{{item.videoDuration}}
{{item.title}}
{{item.text}}
{{item.videoDuration}}
{{item.text}}
Change remains a constant in financial services regulation
Read "our take" on the latest developments and what they mean.
Fed proposes changes to stress testing policy alongside models and scenarios
What happened? On October 24th, the Fed released:
- A proposal with amendments to the Stress Testing Policy Statement, Scenario Design Policy Statement, the as-of date for the stress test, and the FR Y-14 reporting forms;
- The proposed 2026 supervisory stress test scenarios;
- Comprehensive model documentation; and
- Proposed model changes for the 2026 cycle;
What is in the releases? Key points from the proposal and other releases include:
- Proposed amendments to stress testing policy:
- Annual notice and comment. The proposal would formalize the annual release of both stress test scenarios and full supervisory model documentation each year for public comment. To accommodate the notice-and-comment period, the proposal would move the stress test jump-off date from December 31st to September 30th. The annual timing would be as follows:
- September 30 - Stress test “jump-off” date (for balance sheet and risk data)
- October 15 - Publication of proposed stress test scenarios, draft model changes, model documentation for at least a 30 day period
- February 15 - Scenario finalization deadline (unchanged)
- April 5 - Capital plan submission deadline (unchanged)
- May 15 - Final supervisory model documentation publication deadline
- June 30 - Results release deadline (unchanged)
- Expanded scenario design guides. The proposal would expand the Fed’s use of “guides” — preset boundaries for scenario variables — beyond unemployment and housing prices to provide transparency into the range within which each variable can change.
- Reporting changes. The proposal includes targeted changes to FR Y-14 reporting, including eliminating certain data that is no longer used and reducing required supporting documentation.
- Annual notice and comment. The proposal would formalize the annual release of both stress test scenarios and full supervisory model documentation each year for public comment. To accommodate the notice-and-comment period, the proposal would move the stress test jump-off date from December 31st to September 30th. The annual timing would be as follows:
- Proposed changes to models for 2026 include:
- A new approach to pre-provision net revenue (PPNR) that fully replaces the current regression-based specifications with projections more tied to positions and business lines. These changes are estimated to reduce projected PPNR, thereby increasing capital depletion.
- An updated operational risk modeling approach that reduces losses and moves away from linking operational risk losses directly to the macroeconomic scenario.
- Changes to credit risk models, including simplifications, that reduce credit losses on average.
- Market risk changes including a reduction in the size of the shocks and lower total trading losses.
- Proposed 2026 scenario: The proposed 2026 scenario is largely consistent with prior years and is described as transitional ahead of broader scenario design changes. It includes a 5.5% increase in unemployment to a peak of 10%, a 29% decline in home prices and a 40% decline in commercial real estate values, and a 54% drop in equity prices.
- Supervisory model documentation: For the first time, the Fed published full documentation for the supervisory stress test models, including inputs, assumptions, calibration methods, limitations, and the rationale for model choices largely anchoring back to the principles the Fed published in 2019. The categories of models released are credit risk, PPNR, market risk, operational risk, and aggregation.
What’s next? Comments on the proposed 2026 stress test scenarios are due by December 1st, 2025 and comments on the policy amendment proposal, supervisory model documentation and proposed 2026 model changes are due by January 22nd, 2026.
Our Take
Reduced capital requirements through improved model calibrations
Model changes will reduce capital depletion by an average of 30 basis points across all firms, per the Fed’s analysis of the last two stress testing cycles, and scenario changes may further improve this result. The model changes are a major step in addressing many known, long-standing issues, especially related to PPNR, operational risk, and the calibration of the global market shock. That said, the distribution of the impact across the banks was not disclosed, and we expect variation in the impact across banks. In addition, these benefits may be eroded when Basel III endgame introduces standardized risk-weighted assets (RWA) for operational risk and the fundamental review of the trading book (FRTB) for market risk. Banks will need to carefully review the proposed changes alongside the Basel III endgame re-proposal, which could come as soon as the end of this year, to ensure they understand impact and advocate appropriately.
