Our Take: financial services regulatory update – October 10, 2025

  • October 10, 2025

Change remains a constant in financial services regulation

Read "our take" on the latest developments and what they mean.

FDIC and OCC propose rules on unsafe / unsound practices and reputation risk

What happened? On October 7th, the OCC and FDIC issued two proposals. One would define “unsafe or unsound practice” and revise the framework for the issuance of matters requiring attention (MRAs). The other would define “reputation risk” and prohibit it as a basis for regulators to criticize institutions.

How would the proposal define unsafe or unsound practice and change the framework for MRAs? With this proposal the agencies would:

  • Define “unsafe or unsound practice” as a practice, act, or failure to act that:
    • Is contrary to generally accepted standards of prudent operation, and either:
      • Has already materially harmed the institution’s financial condition,
      • Is likely to materially harm the institution’s financial condition if continued, or
      • Is likely to present a material risk of loss to the Deposit Insurance Fund (DIF) if continued.
  • Stipulate that the agencies can only issue MRAs when a:
    • Practice, act, and/or failure to act could reasonably be expected to become an unsafe or unsound practice under current or reasonably foreseeable conditions; or
    • An actual violation of a banking or banking-related law or regulation is identified.
  • Specify that a downgrade in an institution’s composite supervisory rating to less-than-satisfactory would generally only occur in connection with:
    • An MRA that meets the proposed rule’s standard, or
    • An enforcement action, including one based on the newly defined “unsafe or unsound practice.”

The proposal also provides that examiners may provide non-binding, non-enforceable supervisory observations but institutions are not required to track or remediate them unless elevated to an MRA.

What would the reputation risk proposal do? With this proposal the agencies would:

  • Define “reputation risk” as the risk that public perception could be negatively impacted for reasons unrelated to the current or future financial condition of the institution.
  • Codify the removal of “reputation risk” from their supervisory frameworks by prohibiting formal or informal criticism of an institution or employee based solely on perceived reputational concerns.
  • Prohibit the agencies from requiring or encouraging institutions to refuse, modify, or terminate business relationships based on political, social, cultural, or religious views or beliefs; constitutionally protected speech, or lawful but politically disfavored business activities.
  • Specify that adverse supervisory actions cannot be taken on the basis of reputation risk.
  • Prevent agencies from using BSA/AML or safety and soundness authorities as a pretext to act on perceived reputation risk.

What’s next? For both rules, the agencies have included a list of questions, including several relating to further defining terms used in the rules as well as several related to MRA closure (verification, validation, timing). Comments on both proposals are due 60 days after they are published in the Federal Register.

Our Take

MRAs may decline but risk will not

With a higher bar to issue formal findings, OCC and FDIC-supervised banks¹ could expect a significant decline in the volume of MRAs they receive – particularly those related to documentation gaps, governance mechanics, and other non-financial concerns. In addition, examiners may wait to issue MRAs until concerns are severe enough to quickly escalate into enforcement actions and ratings downgrades. While the proposal would raise the bar and narrow the focus of examiner-driven findings, effective management of many types of risks – such as weak cyber defences, operational resilience, insider threat, or sales misconduct – remains critical for financial institutions to maintain their profitability and franchise value. However, with potentially less focus from examiners, this change shifts more responsibility to firms to surface, prioritize, and address these risks through their own risk identification, risk assessment, and issue management processes. Given the increased scrutiny on financial impact, banks should consider refining processes that assess the potential cost impact of risk events to support prioritization and identify areas that may receive heightened supervisory attention. Overall, banks that have dedicated substantial staff and budget to MRA remediation would have a new ability to adjust their risk management strategies and redirect resources towards managing the risks they consider to be most material to their business.

Reputation risk is out of scope, not out of play

The formal elimination of reputational risk from policy represents a decisive shift in regulatory posture aimed at limiting examiner discretion and curbing perceived political overreach. For banks, this removes a longstanding, ambiguously defined basis for supervisory criticism and opens the door to recalibrating internal risk frameworks that had grown around examiner expectations. Institutions may revisit documentation and client onboarding policies that were historically shaped more by supervisory optics than by measurable legal or financial risk. But the reputational stakes themselves have not gone away. Examiners may no longer cite reputational risk, but scrutiny from lawmakers, the media, and the public over customer selection remains high. That scrutiny also includes the agencies themselves as they are now looking at customer acceptance decisions for signs of perceived “debanking” based on political or reputational concerns. Banks must still make and defend judgment calls through clear governance frameworks rooted in operational, legal, and compliance-based risk assessments.

Defining terms, but not ending discretion

Both the unsafe or unsound practice and reputation risk proposals reflect an effort to codify guardrails to supervisory standards that have historically been shaped by agency discretion and interpreted by courts. By setting regulatory definitions, the agencies aim to limit future policy reversals and reduce litigation risk. But even with these changes, key terms such as “prudent,” “material,” and “foreseeable” remain open to interpretation — which means examiners will still play a central role in defining their scope. In a post-Chevron environment with reduced deference to agency interpretation, the courts may ultimately still have the final word.

What’s the bottom line?

