,000]; and
Affiliate, open to regulators, academics, and law firms, [$1,000], advisory and non-voting.
2.3Voting blocs. Each voting member is assigned to exactly one bloc, Bank, Independent, or Technology Service Provider, based on its primary business. Bloc assignment governs apportionment of the Board and quorum, and is determined by the Board on admission and reviewed on renewal.
2.4One member, one vote. At any meeting of the members, and within any bloc, each member organization has a single vote regardless of size or dues paid. No member may enlarge its influence by sending additional representatives.
2.5Rights by category. Working-group participation, registry access, eligibility to stand for the Board, and similar privileges attach to category as set out in a schedule maintained by the Board, provided that governance influence is never a function of dues.
2.6Dues and fees. Dues are set annually by the Board and scaled by size. The Council is further funded by certification registration fees, annual license renewals, assessment fees, and education. The BTCF is free to implement; fees fund the Council's operations, not access to the standard.
2.7Admission, resignation, and removal. The Board admits members and may suspend or expel a member for cause, including non-payment or conduct inconsistent with the Council's antitrust and conduct policies, after notice and an opportunity to be heard. No member holds any equity, property, or distributive interest in the Council.
Article IIIBoard of Directors
3.1Authority. The Board of Directors is the governing body of the Council; all corporate powers are exercised by or under the authority of the Board.
3.2Bank majority. Banks shall hold not fewer than fifty percent (50%) of the voting seats of the Board at all times, and not fewer than fifty percent of the seats of any committee exercising Board authority. This Section is an entrenched provision under Section 12.2.
3.3Composition and floor. The Board shall have no fewer than twelve (12) voting directors, apportioned by bloc as a minimum of six (6) Bank directors, three (3) Independent directors, and three (3) Technology Service Provider directors. The Board may add seats in any bloc, provided the Bank bloc remains at least fifty percent and adoption of a standard continues to require the supermajority in Section 3.9.
3.4Bank tiering. The Bank directors shall be apportioned across six asset tiers, each guaranteed at least one seat: $500M to $2B; $2B to $10B; $10B to $30B; $30B to $100B; $100B to $500B; and global systemically important banks. Seats added above the floor shall favor the smaller tiers.
3.5Non-voting participants. The Technical Advisory Panel of accredited assessors shall designate non-voting representatives to advise the Board, and the Council shall invite the FDIC, the Federal Reserve, the OCC, and CSBS to attend every layer of the Council as non-voting observers.
3.6Terms. Directors serve two-year terms, staggered so that approximately half of the Board is elected each year. Term limits, if any, are set by the Board.
3.7Vacancies, resignation, and removal. Vacancies are filled within the affected bloc for the remainder of the term. A director may resign on written notice, and may be removed for cause by a two-thirds vote of the other directors then in office.
3.8Quorum. A quorum is a majority of the directors then in office, provided that the directors present include Bank-bloc directors sufficient to preserve the bank majority under Section 3.2.
3.9Voting; Reserved Matters. Except where a supermajority is required, the Board acts by majority of directors present and voting. A two-thirds (2/3) vote of directors present and voting is required to adopt, revise, or withdraw a standard, to approve the annual budget, to change certification policy, to establish or separate the certification entity under Section 5.4, and for such other matters as these Bylaws designate (“Reserved Matters”).
3.10Meetings and action. The Board meets at least quarterly. Directors may participate by electronic means, and the Board may act without a meeting by unanimous written consent.
Article IVBoard Leadership and Officers
4.1Leadership model. The Board shall, by resolution, adopt one of two leadership models and record its choice in a schedule to these Bylaws:
Model A, Co-Chairs. Two Co-Chairs share the chair, one drawn from the Bank bloc and one from the Independent bloc, so that neither commercial constituency leads alone; or
Model B, Chair and Vice-Chair. A Chair drawn from the Bank bloc and a Vice-Chair drawn from the Technology Service Provider bloc, checked by the supermajority required for Reserved Matters.
4.2Officers. The officers of the Council are the presiding officer or officers under Section 4.1, a Secretary, and a Treasurer, together with such other officers as the Board appoints. Officers disclose their affiliations and recuse from matters in which they hold a conflict.
4.3Managing Director. The Board shall appoint a Managing Director to serve as chief executive of the Council, responsible for day-to-day management and for the professional staff. The Managing Director serves at the pleasure of the Board and does not vote.
4.4Terms and removal. Officers serve one-year terms and may be removed by the Board. Vacancies are filled by the Board for the unexpired term.
Article VCommittees
5.1Executive Steering Committee. The Executive Steering Committee acts for the Board between meetings on operational matters. Reserved Matters remain with the full Board, and any two directors or any bloc minority may escalate a committee decision to the full Board.
5.2Standards Review Committee. The Standards Review Committee maintains the technical coherence and versioning of the BTCF, owns the published standards calendar, and recommends standards to the Board for adoption.
5.3Certification Oversight Committee. The Certification Oversight Committee is independent of standard-setting and oversees assessor accreditation, the registry, and certification decisions. No person with a commercial interest in a certification outcome may vote on that outcome. The persons who write the standard do not control who passes it.
5.4Separation option. The Board may, by a two-thirds vote, establish the certification function as a separately governed affiliated entity operating under a coordination agreement, provided the independence protections of this Article and Article VII are preserved.
5.5Domain Working Groups. The Council maintains one working group per coverage domain, each dual-chaired by a Bank and a Technology Service Provider technical lead, open to member volunteers on balanced terms and attended by regulator observers. The working groups develop the standard.