Greater transparency with benefits for the Fed and the banks
The breadth and depth of the materials provided will facilitate a meaningful public debate about the models and scenario specifications, which should lead to improved risk measurement. For the Fed, the releases address a longstanding criticism of the opacity of the stress testing regime and reduce the potential for further litigation. For banks, greater visibility into how the models translate inputs into projections will give them a clearer view of supervisory logic during capital planning as well as an opportunity to influence the design of the models and scenarios. Given that banks will approach this process with different views and priorities, each bank will need to present technically sound arguments that can gain traction both with the Fed and among peer institutions, as consensus will carry weight in shaping outcomes.
More restrictions and influence on annual scenarios
The expanded use of scenario variable guides will limit the year-to-year variability and severity of certain assumptions, making the scenarios more predictable and reducing the likelihood of outsized shocks in any single cycle. While banks would have the ability to provide feedback on proposed scenarios, the compressed timing and more prescriptive scenario framework will require banks to be selective and strategic in how they engage, with a greater emphasis on identifying outliers, calibration issues, and unintended interactions.
Long-awaited streamlining of the capital stress testing regulatory reporting requirements
The number of attributes required to be reported was reduced, though not to the extent many banks had hoped, as there would still be required data elements that the Fed does not currently use in their models. We expect further comments from the industry on how the reports can be further streamlined, particularly in areas like wholesale credit reporting.
What’s the bottom line? The Fed is instituting a new era of transparency in stress testing, with initial model and scenario changes opening the door to further influence and change as a feature of the regime. The precise extent of capital benefit will vary across banks, which will now begin the work of not just absorbing the newly transparent details of the Fed’s models, but participating effectively in shaping them.
Fed considering “skinny master accounts” for payments
What happened? On October 21st, Fed Governor Christopher Waller spoke at the Fed’s Payments Innovation Conference and revealed that the agency is exploring the idea of a “skinny master account,” which would provide “lower-risk” payments firms with access to the Fed’s payments rails.
What would the master account provide? While the potential new master account is in an exploratory stage and details may change, Waller suggested that skinny master accounts would only grant access to the Fed’s payment and settlement infrastructure and that the accounts would not pay interest, be eligible for discount window borrowing, and would potentially come with deposit limits at the Fed.
Which firms would be eligible for an account? Waller noted that the accounts would be available for all institutions that are legally eligible for a full master account, specifying that the accounts would be particularly beneficial for firms focused on payments innovation. Under the Fed’s 2022 guidelines, legally eligible firms include (1) insured depository institutions and insured credit unions, which receive a more streamlined review; (2) institutions that are not federally insured but are subject to supervision by a federal banking agency and have a bank holding company subject to Fed oversight, which receive an intermediate level of review; and (3) federal or state chartered non-federally insured institutions without a bank holding company, which receive the most stringent level of review. The proposed skinny master accounts would come with a more streamlined review process and faster approval timelines.
What’s next? Waller stated that the Fed will soon seek comments on a potential approach.
Our Take
Skinny master accounts create a wider door for crypto firms and fintechs
Waller’s announcement is welcome news for a growing group of fintechs and digital asset firms, which have largely had no choice but to rely on traditional bank partners for payments, adding cost, complexity and operational friction. In particular, the growing list of these firms that have recently applied or are planning to apply for OCC trust charters celebrating the announcement, as they would be classified as “tier 3 institutions” and likely face a very steep uphill battle to obtain a full master account. The “skinny master account” changes that equation, and if implemented it will further enhance the attraction of trust charters and other similarly narrower charters (e.g., FDIC-insured Industrial Loan Company charters, certain state charters) for innovative firms seeking payments infrastructure access tailored to their needs with a reduced compliance burden and more streamlined approval process.
More options for new entrants
While the potential “skinny master account” may be the sweet spot for some institutions, chartering decisions are not one-size-fits-all. As we have seen the OCC conditionally approve a de novo charter for a crypto-focused institution just last week, firms wishing to offer a broader set of banking services may still choose to pursue a full banking charter, which will require them to obtain the capital, liquidity and compliance infrastructure to meet the very high regulatory demands for a de novo charter. While a narrower charter combined with a skinny master account will come with a lesser degree of regulatory expectations than a full national bank charter, it will still be a heavy lift for many firms, especially smaller firms starting their compliance programs from scratch. As such, bank partnerships will remain the most viable path for some.
