NYDFS Tightens Expectations on Third-Party Risk: What New York’s Guidance Means for UK and Global FinTechs

How AnyAccount Helps

At AnyAccount, our US team supports FinTech founders, MSBs and scaling payment companies with:

  • State and federal regulatory licensing strategy, including MSB, money transmitter and virtual-currency frameworks

  • Bank sponsorship readiness, programme governance and partner-bank compliance alignment

  • Technology market launches, including payments infrastructure, KYC/AML controls and onboarding flows

  • End-to-end MSB governance frameworks with operational playbooks, audit trails and vendor oversight models

  • Regulatory examinations preparation across FinCEN, state regulators and sponsor-bank reviews

If you want to avoid learning about regulatory gaps from a state examiner or a sponsor bank’s quarterly audit, speak to us. We help US FinTechs build compliant, scalable operating models that can withstand scrutiny from regulators, partner banks and investors.

When the New York Department of Financial Services (NYDFS) publishes new guidance, the global financial sector tends to pay attention — and for good reason. NYDFS regulates one of the world’s most significant financial markets, and its approach to cybersecurity, outsourcing and third-party risk has a habit of setting the tone internationally.

Its latest Industry Letter, issued on 21 October 2025, does not create new regulations, but it might as well have. In practice, this is the new benchmark for how New York expects firms to manage third-party service providers (TPSPs), and it is stricter, more prescriptive and more operationally detailed than the majority of global peers.

Even though the Letter only “clarifies” Part 500.11 of the NYDFS Cybersecurity Regulation, it sets out expectations that many firms — even well-resourced ones — will find challenging.

Let’s unpack the key points.

A Full Lifecycle Approach to Third-Party Oversight

NYDFS structures its expectations around the entire relationship lifecycle: how firms select vendors, how they contract with them, how they monitor them and how they offboard them. It is not reinventing outsourcing regulation — rather, it is raising the bar on execution.

The heart of the guidance is this:
TPSP oversight is not a paperwork exercise; it is a cybersecurity control in its own right.

NYDFS repeatedly warns against “check-the-box” behaviour. If a firm is relying on a TPSP, it must actually understand the risk — not simply gather questionnaires and store them in a folder no one looks at again.

What NYDFS Expects at Each Stage

While the Letter avoids imposing new mandatory rules, the expectations it sets out are detailed enough that many firms will treat them as de facto requirements.

Here is the one list worth pulling out:

  • Identification & Due Diligence:
    Before engaging a TPSP, firms must assess its access to systems and non-public information, review its cybersecurity maturity, understand how it manages its own subcontractors, and consider geopolitical or jurisdictional risks. Standard questionnaires are acceptable, but only if analysed by genuinely qualified personnel — not interns or automated scoring tools.

  • Contracting:
    NYDFS recommends clauses covering access controls, encryption at rest and in transit, breach notification timelines, data residency disclosures, and visibility over subcontractors. It also reinforces prior guidance on setting boundaries around TPSP use of artificial intelligence. In short, contracts must reflect the operational reality of modern risk, not the templates firms have been recycling since 2012.

  • Ongoing Monitoring:
    Periodic assessments should include SOC 2 or ISO 27001 attestations, vulnerability management updates, security training evidence and proof that previously identified issues have actually been fixed. NYDFS expects firms to escalate unresolved risks — not quietly tolerate them because the vendor is “critical to operations”.

  • Termination:
    Offboarding must include revoking identity federation, deleting or returning non-public information, ensuring backups or cached data are removed, and documenting the entire process. NYDFS signals that sloppy offboarding is a material regulatory concern, not an administrative afterthought.

All of this reflects a broader regulatory truth: third-party risk is often the weakest link in a firm’s cybersecurity posture, and regulators know it.

What This Means for US Financial Firms

NYDFS left little room for interpretation. If a financial institution operates in New York — or plans to serve New York customers — this is the standard it will be examined against. The Letter may not introduce new rules, but the expectations are clear enough that Covered Entities should treat them as operational requirements.

For US FinTechs, MSBs and bank-sponsored programmes, the implications are straightforward: third-party risk management must be evidence-driven, actively supervised and capable of withstanding regulatory scrutiny at any moment. Vendor files need to reflect real governance, not administrative formality.

And for firms looking to enter the US market, particularly those planning to obtain state licences or rely on sponsor banks, this level of operational discipline is not optional. NYDFS has made it clear that weak vendor oversight is a supervisory and enforcement concern — one that can affect licensing outcomes, partnership approvals and examination results.

In short, any company operating in or entering the US financial sector should expect NYDFS-style oversight to become the baseline standard across the country. Regulators tend to converge on the toughest benchmark, and today, that benchmark is unmistakably New York.