5.6Task Forces. The Board or a committee may charter time-limited task forces with a defined deliverable and a sunset date, dissolved on delivery.
5.7Standing committees. The Board maintains a Nominating and Governance Committee and an Audit and Finance Committee, and may create others.
5.8Committee balance. No committee exercising Board authority may have a Bank share below fifty percent, consistent with Section 3.2.
Article VIStandards Development
6.1Consensus principles. The Council develops standards under principles of openness, balance of interests, due process, transparency, and a right of appeal.
6.2Development pipeline. A working group prepares a draft; the draft is published for public comment; the Standards Review Committee reviews comments and recommends a final text; and the Board adopts the standard by the two-thirds vote required for Reserved Matters.
6.3Review and versioning. Each standard is reviewed on the schedule set by the standards calendar and versioned on adoption. Fast-moving domains, including artificial intelligence, may be placed on an accelerated review cycle.
6.4Appeals. Any materially and directly affected party may appeal a procedural defect in the development of a standard to the Board, whose decision is final.
Article VIICertification and Registry
7.1Program. The Council operates a voluntary, tiered certification program measuring conformance with the BTCF, administered under the Certification Oversight Committee and delivered by accredited independent assessors.
7.2Foundational capability gate. Before any control is tested, the assessment determines whether the applicant has the requisite expertise and experience in its board and leadership team to deliver what it claims. An applicant that does not clear the gate does not proceed to control testing.
7.3Fees. Certification is funded by registration fees and annual license renewals. These fees fund assessment and registry operations and do not purchase access to the standard, which remains royalty-free.
7.4Registry. The Council maintains a public registry recording each certified party, the scope and tier of its certification, and its status. Certifications may be suspended or revoked for cause after notice and an opportunity to cure.
7.5Marks. Use of the Council's certification marks is licensed and conditioned on maintaining certification in good standing.
Article VIIIAntitrust and Intellectual Property
8.1Antitrust compliance. The Council operates for a documented pro-competitive purpose. Members shall not use the Council to agree on prices, output, customers, or other competitively sensitive terms. Counsel attends deliberations on standards and certification policy, and minutes are kept.
8.2Open participation and FRAND. Participation is open on reasonable and non-discriminatory terms. A holder of a patent essential to a standard commits to license it on fair, reasonable, and non-discriminatory terms.
8.3Royalty-free standard. The BTCF is published royalty-free. Copyright in the standard vests in the Council, which licenses it broadly to promote adoption.
8.4Sensitive information. Members shall not exchange competitively sensitive, non-public information through the Council.
Article IXMeetings of Members
9.1Annual meeting. The members meet annually to elect directors within their blocs and to receive reports of the Council.
9.2Special meetings. Special meetings may be called by the presiding officer, the Board, or on the written request of members holding [ten percent] of the votes.
9.3Notice. Written notice of each meeting is given not fewer than [fourteen] days in advance.
9.4Quorum. A quorum for a meeting of members is [one-third] of the voting members, present in person or electronically.
9.5Voting. Each voting member has one vote, cast within its bloc. Voting by proxy and by electronic ballot is permitted as the Board provides.
Article XFinances
10.1Fiscal year. The fiscal year of the Council is the calendar year, unless the Board provides otherwise.
10.2Revenue. The Council is funded by membership dues, certification registration fees, annual license renewals, assessment fees, education, and grants. No part of the net earnings of the Council inures to the benefit of any member, director, or officer.
10.3Budget. The annual budget is approved by a two-thirds vote of the Board as a Reserved Matter.
10.4Audit. The Council obtains an annual independent audit, reported to the members.
10.5No member equity. Members have no ownership or distributive interest in the assets of the Council.
Article XIConflicts of Interest and Indemnification
11.1Conflicts of interest. Directors and officers disclose actual and apparent conflicts and recuse from the affected matter. In their Council role, directors act in furtherance of the Council's mission rather than the narrow interest of any member or employer.
11.2Indemnification. The Council indemnifies its directors and officers to the fullest extent permitted by Delaware law and may maintain directors' and officers' liability insurance.
Article XIIAmendments and Entrenched Provisions
12.1General amendments. Except as provided in Section 12.2, these Bylaws may be amended by a two-thirds vote of the directors then in office.
12.2Entrenched provisions. The following may be amended only by a three-quarters (3/4) vote of the directors then in office and a majority of each voting bloc:
the requirement that Banks hold at least fifty percent of the voting seats (Section 3.2);
the independence and firewall of the certification function (Article V and Article VII); and
this Section 12.2.
Why entrench
The bank majority and the certification firewall are the two commitments that make the Council credible to the institutions that rely on it and to the providers it assesses. Entrenching them prevents a transient majority from quietly unwinding either.
12.3Tax status. No amendment may cause the Council to fail to qualify under Section 501(c)(6) of the Internal Revenue Code.
Article XIIIDissolution
13.1Distribution on dissolution. On dissolution, and after payment or provision for the Council's liabilities, the remaining assets shall be distributed to one or more organizations then qualifying under Section 501(c)(6) or 501(c)(3) of the Internal Revenue Code with a compatible mission, or to a successor standards body, as the Board directs. No assets shall be distributed to any member, director, or officer.
Adopted by the Board of Directors of Banking Vendor Standards Council, Inc. on [ ], effective immediately. These Bylaws supersede any prior bylaws of the Council.
Presiding officer (Chair or Co-Chairs) · Section 4.1