Payments competition to heat up
Regardless of chartering approach, the potential for a skinny master account will have a significant impact on competition in payments, with an estimated 25-30 firms likely to apply for an account within 12 to 24 months of its availability. With direct access to the Fed’s payment rails and without the constraints associated with bank partnerships, these firms will be able to provide more efficient services with lower fees – and we expect to see a surge of innovative new products and services. This will likely put pressure on banks to examine their own offerings to compete with new entrants and to evaluate how they can maintain and attract strategic partnerships with fintechs and crypto firms.
What’s the bottom line? A potential “skinny master account” will open the door for many crypto and fintech firms to access the Fed’s payments infrastructure. However, master account access and chartering options are not one-size-fits-all – and firms should now be assessing which path best suits their business models.
NYDFS issues industry letter on third-party cybersecurity
What happened? On October 21st, the New York Department of Financial Services (NYDFS) issued an industry letter on third-party risk management for entities covered by its Part 500 cybersecurity regulation.
What does the letter say? The letter does not introduce any new requirements but clarifies expectations for third-party cybersecurity oversight in light of noted outages and enforcement actions. The letter emphasizes that regulated entities remain “ultimately accountable” for third-party cybersecurity risk and may not delegate responsibility for compliance to vendors or affiliates. The guidance outlines specific practices firms should adopt throughout the third-party lifecycle:
- Due diligence: Firms are expected to assess third parties’ cybersecurity posture, financial stability, reputation, and exposure to geopolitical or legal risk. This includes evaluating the vendor’s controls over data access, segmentation, encryption, and how it manages subcontractors (“fourth parties”).
- Contracting: Agreements with third-party providers should include cybersecurity provisions such as multi-factor authentication, data encryption (at rest and in transit), incident notification timelines, and restrictions on data use and cross-border transfers. Contracts should also address disclosures related to AI usage and reserve the right to reject subcontractors handling sensitive systems or data.
- Ongoing monitoring and oversight: Firms should conduct periodic, risk-based assessments of third parties’ cybersecurity practices, incorporating security attestations (e.g., SOC 2, ISO 27001), penetration testing summaries, vulnerability remediation updates, and evidence of security awareness training. Escalation pathways should be in place for unresolved or material risks.
- Governance and accountability: Senior governing bodies and officers are expected to have sufficient understanding of third-party cybersecurity risks to provide credible oversight and challenge, as well as review policies and procedures at least annually.
- Termination: When offboarding a third-party provider, firms must disable access to information systems, revoke identity federation tools and integrations, and ensure secure return or verified deletion of data. Offboarding plans should define timelines and roles, document residual risk reviews, and retain audit logs to confirm that exit obligations were fulfilled.
What’s next? The final set of enforceable requirements under NYDFS’ Part 500 amendments take effect on November 1st, two years after the amendments were finalized. These include expanded multi-factor authentication (MFA) for all users accessing any information system and written asset inventories that track each asset’s owner, location, classification, support expiration, and recovery time objective.
Our Take
A blueprint for enforcement focus as final requirements take effect
With the final provisions of the Part 500 amendments taking effect November 1st, this industry letter offers institutions a timely opportunity to align with how DFS is likely to examine compliance with third-party oversight expectations already in force. While the letter doesn’t introduce new obligations, it clarifies what “good” looks like — and underscores that supervisory focus will fall on execution, not intent. Examiners are expected to probe whether firms have segmented vendor risk with precision, maintained complete and current inventories, and built contingency plans that can withstand scrutiny — not just in theory, but through tabletop or live simulation. Many institutions still struggle with subcontractor visibility, unclear vendor RTOs, or static oversight models that rely too heavily on attestations. Leading firms are raising the bar by embedding contingency readiness scoring, aligning tiering to business impact thresholds, and integrating vendor testing into enterprise resilience programs. Those that use this letter to pressure-test how their third-party programs perform — not just how they’re written — will be best positioned for what’s next.
What’s the bottom line? The letter underscores that effective third-party risk management means tested controls, actionable plans, and clear accountability for the financial institutions themselves.
