Our Take: financial services regulatory update – December 19, 2025

December 19, 2025

Change remains a constant in financial services regulation

Read "our take" on the latest developments and what they mean.

Fed continues pro-innovation chartering and payments account push

What happened? The following events took place over the last week related to bank charters and Fed master account access:

On December 15^th, PayPal Holdings announced that it submitted applications to the FDIC and the Utah Department of Financial Institutions for an industrial loan charter (ILC) to create PayPal Bank. The announcement states that PayPal Bank plans to use the charter to provide lending services directly to small businesses and offer interest-bearing deposit accounts.
On December 17^th, the Fed replaced 2023 guidance that said state-chartered banks that do not have deposit insurance are limited to the same novel activities, including crypto-related activities, that are permissible for other banks supervised by federal banking agencies. The new statement provides that state member banks may be permitted to engage in activities that are impermissible for other banks, which would “create a pathway for responsible, innovative products and services.”
On December 19^th, the Fed requested input on a potential “payment account” tailored to firms seeking access to the Fed’s clearing and settlement services. The potential payment account (also known as a “skinny master account”) has been mentioned in speeches by Fed Governor Christopher Waller over the past several months.

What does the Fed’s request for input contain?

Limitations of the payment account. Consistent with Governor Waller’s previous remarks, the accounts would not receive interest; would not be eligible for discount window lending or intraday credit; and would be subject to a low overnight balance limit. Payment accounts would also not be eligible for Fed ACH or check services, and any transactions resulting in an overdraft would be rejected.
Review process. Banks that are interested in receiving a payment account would apply with the relevant Reserve Bank, which would evaluate the application under the existing guidelines for master account access. Payment account applications would receive an answer within 90 days.
Specific questions. The request for input contains a set of questions around issues including (1) whether a proposed overnight balance limit set at the lesser of $500 million or 10% of the Payment Account holder’s total assets is appropriate; (2) benefits and drawbacks of not paying interest on overnight balances; (3) anti-money laundering and counter-terrorist financing controls.

What’s next? The Fed’s request for input will be open for 45 days following publication in the Federal Register. The rescission of the 2023 guidance is effective immediately.

Our Take

As chartering pathways expand, so do strategic considerations

The federal banking agencies are wrapping up 2025 by checking more items off the wish list of innovative firms seeking to enter the traditional banking world. As these new entrants plan their strategies, they will need to consider which charters and which forms of Fed account access aligns best with their business models:

The national trust charter continues to be an attractive route for many firms as it would allow them to issue stablecoins and provide custody services without being required to form a Bank Holding Company or obtain FDIC insurance. And this week’s formal articulation of “skinny” payments accounts presents the possibility of a faster track for such firms to receive access to the Fed’s payment rails.
State charters have now become another viable route for many firms following the Fed’s rescission of the 2023 guidance, which was cited in previous rejection letters for master account access for state-chartered banks without FDIC insurance.
The FDIC’s ILC charter requires applicants to obtain FDIC deposit insurance which comes with high regulatory expectations and legal requirements, but as evidenced by PayPal’s application it remains an attractive option as it would allow for deposit-taking and lending without having to form a Bank Holding Company.

In addition to evaluating chartering options, firms that meet the eligibility for a Fed account will need to consider whether the narrower payments account would suffice considering the restrictions and limitations set forth in the Fed’s request for information. While the payments account may be a viable path for Tier 3 applicants that operate a narrow payments business, firms that need the more robust services of a full master account may opt to explore applying for Fed membership to elevate their application into the Tier 2 category, despite the additional regulations and supervision that would not otherwise apply.

Looking ahead to 2026, the environment could not be better for fintechs and payments firms to compete in areas that have historically been limited to traditional banks. However, regardless of charter selection and deciding between payment account and master account, those hoping to take advantage of the current environment’s open door to chartering and innovation need to be prepared to demonstrate their ability to meet the agencies’ expectations around capital, liquidity, governance, risk management, and BSA/AML compliance.

Fed releases large bank supervision manual

What happened? On December 18^th, the Fed released a redacted version of its Large Institution Supervision Coordinating Committee (LISCC) Program Operating Manual, dated April 21, 2025.

