Our Take: financial services regulatory update – August 15, 2025

August 15, 2025

Change remains a constant in financial services regulation

Read "our take" on the latest developments and what they mean.

A collaborative, bank-led approach

A new approach: We propose a model under which banks that meet financial and compliance standards could be permitted to shift from retrospective, supervisor-led examinations to a process that is forward-looking and driven by bank-created issues management action plans. The new model would:

Empower banks to lead remediation, through self-identified issues, action plans, and milestone tracking
Preserve supervisory authority, with defined eligibility criteria, regulator validation of plans, timely escalation protocols, and mandatory fallback to traditional exams when warranted
Leverage AI and analytics to surface emerging risks, reduce manual testing, and prioritize supervisory attention

This approach would enable supervisors to focus on material financial risks and emerging systemic issues, while giving banks the capacity to identify and manage risks within their stated appetite and align resources to support their strategic and operational priorities.

The banking industry and its supervisors share commitments to the stability, resiliency, safety and soundness, and integrity of the banking system,¹ including the fair treatment of customers and clients who rely on the industry’s products and services. From the supervisors’ standpoint, bank examinations serve as the primary mechanism to assess adherence to expectations that further these goals. Through extensive on-site reviews, document analysis, and management interviews, examiners evaluate satisfactory compliance or identify areas of concern and promote corrective action.

History has demonstrated, however, that on-site examinations are by their nature retrospective and highly resource intensive and because of this, can draw supervisory resources and bank staff away from addressing emerging and significant risks. This dilemma came into stark relief during the 2023 bank failures, where post-mortem reports highlighted the disconnect between the volume of supervisory activity and the failure to identify and address the risks that caused the banks to fail. As noted by Fed Vice Chair for Supervision Michelle Bowman in a recent speech, “there is a risk that overemphasis on process and supervisory box-checking can be a distraction from the core purpose of supervision, which is to probe financial condition and financial risk.”

As supervisors work to modernize their structures and processes against the backdrop of reduction in force mandates in Executive Order 14179 and OMB guidance that explicitly encourage them to adopt AI, they should consider replacing detailed examination procedures and testing with a continuous, collaborative, AI-enabled process centered around bank-driven issues management plans. Such a shift in supervision^{^[1]} would help facilitate a constructive, outcome-oriented dialogue between banks and supervisors. Rather than a retrospective exercise focused on rigid and outdated process-based examinations, supervision would become a forward-looking discussion about the substance of risk management, bank strategy and risk appetite, and institutional accountability.

The case for modernizing the examination process

Bank examinations have been a cornerstone of the U.S. financial regulatory framework for decades. By providing an independent, structured review of a bank’s operations, risk management, and compliance, examinations have helped identify emerging risks, strengthen governance, bolster public confidence, protect depositors and support financial stability. However, as the process has evolved over decades alongside changes in regulations, markets, products, and bank infrastructure, certain attributes have emerged that can result in (1) a significant demand for bank resources; (2) distraction from material risks; and (3) regulation by supervision. We expand on these issues below:

A lengthy, resource intensive process. The current U.S. bank examination framework is a resource intensive exercise rooted in detailed processes and procedures. Examination scoping alone can take a couple months as regulators gather data and formulate a plan. Examiners then collect and test significant volumes of financial, governance and internal control documentation. Once the examination is underway, administrative tasks can be significant: preparing for interviews, compiling documents, producing memos, writing reports that may undergo layers of review by regional offices and headquarters staff. Different areas (e.g., compliance, IT) may be evaluated independently by different teams and agencies, leading to fragmented conclusions, redundant data requests, and missed opportunities to synthesize insights across the institution or across agencies. In total, the exam planning process, conducting the exam, and (where required) drafting enforcement actions can take up to two years. Even after a bank submits its final remediation package, regulators can take months or years to clear findings.

Focus on process can distract from material risks. Where weaknesses are identified, agencies issue examination findings, such as Matters Requiring Attention (MRAs) or enforcement actions – sometimes many months after the examination itself – that require an institution to develop action plans for remediation. For both examination and bank staff, these protracted efforts (1) can be ineffective at timely mitigation of identified risks and (2) risk crowding out more strategic tasks such as addressing issues, evaluating control design, and adjusting strategy to respond to market conditions. In the case of Silicon Valley Bank, the Fed’s post-mortem report stated that Fed staff spent more than 20,000 hours supervising the bank in 2022, yet failed to escalate responses to increasingly pronounced liquidity and interest rate risks. Much of the effort was absorbed by process and documentation, with even SVB’s own board materials “focused on compliance with enhanced prudential standards (EPS) or responding to supervisory findings, rather than managing the actual risks of the firm.”