Federal authorities focus on insider betting and illegal gambling
What happened? On October 23rd, federal authorities announced that more than 30 people, including professional athletes and mob-linked associates, were arrested by the FBI and the US Attorney’s Office as part of an investigation targeting illegal sports-betting and poker rings. The investigation contains two major schemes: one alleged insider sports-betting conspiracy exploiting confidential information and a separate but related rigged poker-game operation tied to organized crime families. In the sports‐betting scheme, authorities allege that an athlete provided non-public knowledge about team performance, including an incident when the player left a game early citing injury, while bets were placed on the same athlete’s underperformance.
Our Take
Financial institutions should stay alert for insider betting and illegal gambling
Focus on illegal gambling has emerged as a theme for the DOJ’s enforcement efforts, including the July 2025 indictment of an athlete charged with running illegal high-stakes poker games. Financial institutions may be unwittingly providing services linked to these activities and should consider the following steps:
- Reassessing due diligence practices, including evaluating how their existing onboarding processes and risk rating approaches – particularly for high-profile individuals that may have access to non-public, market-sensitive information – could be enhanced to provide a clearer picture of expected activity without over-targeting specific groups.
- Enhancing transaction monitoring and analytics to integrate typologies related to insider betting and illegal gambling. This may include monitoring for correlations between transactions and major public events – particularly cash transactions that may suggest participation in illegal activity.
- Expanding cross-functional and external intelligence sharing. Internal coordination among AML, fraud, insider risk, and private banking teams – coupled with external engagement with leagues, legal gaming operators, industry groups, law enforcement, and other institutions under Section 314(b) frameworks – can improve early detection and disruption of illegal betting-related schemes.
What’s the bottom line? As federal authorities continue to focus on insider betting and illegal gambling, financial institutions should take steps to make sure they aren’t unwitting participants.
OFAC issues new Russia sanctions
What happened? On October 22nd, OFAC imposed new sanctions on Russia’s energy sector, targeting Russia’s two largest oil companies: (1) Open Joint Stock Company Rosneft Oil Company (Rosneft), including 28 named subsidiaries; and (2) Lukoil OAO (Lukoil), including 6 named subsidiaries.
What changed? Following Russia’s initial invasion of Crimea in 2014, both Rosneft and Lukoil have been subjected to sanctions from the US and its partners, and sanctions have continued to tighten as Russia expanded its aggression in Ukraine. In addition to a US ban on Russian oil imports and the G7’s Russian oil price-cap, OFAC has previously restricted Rosneft and Lukoil’s access to financing via sectoral sanctions. Both companies are also impacted by export controls designed to restrict their access to technology, constraining Russia’s oil sector development.
This week’s designation of Rosneft, Lukoil, and 34 combined subsidiaries results in the blocking of all property and interests in property located in the US or possessed or controlled by a US person and must be reported to OFAC. Additionally, all entities owned 50 percent or more, directly or indirectly, by Rosneft and Lukoil are blocked even if not designated by OFAC.
Why are sanctions on Russia increasing now? The substantial escalation in Russia sanctions is in response to “Russia’s lack of serious commitment to a peace process to end the war in Ukraine.” By focusing on Russia’s two largest oil companies, the United States is hoping to restrict the funding of Russia’s war on Ukraine and to bring the Kremlin to the negotiating table.
Our Take
Rosneft and Lukoil's designation creates sanctions risks for non-US financial institutions.
Despite the US ban of Russian oil imports and the G7’s Russian oil price-cap, Russia maintained substantial export volumes with countries less affected by Western restrictions and increasingly uses third countries to evade sanctions. Although foreign financial institutions (FFIs) are not within OFAC's jurisdiction, those that transact with the newly-blocked entities run the risk of “secondary sanctions,” which would cut them off from the US financial system. In response, FFIs should assess their exposure to activity involving Rosneft and Lukoil, including their subsidiaries in countries that typically deal with Rosneft and Lukoil. Activities should include screening transactions, customers and counterparties; assessing customers to determine exposure; communicating compliance expectations to customers; and obtaining attestations from high-risk customers not to deal with Rosneft or Lukoil.