What does the manual say? The manual describes how the Fed supervises the largest and most systemically important banking organizations through:

Program governance: The manual outlines the roles and responsibilities of the LISCC and its Operating Committee, portfolio programs, Dedicated Supervisory Teams, and related leadership bodies as well as responsibilities across these groups.
Supervisory planning: It describes the annual supervisory planning process, including how supervisory priorities are set, how mandatory and discretionary supervisory events are proposed and approved, and how plans may be adjusted during the cycle.
Supervisory events: The manual defines examination, horizontal, monitoring, risk assessment, and topical study activities, and sets out standardized phases for supervisory events including preparation, execution, conclusion, and follow-up, along with required artifacts and internal approvals at each stage.
Documentation and communication: It specifies required supervisory products such as scope memoranda, entry letters, examiner and examiner-in-charge conclusion memoranda, supervisory letters, and meeting records, along with timing, approval, and recordkeeping expectations.
Issue management: The manual details how supervisory issues, including Matters Requiring Attention (MRAs) and Matters Requiring Immediate Attention (MRIAs), are identified, vetted, tracked, verified, and closed, including the use of remediation verification events.
Oversight and quality control: The manual outlines internal quality control and quality assurance processes, including escalation pathways and procedures for documenting and resolving divergent supervisory views.

What’s next? The Fed said it expects to publish additional manuals early next year, including those covering the large bank operating committee, capital and liquidity planning, recovery and resolution planning, the large bank rating program, enforcement actions, and the large bank risk identification system. It will also update the recently released manual to reflect the program’s name change (to GSIB supervision) and the Fed’s new supervisory operating principles.

Our Take

Transparency now, fuller relevance later

While this release heralds a new era of supervisory transparency for the Fed, it has limited practical impact as it largely reflects supervisory structures and processes that predate recent changes to the Fed’s supervisory principles and organization. The manual’s significance will increase once it is updated to reflect those changes, at which point this document will serve as a useful point of comparison for how supervisory operations, escalation, and issue management have evolved. Even in its current form, however, the manual provides insight into how supervision has been structured and managed internally. In doing so, it could help firms reconcile messages across teams, understand why workstreams appear to overlap, and identify where questions about scope, timing, or follow-up are most appropriately directed. The manual is also informative in explaining how supervisory conclusions are shaped internally. By laying out the internal vetting, quality control, and escalation steps that occur beyond the supervisory team, it helps explain why responses may take time and why issue framing can shift as matters move through review.

OCC publishes semiannual risk perspective

What happened? On December 16^th, the OCC released its Fall 2025 Semiannual Risk Perspective (SARP), outlining the agency’s assessment of key risks facing the federal banking system as of mid-2025.

What risks does the OCC highlight and how have they changed? Overall, the OCC continues to characterize the federal banking system as resilient, with strong capital, stable funding, and improved earnings performance. It outlines risks including:

Credit, market and liquidity risk. Credit risk is described as manageable, with continued attention on commercial real estate concentrations, particularly multifamily and certain office portfolios. Relative to the Fall 2024 SARP, the latest discussion refers more to institution- and market-specific pockets of risk than broad-based deterioration. Compared with Spring 2025, refinance risk receives less prominence, with greater emphasis on underwriting discipline and borrower differentiation. Market and liquidity risk remain a focus, though the OCC notes improved liquidity positioning and more stable deposit behavior relative to Spring 2025, when unrealized securities losses, deposit competition, and rate uncertainty featured more prominently.
Operational risk, including cybersecurity and fraud. Operational risk remains elevated. The Fall 2025 SARP expands its cyber discussion to include foreign state-sponsored actors and geopolitical threats, moving beyond the ransomware and third-party outage focus emphasized in prior reports. Fraud continues to be highlighted, with an increased focus on payments system integrity, operational resilience, and interagency coordination.
Innovation and technology. The Fall 2025 SARP includes a new special topic on federal banking system innovation, covering artificial intelligence, payments modernization, and digital assets as increasingly relevant strategic considerations for banks. Notably, the OCC suggests that insufficient investment in technology may present longer-term business and risk management challenges.
Consumer compliance and fair lending. Following related announcements over the course of the year, the OCC confirms that its fair lending supervision no longer includes disparate impact analysis and introduces a discussion of politicized or unlawful debanking, describing supervisory steps to ensure customer access to banking services.

