Insights from the Capital One Outage on Managing Third-Party Risks

When it comes to a financial institution’s reputation, few things are more critical than the customers’ confidence that their accounts are readily available. Many institutions rely on third-party providers to perform critical processes, including hosting and maintaining the financial systems used to manage customer accounts.
Although financial institutions frequently attempt to shift operational risks to third parties, customers who encounter account access issues often hold the financial institution responsible. The ownership of risk ultimately rests with the institution. In this situation, the average customer sees the logo of the financial institution, and from the customers’ perspective, the financial institution is withholding their money.
On January 15, 2025, thousands of Capital One customers reported outages in the institution’s online banking platform. The outage lasted five days, and users were unable to complete transactions or view accurate account balances. The disruption in Capital One’s online services was caused by a power outage at a critical third-party vendor partially responsible for hosting Capital One’s online banking platforms. During the outage, customers were not able to access their accounts until the vendor restored operations. Although the timeline of service restoration was not within Capital One’s control, the institution experienced the largest share of reputation loss due to the incident.
What Can Financial Institutions Do to Reduce Risk Exposure?
While financial institutions cannot ensure round-the-clock availability of third-party services, outsourcing critical processes remains a key strategy for staying competitive in the digital era. Implementing comprehensive risk assessment, disaster recovery, business continuity and due diligence measures enables institutions to minimize the effects of service disruptions and address customer dissatisfaction effectively.
There are several immediate steps institutions can take to identify potential points of failure and reduce exposure, including:
- Technology self-assessments and risk assessments: Businesses should identify vendor dependencies, specifically those related to technology that supports critical processes, and quantify their significance to operations. It’s also important to define clear service-level agreements (SLAs) with critical vendors to align with expected uptimes and incident response times in the case of service loss.
- Disaster recovery and business continuity: Establish responsibilities to restore service in the event of disruption and perform periodic simulations to validate the institution’s disaster recovery capabilities. Recovery-time objectives (RTO) and recovery-point objectives (RPO) should be defined for each information system, along with escalation, communication and contingency plans for use in the event of disruption.
- Vendor due diligence: Select critical vendors after gaining confidence in the vendors’ ability to support the institution. You may also perform periodic due diligence over vendors responsible for supporting critical processes.
- Third-party risk management oversight: Risk cannot be outsourced. Management should obtain and review assurance reports (like SOC 1s and SOC 2s) and evaluate key attributes, including questions like:
  - Are the subject matter and commitments relevant to the outsourced activity?
  - Are there gaps in the testing or findings that are impactful to the organization?
  - Is the report issued by an experienced, qualified and reputable firm?
- Periodic compliance auditing: It’s important to perform periodic audits against regulatory guidelines (i.e., FFIEC information technology examination handbooks) including evaluation of the institution’s risk assessment, business continuity management and vendor management practices.
Contact us to learn how Weaver can boost your institution’s confidence in its risk assessment, business continuity, disaster recovery and vendor management practices.
Authored by Chris Keller
©2025