US persons should reassess their exposure to the Russian oil giants
Generally, US institutions have established comprehensive compliance frameworks to effectively respond to the extensive Russia sanctions programs. Although these compliance programs are expected to address the new OFAC sanctions, the blocking designation of major Russian oil companies presents risks that may require monitoring. Due to the global presence of these companies, all firms should perform enhanced due diligence to identify any subsidiaries that are owned 50% or more by Rosneft, Lukoil, or the listed subsidiaries. US financial institutions should also assess any exposure to securities of Rosneft and Lukoil, which are now blocked and required to be formally reported to OFAC, and any exposure to Lukoil retail gas stations.
What’s the bottom line? New sanctions on Russia’s energy sector means that foreign financial institutions should evaluate potential exposure to avoid secondary sanctions, and US firms should assess whether they are exposed to any new risks.
On our radar
These notable developments hit our radar recently:
SEC Chair Atkins responds to questions about modernizing communications. On October 21st, SEC Chairman Paul Atkins commented on concerns outlined in an October 15th letter from the SIFMA urging modernization of record-keeping rules after more than 90 cases and $2.2 billion in penalties. Atkins said the agency should focus enforcement on genuine investor harm. In response to other questions, Atkins expressed support for electronic delivery of investor disclosures and private assets within 401k plans (within reason).
Senators introduce bill to modernize Bank Secrecy Act reporting. On October 21st, Senate Banking Committee Chairman Tim Scott (R-SC) and Senator John Kennedy (R-LA) introduced the STREAMLINE Act, which would raise reporting thresholds for currency transaction reports (CTRs) and suspicious activity reports (SARs) under the Bank Secrecy Act for the first time since 1970. The bill increases CTR thresholds from $10,000 to $30,000 and SAR thresholds from $2,000–$5,000 to $3,000–$10,000, with future inflation adjustments every five years.
Fed and FDIC release resolution plan summaries for large banks. On October 23rd, the Federal Reserve and FDIC released the public sections of resolution plans for 15 large banking organizations, including five U.S. firms and 10 foreign banks. These plans outline strategies for the orderly resolution of each firm under bankruptcy in the event of financial distress. The sections released also included a public summary of Capital One’s interim resolution plan update following its acquisition of Discover, with a full plan due July 1, 2026.
Basel III monitoring exercise shows higher capital ratios for large banks. On October 23rd, the Basel Committee on Banking Supervision reported that risk-based capital ratios for large internationally active banks increased in the second half of 2024, while leverage ratios and the Net Stable Funding Ratio (NSFR) remained stable. The Liquidity Coverage Ratio (LCR) declined slightly to 134.8%, with three banks below the 100% minimum.
Our Take
Rosneft and Lukoil's designation creates sanctions risks for non-US financial institutions.
Despite the US ban of Russian oil imports and the G7’s Russian oil price-cap, Russia maintained substantial export volumes with countries less affected by Western restrictions and increasingly uses third countries to evade sanctions. Although foreign financial institutions (FFIs) are not within OFAC's jurisdiction, those that transact with the newly-blocked entities run the risk of “secondary sanctions,” which would cut them off from the US financial system. In response, FFIs should assess their exposure to activity involving Rosneft and Lukoil, including their subsidiaries in countries that typically deal with Rosneft and Lukoil. Activities should include screening transactions, customers and counterparties; assessing customers to determine exposure; communicating compliance expectations to customers; and obtaining attestations from high-risk customers not to deal with Rosneft or Lukoil.
US persons should reassess their exposure to the Russian oil giants
Generally, US institutions have established comprehensive compliance frameworks to effectively respond to the extensive Russia sanctions programs. Although these compliance programs are expected to address the new OFAC sanctions, the blocking designation of major Russian oil companies presents risks that may require monitoring. Due to the global presence of these companies, all firms should perform enhanced due diligence to identify any subsidiaries that are owned 50% or more by Rosneft, Lukoil, or the listed subsidiaries. US financial institutions should also assess any exposure to securities of Rosneft and Lukoil, which are now blocked and required to be formally reported to OFAC, and any exposure to Lukoil retail gas stations.
What’s the bottom line? New sanctions on Russia’s energy sector means that foreign financial institutions should evaluate potential exposure to avoid secondary sanctions, and US firms should assess whether they are exposed to any new risks.
Our Take: financial services regulatory update – October 24, 2025
{{filterContent.facetedTitle}}
{{contentList.loadingText}}
{{contentList.loadingText}}
Follow us