Along these lines, one former deputy director of the CFPB observed that examiners frequently require banks to document and formalize longstanding informal practices, apply equal weight to issues regardless of materiality, and respond to supervisory findings that are “more about process than about substance.” This dynamic can result in overly prescriptive MRAs, such as mandates to change system default settings or rework governance frameworks, even when the underlying controls are functioning as intended. Such requirements consume institutional resources without improving safety and soundness while detracting from root cause analysis and forward-looking risk management.

Regulation through supervision. The current examination model also enables examiner findings to effectively dictate regulatory standards without the transparency, deliberation, or accountability of formal rulemaking – a dynamic sometimes referred to as “regulation through supervision.” Through horizontal examinations and thematic expectations, examiners can dictate a model of control design or issue prioritization that may not align with each bank’s risk profile, business model, or operational reality.

Accordingly, what was established to safeguard against risk can become a costly, backward-looking exercise, falling short of the forward-looking, dynamic supervision required to help drive the continued health of today’s financial system. While the outputs of these examination processes may drive remediation, the examination findings risk being out of sync with the bank’s actual performance or being too little too late and can divert bank resources from other issues and implementation strategies supporting the long term operations of the firm. If the ultimate examination objective is to ensure banks remediate known issues to enable operation in a safe and sound manner, this goal can be achieved much more efficiently and effectively through an ongoing, collaborative, technology-driven process.

A bank-driven solution, augmented by technology

The current model delivers value by providing an independent perspective on the safety and soundness of financial institutions, enforceable expectations, and a pathway to remediation when concerns are not addressed. We posit that it is possible to maintain these benefits while redesigning examiner supervision as a more continuous, collaborative, bank-driven and technology-supported effort that that customizes risk prioritization and issue management to individual banks’ business models and risk appetites.

A new approach. Under this new model (which we refer to as “the program”) eligible institutions would replace traditional on-site examinations by creating a self-directed Issues Management Action Plan (IMAP) – a structured blueprint for identifying, prioritizing, and remediating risk issues aligned to strategy, risk appetite, and regulatory expectations. Supervisors would maintain oversight and enforcement authority, but their role would shift toward monitoring remediation progress and systemic concerns, and away from extensive reviews of practices and documentation. This approach would foster more timely, effective, and efficient conversations about risk while reducing examination-related operational burdens and costs for all parties. It would also not be an entirely unfamiliar supervisory dynamic as other frameworks (e.g., Basel II, Fundamental Review of the Trading Book) have permitted banks to use internal models following an approval process.

Eligibility. As a starting point, supervised institutions would have to meet certain requirements to qualify for the program. For example, by:

Demonstrating strong financial condition;
Having no material violations of laws or regulation;
Demonstrating implementation of an effective issues management program that includes strong complaints management practices; and
Developing an effective audit plan with adequate third line staffing to support its execution.

In practice, a bank would follow a self-certification process against the criteria and obtain approval from its board of directors – similar to the process instituted by the Federal Reserve to increase limits for daylight overdrafts. Their primary supervisor would review this self-certification and make the final determination regarding eligibility for the program.

Issues Management Plan. Once in the program, supervision would rely on a bank’s issue identification and management processes, where the bank would compare its policy, procedure, control, and practice documentation against regulatory requirements and other standards and obligations. Based on these analyses, a bank would create and maintain an IMAP that:

Prioritizes the bank’s issues based on risk severity, regulatory impact, and business implications;
Identifies root causes, specific enhancement actions, executive responsibility, and timelines; and
Aligns resourcing to enhancement actions to implement the bank’s strategy within risk appetite.

Supervised institutions would give examination teams access to the IMAP along with details on supporting programs and progress. They would seek to build a mutual understanding of areas including (1) concrete actions the bank is taking to remediate issues; (2) prioritization and timing of remediation activities; and (3) issues management resource allocation. Satisfactory maintenance of an IMAP would provide relief from examinations and enable expedited regulatory approvals.

Monitoring. Bank management would be responsible for providing supervisors with access to ongoing reporting and maintaining a dialogue around progress, risks, priorities and constraints related to the IMAP. Supervisors and banking institutions would establish regular cadences to review information, recent impactful events that could redirect strategy (e.g., market conditions, significant litigation or ethics complaints, or change in financial performance), and discuss their plan for further interaction. Supervisors would retain the ability to monitor progress, analyze supporting data, or intervene if significant negative events occurred. Removed, however, would be the thousands of pages of examination procedures and months of testing, replaced by accountability within the bank for management to assess risks and actions that drive its strategy while maintaining safe and sound operations within its risk appetite.

