Strengthening Source Code Escrow: Regulatory Authorities Unveil Updated Third-Party Risk Management Guidelines for US Banking Institutions

In an ever-evolving financial landscape, banks and financial institutions in the United States are increasingly relying on third-party partnerships to enhance their services and remain competitive. However, these partnerships also expose them to potential risks and vulnerabilities.

To safeguard the stability of the financial system and protect consumers, regulatory agencies in the US, including the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve Board (FED Board), released revised guidelines in June this year for third-party risk management, notably consideration to establish source code escrow agreements when a banking organisation purchases software so access is available to source code and programmes under certain circumstances such as insolvency of the third-party.

In this blog, we explore the significance of these guidelines and the pivotal role that source code escrow agreements play in safeguarding the interests of US banking institutions.

Key elements of the revised guidelines

The OCC, FDIC, and FED Board’s revised guidelines mark a significant step towards strengthening the US banking sector’s risk management practices. Released as a comprehensive update to replace their previous guidance, the new guidelines have a wide-ranging scope, encompassing all National Banks & Federal Branches and Agencies, Trust Banks, Federal Savings Associations, and Banking as a Service (BaaS) providers.

The guidance addresses risk-based management practices for each stage in the life cycle of third-party relationships, including:

1. Planning. Allows financial institutions to evaluate and consider how to manage risks before entering into a third-party relationship.

2. Enhanced Due Diligence. The guidelines highlight the importance of rigorous due diligence while selecting third-party partners. Banks are now required to thoroughly assess the financial stability, regulatory compliance history, reputation, and ability of service providers to meet the bank’s requirements effectively.

3. Robust Contractual Agreements: The guidelines underscore the significance of well-structured contractual agreements with third-party partners. These agreements must outline clear responsibilities, obligations, and liabilities of both parties. Additionally, the contracts must include provisions for source code escrow agreements.

4. Ongoing Monitoring. Regular and continuous monitoring of third-party relationships is now a crucial aspect of risk management practices. Banks are expected to establish mechanisms for evaluating service providers’ performance on an ongoing basis and promptly addressing any emerging issues.

5. Termination. It is important for these relationships to be terminated in an effective manner, whether the activities are discontinued, brought in-house or transitioned to another third party. 

The Rise of Source Code Escrow Agreements in the US

Among the noteworthy changes in the revised guidelines is the emphasis on including source code escrow agreements as part of the contractual arrangements with third-party software-based providers. Source code escrow agreements act as an additional layer of protection, ensuring that US banking institutions can continue to access critical software solutions and protect themselves from potential third-party supplier risks in case of unforeseen events such as the bankruptcy or insolvency.

By depositing the source code and other essential materials with a trusted third-party escrow vendor, source code escrow agreements offer US banking institutions a contingency plan. If the software provider fails to fulfil its obligations or experiences financial difficulties, the source code escrow vendor releases the deposited materials to the bank, allowing them to maintain business continuity and minimise disruptions to their operations.


The release of the revised third-party risk management guidelines by the OCC, FDIC, and FED Board reflects the commitment to safeguarding the US banking sector against potential supply-chain risks. These guidelines set a robust foundation for secure and responsible third-party partnerships. The inclusion of source code escrow agreements further strengthens this foundation by providing US banks with robust continuity plans in the face of unforeseen circumstances.

As US banking institutions increasingly embrace third-party collaborations, adhering to the revised guidelines and implementing source code escrow agreements will not only enhance risk management practices but also foster long-term stability, trust, and resilience in the financial industry.


About Escrow London North America

Escrow London North America is a global software and SaaS escrow company headquartered in Atlanta, GA with offices in London, UK, and Sydney, Australia.

We have invested considerable resources into innovation to reinvent source code escrow for a SaaS world. Escrow London provides a range of SaaS Continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major law firms, banks, central banks, insurance companies, technology companies and government organisations.

To find out more about Software Escrow and SaaS Escrow, visit our YouTube channel