Our Take

Innovation is shifting from cautiously permitted to OCC-encouraged

The Fall 2025 SARP reflects a clear change in the OCC’s posture toward innovation which has shifted from something banks can pursue with caution to a promoted imperative. This shift is consistent with the OCC’s broader efforts to enable bank participation in digital asset-related activities through the rescission and clarification of prior guidance as well as the Administration’s broader emphasis on growth and competitiveness. At the same time, the OCC’s continued focus on cybersecurity, fraud, and operational resilience underscores the agency’s recognition that these risks remain significant and are evolving alongside increased digitalization and reliance on complex technologies and third parties. Even as the OCC proposes to focus the issuance of MRAs more squarely on material financial risks, these operational risk areas appear to be where weaknesses are most likely to emerge and where risk management failures could translate quickly into financial impact. In line with the OCC’s warning on the risks of outdated systems – including those associated with fraud, cybersecurity, and operational resilience – banks should continue to advance modernization and engagement with new technologies. That said, adhering to risk management standards, particularly those for technology change management and engaging with third parties, will be critical for maintaining safe and sound operations when engaging in any innovation.

White House issues EO challenging state AI rules as Florida announces AI bill of rights

What happened? On December 11^th, President Trump signed an Executive Order (EO) directing federal agencies to pursue a uniform, minimally burdensome national approach to AI and to identify and challenge state AI laws viewed as inconsistent with federal policy.

Separately, on December 4^th, Florida Governor Ron DeSantis announced the proposal of an Artificial Intelligence Bill of Rights outlining consumer protections.

What does the EO do? The EO reflects the Administration’s view that state-by-state AI regulation creates compliance burdens, threatens interstate commerce, and slows innovation. To address this, the EO directs a series of federal actions, including:

Federal review of state AI laws: It directs the Department of Commerce to evaluate existing state AI laws and identify those considered onerous or inconsistent with the EO’s policy objectives.
DOJ litigation: The EO directs the Department of Justice to create AI Litigation Task Force charged with challenging certain state AI laws on constitutional, preemption, or other legal grounds.
Federal agency policies: The EO directs the FTC to issue a policy statement addressing AI-related unfair or deceptive practices and the FCC to consider whether to initiate a federal AI reporting and disclosure standard.
Legislative pathway: It calls for Congress to consider legislation that could expressly preempt conflicting state AI laws while carving out areas such as child safety, state procurement, and data center infrastructure.

What is in the Florida proposal? The proposed AI Bill of Rights would require disclosures when consumers interact with AI, restrict the use of an individual’s name, image, or likeness without consent, reenact and expand protections against deepfakes and explicit AI-generated content, impose data privacy safeguards, and limit the use of AI to provide licensed professional services. There would be specific provisions for insurance companies that would prohibit AI from being used as the sole basis for adjusting or denying a claim and require insurers that use AI in claims handling to disclose that use and allow the Florida Office of Insurance Regulation to review AI models for compliance with unfair insurance trade practice laws. When discussing the impact of the EO on the proposal, Governor DeSantis expressed his view that EOs cannot pre-empt states and “we have a right to do this.”

What’s next? The deadline for the AI Litigation Task Force is January 10^th, 2026; the deadline for the Commerce Department evaluation of state AI laws and related FTC policy statement is March 11^th, 2026. The FCC then needs to initiate a proceeding on a federal AI reporting and disclosure standard within 90 days after the Commerce Department’s evaluation is released.

Our Take

Questions on application vary across financial institutions

For nationally chartered financial institutions, the EO is unlikely to materially affect their use of AI as applied to the fundamental business of banking given the well-established preemption of state requirements by federal banking law. By contrast, the implications are more complex for state-licensed organizations like insurance companies, where state authority has long been preserved under the McCarran-Ferguson Act of 1945, a federal statute providing that state laws regulating the business of insurance are not preempted by federal law unless Congress clearly and expressly provides otherwise. Because the EO does not not address McCarran-Ferguson or resolve that allocation of authority, insurers remain subject to state-led regulation of AI use in underwriting, claims handling, pricing, and consumer interactions unless Congress acts directly.

Insurers continue to face active state-led oversight of AI use

State legislative activity makes clear that AI governance requirements for insurers are continuing to advance independently of federal policy debates. Colorado has moved ahead with requirements that apply its algorithmic discrimination framework to insurance underwriting, pricing, and claims decisioning, signaling sustained regulatory focus on how automated tools affect consumer outcomes. Florida’s proposed AI Bill of Rights reflects a similar willingness to assert state authority, pairing broad consumer protections with insurance-specific limits on AI use in claims handling and explicit rejection of the view that federal AI policy constrains state action. Taken together, these developments reinforce that insurers should plan for continued, and potentially divergent, state-led oversight of AI usage. In practical terms, firms should expect ongoing scrutiny of AI use across claims adjudication, underwriting, and customer interaction and continue strengthening governance frameworks that support explainability, clear documentation of model purpose and limitations, appropriate human oversight for material decisions, and monitoring for bias or unintended outcomes.