Ratings and enforcement. To ensure transparency and accountability, evaluation of progress could be factored into supervisory ratings. While implementing this could come in various forms, the CAMELS framework “Management” component (if retained) could be adapted to reflect the quality and execution of the bank’s IMAP (e.g., Strong Progress (SP), Adequate Progress (AP), and Inadequate Progress (IP)). Sanctions could escalate in cases of IP, including potential removal from the program, while AP and SP institutions would obtain relief from the burdens of the traditional examination process. Similarly, the Federal Reserve could consider the quality and execution of a firm’s IMAP through the “governance and controls” evaluation of a bank holding company.³ With this in place, supervisory teams would retain visitation and enforcement authority, and a bank that failed to maintain an IMAP or progress remediation of significant issues could be removed from the program and could be subject to enforcement actions.

Technology. Advances in technology – including generative AI, machine learning, and data analytics – offer new opportunities to augment the creation, maintenance, and monitoring of the IMAP by enabling more timely and scalable analysis of complex data. Supervisors and the financial services industry are investing in these capabilities today, and as usage expands, banks and examination teams will increasingly be able to rapidly analyze bank operations to identify and manage risk. While the banking agencies’ expectations will need to evolve alongside these rapid advancements in technology, widespread adoption of these technologies is inevitable. Institutions and supervisors will have the ability to analyze data at increased speed and scale, enhancing timely risk management for banks and providing monitoring data for supervisors by providing real-time insights into exceptions, progress, risks and risk profiles. The examples below illustrate several potential applications of these technologies in an IMAP context.

How can technology augment this new approach to supervision?

Generative AI can be used to analyze internal issue logs, audit findings, and remediation plans to identify common drivers of control failures – such as inconsistent implementation, ineffective handoffs, or process gaps – and generate narrative summaries of root causes. These summaries can help banks group related issues, prioritize remediation steps, and structure more coherent IMAP components. Supervisors can use these outputs to assess whether the bank is focusing on the underlying causes of recurring issues rather than isolated symptoms.
Predictive models can aid banks in designing forward-looking risk scenarios by analyzing historical data alongside current operational, financial, and market inputs. These models can help simulate potential disruptions – such as volatility, liquidity stress, or third-party failure – and recommend targeted adjustments to credit policies, risk limits, or resource allocation. This analysis can support proactive updates to IMAP components and timelines, ensuring alignment with evolving risk conditions. Supervisors can use similar techniques to identify emerging systemic risks across institutions and assess responsiveness to changing conditions.
Natural language processing tools can scan and classify large volumes of internal documents – such as policies, procedures, and audit reports – to identify outdated references, control gaps, or inconsistencies with regulatory expectations. These insights can help banks target specific documents for revision and provide supervisors with clearer visibility into how a bank’s documentation reflects its risk posture and remediation priorities.
AI-enabled monitoring tools can evaluate performance metrics – such as control test results, issue recurrence, remediation timeliness, and audit coverage – to update risk indicators and track progress on IMAP commitments. This analysis can occur closer to real time, helping both banks and supervisors identify where risks remain elevated, whether actions are having the intended effect, and where additional intervention may be needed.

Challenges to bank-led planning

A shift to a bank-led, technology-enabled supervision model offers compelling advantages, but also can present legitimate challenges. Banks may face hurdles in developing an IMAP, including the need to assimilate adequate data across business lines, ensure objectivity and effective risk identification, develop needed technology, and maintain accountability across the three lines of defense. Critically, building internal credibility and external trust with supervisors will require not only technical competence but also cultural change that enables demonstrable execution over time. Shifting the bulk of assessment and remediation planning to regulated institutions raises a series of natural concerns:

Can banks be trusted to objectively assess their own weaknesses?	Trust is earned through demonstrable performance and transparency. The model includes internal governance, external oversight that includes monitoring capabilities as well as retention of enforcement powers.
Will plans be comparable across institutions?	The goal of this model is to provide for tailored, bank-driven plans. That said, supervisors may share baseline expectations for IMAP content and governance, providing guidance to firms seeking to enter the program.
Could this model reduce supervisory visibility into emerging or systemic risks?	On the contrary, enhanced use of AI, centralized data, and thematic risk analysis across institutions will improve system-wide visibility. Supervisors retain access to full datasets and can identify cross-cutting trends more effectively.
Does this approach weaken regulatory rigor or increase the risk of capture?	No. Supervisory rigor is preserved through continuous monitoring, visitorial authority, and enforcement mechanisms. The model shifts effort from process to outcome, increasing substantive engagement. Transparency is achieved via structured IMAPs with traceable inputs, and reporting.
Will regulators accept a bank’s internal view or second-guess it?	Supervisors retain the authority to challenge IMAPs. However, trust will build over time through continuous dialogue, consistent quality and effective execution.
Is the required investment in technology and governance worth it?	Yes. Banks benefit from proactive risk management, reduced exam burden, and better alignment between issues, resources, and strategy. Supervisors gain efficiency and deeper insights (from enhanced data), aligning with digital modernization mandates.
What about insider fraud or management misconduct?	These risks remain a concern under any model. This framework increases the likelihood of early detection and remediation through continuous monitoring, complaint analysis, channels for whistleblowing, and real-time data review, enabled by advances in technology. Enforcement powers remain fully intact.