The proposals would narrow supervisory discretion and insulate current policy from future shifts in leadership. While banks would welcome fewer MRAs and clearer boundaries around reputation-based supervision, they and their stakeholders will have fewer early warnings from regulators and greater accountability for identifying and mitigating risk.

Gould comments on FDIC priorities

What happened? On October 7th, Comptroller of the Currency Jonathan Gould spoke on areas he intends to focus on in his capacity as an FDIC board member.

What are Gould’s focus areas? He commented on a number of areas, including:

  • Resolution execution capabilities: Gould distinguished between resolution "execution" and "planning," stating that execution is a core FDIC function while he questioned the efficacy and legality of resolution planning requirements. He called for increased transparency into how the FDIC handled the 2023 bank failures and said future improvements should be informed by those lessons.
  • Deposit insurance: Gould criticized the FDIC’s current approach to calculating insurance premiums as unclear and subject to litigation or gaming. He called for methodologies that are transparent, fair, and designed to reduce market distortions. He also argued that the FDIC’s approach to deposit insurance applications since the financial crisis has hampered new bank formation and advocated for a narrower, statute-based review process that is aligned across the agencies.
  • State preemption: Gould emphasized that preemption rights are not exclusive to national banks and called on the FDIC to more clearly support state banks when their federally granted authorities are challenged.
  • Bank funding: He described the funding and deposit categories used by the FDIC and OCC as being outdated and not having predictive value for managing liquidity risk.

Our Take

Back to basics

Gould’s first statement as an FDIC Board Member signals his intent to be an active voice in reorienting the FDIC toward a more disciplined, statutory framework. His emphasis on execution over hypothetical planning aligns with Acting Chairman Travis Hill’s broader push to strengthen the FDIC’s ability to conduct timely, market-based resolutions. Gould’s critique of resolution planning signals that relief could be on the table, particularly for regional and mid-size institutions. His nod to the need to revisit current approaches to liquidity risk also points to potential flexibility ahead for how supervisory models treat funding and deposit dynamics. Combined with calls for clearer premium assessments and a streamlined chartering process, Gould is pushing for a practical, back-to-basics regulatory posture. Institutions should expect a more statute-bound FDIC with less interpretive discretion and more transparency.

What’s the bottom line?

Gould is signaling a return to basics at the FDIC — prioritizing statutory clarity, execution over planning, and more transparent supervisory frameworks.

FinCEN issues Suspicious Activity Reporting (SAR) FAQ

What happened? On October 9th, the Financial Crimes Enforcement Network (FinCEN), together with the Federal Reserve, NCUA, and OCC, issued updated FAQs regarding SAR requirements and Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) obligations for financial institutions (FIs). The FAQs follow remarks from the Treasury Under Secretary for Terrorism and Financial Intelligence, John Hurley, on September 17th, in which he cited the growing complexity around the SAR filing process and the defensive filings by FIs that are “overwhelming the system with noise.”

What do the FAQs say? The FAQs clarify regulatory expectations for SARs on the following four topics:

  1. SAR filings for potential structuring-related activity: A FI is not required to file a SAR solely because transactions are near the $10,000 currency transaction reporting (CTR) threshold. Rather, SARs must be filed only when the institution knows, suspects, or has reason to suspect that transactions are structured to evade BSA reporting requirements.
  2. Continuing activity reviews: FIs are not required to conduct a separate review (manual or automated) after filing a SAR to check whether suspicious activity has continued.
  3. Timeline for continuing activity reviews: Although the prior FAQ clarified that continuing activity reviews are not required, FinCEN stated that financial institutions may continue to follow the 90/12 timeline for continued activity SAR filings, provided that all activity is captured within applicable SAR deadlines: Day 0: detection of facts that may constitute a basis for filing a SAR; Day 30: filing of initial SAR; Day 120: end of 90-day period; Day 150: filing of a SAR for continued suspicious activity.
  4. SAR non-filing documentation: There is no requirement under the BSA or its rules to document a decision not to file a SAR. However, FinCEN suggests a short statement is typically sufficient for most cases but more detailed documentation may be appropriate for complex investigations.

Our Take

Less box-checking – more focus on real risk

FinCEN’s new SAR guidance marks a positive shift toward risk-based compliance – reducing pressure to file defensively and enabling institutions to focus on activity that truly warrants scrutiny. At the same time, BSA/AML/CFT risk remains a critical supervisory priority – and one that could be linked to material financial impact under the FDIC and OCC proposal discussed above. FIs should therefore not take this as a signal to scale back their efforts in this domain but instead reallocate time and resources toward more strategic capabilities – including investments in automation, data analytics, and AI tools that enhance detection. Although there is no formal requirement to document SAR non-filings, supervisory scrutiny often hinges less on whether a SAR was filed and more on how the decision was reached – making it important for BSA/AML/CFT compliance leaders to assess when a brief note suffices and when a more defensible audit trail is warranted. For many FIs, the challenge will be aligning these FAQs to the “on the ground” expectations from examiners, the FFIEC BSA/AML Examination Manual, and even internal stakeholders such as internal audit. In addition, FIs that are currently remediating examiner-identified issues associated with documentation of non-filing decisions will need to reconcile those remediation efforts with these FAQs through discussions with their regulator(s) and examination teams before continuing to invest time and resources towards those efforts.