On our radar

These notable developments hit our radar recently:

FDIC and CFTC leaders confirmed. On December 18^th, the Senate confirmed Michael Selig as Chairman of the CFTC and Travis Hill to lead the FDIC for a five-year term.

FDIC establishes GENIUS Act application procedures. On December 16^th, the FDIC approved application procedures for firms seeking to issue stablecoins under the GENIUS Act. The procedures reflect those required by the GENIUS Act, and the FDIC is expected to release a proposal around prudential requirements and other risk management expectations in early 2026.

NIST releases preliminary draft of Cyber AI Profile for public comment. On December 16^th, NIST’s National Cybersecurity Center of Excellence published a preliminary draft of its Cybersecurity Framework Profile for Artificial Intelligence, which is intended to help organizations adopt AI while prioritizing cybersecurity risks. The draft outlines guidance across three focus areas: securing AI system components, using AI for cyber defense, and mitigating AI-enabled cyber attacks. NIST is accepting comments through January 30, 2026 and will host a public workshop on January 14, 2026 to discuss the draft and provide updates on related AI security control overlays.

GAO reports that Federal Home Loan Banks provided stable liquidity to members during recent periods of financial stress. On December 5^th, GAO released an analysis of FHLBank borrowing from 2015 through June 2025, finding that the system remained a consistent funding source for banks of all sizes, including during the 2020 pandemic and the March 2023 liquidity episode. GAO found that increased FHLBank borrowing, primarily among small banks, was associated with higher real estate lending and lower likelihood of failure or problem-bank designation.

CFTC finalizes rule revising swap dealer business conduct and documentation requirements. On December 18^th, the CFTC approved a final rule that codifies long-standing staff no-action positions related to business conduct and documentation obligations for swap dealers and major swap participants. The amendments align CFTC requirements more closely with SEC and MSRB rules and are intended to reduce duplicative compliance burdens and resolve regulatory uncertainty. The CFTC also issued a related no-action letter updating relief for certain UK trading facilities in light of the new rule.

Senators introduce bipartisan bill to strengthen federal response to cryptocurrency fraud. On December 15^th, Senators Slotkin and Moran introduced the SAFE Crypto Act, which would establish a federal task force to coordinate Treasury, law enforcement, financial regulators, and private-sector experts in combating crypto-related scams. The task force would support local law enforcement, improve public awareness of digital asset fraud risks, and provide Congress with recurring updates on emerging threats and enforcement activity.

OCC and FDIC clarify supervisory expectations for insider lending rules under Regulation O. On December 12^th, the agencies issued a statement confirming they will not take action against banks that extend credit to certain fund complex-controlled portfolio companies that would otherwise be treated as insiders, provided specified conditions are met. The statement also provides reporting relief under FDIC Part 363 and will remain in effect until the Fed finalizes amendments to Regulation O to address this issue. The statement rescinds prior OCC guidance and applies to community banks subject to Regulation O.

FSB reports continued expansion of global nonbank financial intermediation and ongoing vulnerabilities. On December 16^th, the Financial Stability Board released its 2025 Global Monitoring Report showing that NBFI assets grew 9.4% in 2024 to represent 51% of global financial assets. The report highlights strong growth across investment funds and other financial institutions and presents new granular data on wholesale funding and finance company lending. It also includes a case study on bank–NBFI interconnectedness that identifies key channels of funding, credit, and securities exposures and notes persistent data gaps in private finance and cross-border reporting.

OCC files amicus brief urging full Tenth Circuit review of interest rate ruling. On December 12^th, the OCC filed an amicus brief arguing that a recent Tenth Circuit decision allowing Colorado to enforce its interest rate cap on loans made by state-chartered banks undermines the federal interest rate framework for state-chartered banks and creates competitive disparities relative to national banks.

CFTC finalizes rule streamlining swap dealer business conduct and documentation requirements. The CFTC approved a final rule revising swap dealer and major swap participant business conduct and documentation requirements, largely codifying long-standing staff no-action relief and aligning CFTC requirements more closely with SEC and MSRB rules. The amendments are intended to remove duplicative documentation, reduce compliance costs, and resolve regulatory uncertainty.

¹_{The Fed has a three-tiered framework for reviewing applications for master account access. Tier 1 institutions are those with FDIC insurance and receive a streamlined level of review. Tier 2 institutions are not federally insured but are subject to review by one of the federal banking agencies and, if chartered under federal law, have a holding company subject to Fed oversight. Tier 3 includes all other eligible institutions, which receive the strictest level of review.}