In short, the model presented is not intended to reduce accountability. Rather, the goal is to redistribute effort, focusing the bank on earlier risk detection and remediation, and the regulator on validation and strategic oversight. But most importantly, by automating and shifting many of the resource-intensive tasks of supervision, while allowing a bank to develop a remediation plan that aligns to its strategy, this approach enhances supervision by aligning supervisory attention with the institution’s true risk posture in real time. By enabling a proactive, transparent, and structured form of institutional self-awareness, the model helps supervisors move from episodic inspection to continuous engagement, without sacrificing independence, rigor, or enforcement authority. With appropriate safeguards and staged implementation, it offers a pathway to a more efficient, transparent, and resilient regulatory regime.

Implementing the vision

To operationalize this model, change is required on both sides of the supervisory relationship, guided by clear expectations, measurable outcomes, and shared accountability.

Banks should consider:

Establishing cross-functional risk and technology teams to develop self-assessment capabilities that integrate operational, compliance, and financial risk domains.
Standardizing data taxonomies and control inventories to ensure that inputs into the IMAPs are consistent, traceable, and analyzable.
Investing in enabling tools, including anomaly detection and remediation tracking systems – while ensuring these tools align with model risk management frameworks.
Developing robust governance frameworks for plan creation, board-level approval, periodic updates, and transparent escalation of emerging risks.

Supervisors should consider:

Creating supervisory protocols to review, approve, and monitor institutional plans – backed by systems that can ingest and evaluate digital submissions.
Updating examiner training to focus on technology-enabled assessments, assessing risk prioritization logic, and reviewing AI outputs.
Implementing phased adoption, beginning with pilot institutions – potentially within the FFIEC’s existing structure – to evaluate impact and refine guidance before broader rollout.

Conclusion

For supervisors and eligible banking institutions, this proposal can help:

Minimize required examination procedures and related “checklist” examinations by shifting the diagnostic responsibility to supervised institutions;
Replace extended examiner-driven findings and required remediation with a bank-created issues management plan aligned to its risk tolerance and strategic goals;
Increase the quality and quantity of data available to institutions and supervisors through use of technology to accelerate testing and anomaly detection
Preserve the visitation and enforcement powers of bank regulators, whose role would become one of understanding the plan and monitoring the bank’s progress, as well as analyzing data across institutions to identify and communicate emerging risk trends

This model would enable a more efficient and effective use of public and private resources. Supervisory agencies could focus efforts on high-risk firms or business lines and validating risk themes across the system. Banks could shift resources from reactive exam support to proactive risk management. Agencies could make better use of digital tools to improve efficiency and reduce administrative burden.⁴ While risk-taking is a fundamental part of the banking business, and no system or technology can prevent all failures, this approach would drive efficiency and better information and decision-making for banks and their supervisors.

Finally, this change in the supervisory process could be implemented through smaller, well-trained examination teams, allowing agencies to reduce the cadre of examination generalists and examination processing support personnel while increasing staffing of subject matter specialists with expertise in technical areas. In the end, enabled by technology, both these skilled examiner resources and the banks they supervise would have access to better data that would drive more timely resolution of issues. We believe this model could foster improved outcomes for banks, supervisory teams, and the public they serve.

_{[1] This paper uses the term “banks” to encompass banks and bank holding companies supervised at the federal level by the Federal Reserve Board (Fed), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Consumer Financial Protection Bureau (CFPB).}

_{[2] This paper proposes a new approach to supervision, not the legislative or regulatory structures which govern banking in the U.S.}

_{[3] Evaluation criteria are described in FR Letter 19-3 “Large Financial Institution (LFI) Rating System,” recently the subject of a Notice of Proposed Rulemaking.}

_{[4] A recent study by the Bank Policy Institute reveals that employee hours dedicated to complying with financial regulations and examiner mandates has increased by 61% from 2016 to 2023 and that IT budgets dedicated to compliance have increased by 40% in the same time period. Federal Reserve Vice Chair for Supervision Michelle Bowman has expressed concern that the rising costs of compliance are passed on to consumers.}