What’s the bottom line?

With reduced filing expectations, firms can shift SAR efforts toward higher-risk activity and strategic compliance investments.

NAIC meets with FEMA on flood insurance

What happened? On October 1st, members of the National Association of Insurance Commissioners (NAIC) met with members of the Federal Emergency Management Agency (FEMA) Review Council to discuss the future of the National Flood Insurance Program (NFIP).

What did they discuss? Among other topics, NAIC members discussed issues including:

  • Market stability and long-term NFIP reauthorization: State regulators emphasized that program stability is essential to maintaining consumer confidence and protecting communities exposed to flood risk. After 33 short-term NFIP extensions since 2017, most enacted through continuing resolutions, regulators renewed their call for a ten-year reauthorization to ensure long-term program stability. They argued that a durable renewal would give homeowners, lenders, and insurers the predictability needed to plan for resilient infrastructure and long-term capability improvements.
  • Private market growth: Regulators continued to advocate for a balanced expansion of the private flood insurance market to complement, not replace, the NFIP. Such growth, they noted, can expand consumer choice, foster market competition, and reduce taxpayers’ exposure to catastrophic losses. To achieve this, the NAIC has urged federal policy makers to allow private policies to qualify for continuous coverage under the NFIP; enhance data sharing among FEMA, insurers, and state regulators; and lift remaining barriers to private market participation, including limitations previously imposed by FEMA on Write Your Own (WYO) insurance companies.
  • Incentivized mitigation activities: Recognizing that sustainable affordability depends on reducing risk, not just redistributing it, regulators also called for strong incentive programs for homeowners and communities to invest in infrastructure resilience. This includes expanding premium discounts for properties built or renovated to meet higher construction standards, promoting state-led incentive programs, and creating parity in federal tax treatment for state-funded mitigation grants.

What’s next? Congress is currently debating funding measures that could extend NFIP operations through November 2025.

Our Take

A push for durable reauthorization

These priorities align closely with the NAIC’s prior correspondence with federal lawmakers and reinforce state regulators’ continued advocacy for a more resilient, data-driven, and consumer-centric flood insurance ecosystem. While the path towards reauthorization at the federal level remains uncertain, state regulators continue to frame these objectives as critical to strengthening market confidence, expanding coverage access, and ensuring that flood insurance remains a viable tool for consumers.

If momentum toward a multi-year reauthorization continues, insurers and policymakers should anticipate a shift toward sustained private-sector investment in flood insurance products, analytics, and mitigation initiatives, enabled by longer planning horizons and improved data transparency. A durable NFIP framework would provide the certainty necessary for innovation, new underwriting models, and risk-based incentives to take root across the market.

What’s the bottom line?

Momentum is building toward NFIP stability. Durable reauthorization and expanded private participation could reshape flood insurance, but execution will depend on federal follow-through and data-sharing frameworks.

On our radar

These notable developments hit our radar recently:

Fed issues FAQs on Regulation MM and mutual capital instruments. On October 8th, the Fed published staff FAQs to clarify requirements under Regulation MM for mutual banking organizations proposing to issue mutual capital instruments. In addition, the OCC commended the Fed for clarifying capital rules for mutual banking organizations and noted its recent approval of a new mutual capital certificate for a federal mutual savings association, the first in decades.

Fed to expand operating days for wholesale payments services. On October 9th, the Fed announced plans to expand operating days for the Fedwire Funds Service and National Settlement Service (NSS) to include Sundays and weekday holidays, beginning no earlier than 2028. Both systems currently operate Monday through Friday.

Leaders speak on community banking. On October 9th, at the Fed’s Community Bank Conference, Vice Chair for Supervision Michelle Bowman emphasized the need to recalibrate supervision for community banks, including revisiting fixed asset thresholds, streamlining the applications process, and revising the community bank leverage ratio to reflect risk and business model complexity. Treasury Secretary Scott Bessent used the same forum to preview a broad deregulatory agenda, including tailoring reforms, AML/CFT modernization, enhanced examiner accountability, and support for increased FDIC insurance limits on business accounts. He also suggested that the Administration’s plans to recalibrate risk-based capital requirements for large banks could be extended to smaller banks as well – particularly where current risk weights penalize low-risk activities like small business lending and community development. Speaking at a separate event, Fed Governor Michael Barr focused on long-term risks to community banks from nonbank competition and emerging technologies like AI, while warning that deregulation of large institutions could again leave smaller banks exposed to systemic fallout.

OCC announces actions to reduce burden for community banks. On October 9th, the OCC announced new guidance and proposed rules to reduce regulatory and supervisory burdens on community banks. The agency will eliminate fixed examination requirements and tailor exam scope and frequency based on risk, while clarifying that model risk management practices should match a bank’s size and complexity. The OCC proposed rescinding its Fair Housing Home Loan Data System rule and expanding eligibility for expedited licensing procedures.


¹ Fed-supervised banks would remain subject to a broader supervisory framework unless the Fed issues a similar proposal.
