Menu

Menu

Menu

Menu

Menu

Menu

Menu

Menu

Loading Results

Fed supervisory principles, final small business data rule and more – May 8, 2026

  • May 08, 2026

Change remains a constant in financial services regulation

Read "our take" on the latest developments and what they mean.

Fed releases revised supervisory principles

What happened? On May 1st, the Fed issued an updated Statement of Supervisory Operating Principles (SOP) that supplements and supersedes the prior statement from October 2025. The updated SOP was circulated within the Fed on April 21st.

What do the principles say and how do they differ from the previous version? The updated principles include more color and specificity on key concepts from the October release in addition to several new principles:

 

Updated statement

Prior statement

MR(I)A issuance standard

Matters Requiring Attention (MRAs) and Matters Requiring Immediate Attention (MRIAs) may be based on an issue threatening safety and soundness only if supervisory staff “determine in good faith that a deficiency exists which, if not remediated in a timely manner, would create a significant probability of significant harm” to the firm’s financial condition, or has resulted in significant actual harm. The statement further specifies that:

  • The good‑faith requirement is satisfied only if supervisory staff have sufficient evidence that their probability and severity estimates are plausible.
  • It is developing quantitative tests for “significant harm” while noting two examples: losses that would cause the firm to be less than well capitalized (on a historical cost or fair‑value basis), or losses that would result in a significant outflow of cash or other liquid assets within a short period of time.

The revised statement adds detail to the prior SOP’s more general direction for supervisors to prioritize deficiencies with a material impact on financial condition rather than procedural or documentation shortcomings. The prior statement did not include a detailed issuance threshold or place an evidentiary burden on supervisors.

Enforcement action standard

Enforcement actions may be issued only if supervisory staff determine that an act or failure to act would, if not remediated in a timely manner, create an abnormal probability of abnormal harm to the firm’s financial condition, or has resulted in abnormal actual harm. The statement defines abnormal as substantially higher than normal or significant.

The prior statement indicated that the interpretation of the statutory standard for issuing enforcement actions would be changing and did not provide a separate threshold.

Internal Audit (IA) reliance and MR(I)A closure

For terminating MR(I)As and enforcement actions, supervisors should not perform duplicative validation unless IA is ineffective or unsatisfactory, the firm does not have an IA function, or IA has not validated the remediation. Supervisors should not delay closing an issue to test sustainability and may issue a new MR(I)A or take more forceful action if remediation later proves unsustainable. Instead, they should assess the firm’s internal audit validation and rely on it if satisfactory.

The prior statement did not identify additional conditions for reliance on internal audit, such as the absence of an internal audit function or lack of audit validation. It also did not raise the possibility of MR(I)A re‑issuance if remediation proves unsustainable.

Communications and transparency

There should not be any material differences between supervisory criticisms communicated at the final exit meeting and those included in the written examination report.

The prior statement did not address alignment between exit meetings and written reports.

Other net new items (did not appear in prior statement)
  • Credit for self-identification: A presumption that when a firm self‑identifies a deficiency that would otherwise meet the MR(I)A standard and promptly begins remediation in a manner deemed reasonable by supervisors, the issue can be treated as a supervisory observation.
  • Escalation: An explicit encouragement for firms to report failures of their supervisory contacts to comply with the updated principles.
  • Resolution: Direction for supervisory staff to facilitate the early resolution of troubled insured depository institutions, with the stated objective of minimizing long‑term costs to the Deposit Insurance Fund.
  • Tools: Direction for supervisory staff to maintain, develop, and continuously improve forward‑looking tools used to identify significant threats to safety and soundness or financial stability.
  • Objective statement: The primary objectives of supervision are noted as including early identification of significant threats to safety and soundness or financial stability and encouraging or directing proportionate action to address those threats promptly.

Our Take

A significantly higher bar for formal findings comes into focus

The updated SOPs provide a clearer picture of the extraordinary circumstances under which formal supervisory findings and enforcement actions will now be issued. They provide meaningful color around how the Fed intends to assess severity quantitatively and the level of evidentiary support supervisors will be expected to establish before formal supervisory escalation occurs. Against that standard, formal findings are even more likely to remain relatively infrequent, with supervisors instead expected to continue communicating concerns through regular, frank, and informal feedback channels and supervisory observations before issues rise to the level of an MR(I)A. Taken together, this dynamic and the new offramp for self-identified issues underscore the need for processes to record and evaluate supervisory observations and other informal feedback as well as identify, monitor, escalate, and remediate issues before they become more acute. Similarly, the revised SOP’s additional conditions for supervisors to rely on IA raise the stakes for IA functions to demonstrate the credibility and rigor of their validation processes.

Operationalization and consistency remain key questions

While the updated principles provide additional clarity around the standards for formal supervisory findings, the revised SOPs still leave a fair bit of room for examiner judgment in assessing the probability, severity, and immediacy of potential harm. That said, the SOP does provide some signals around how the Fed may seek to promote greater consistency in supervisory application, including explicit expectations for supervisor discipline with respect to transparency and clarity as well as reiterated encouragement for firms to challenge supervisory findings or raise concerns regarding noncompliance with the principles. In practice, those changes may reduce some of the variability in approach across supervisor teams that firms have historically experienced and they may fundamentally pivot the dynamic between firms and their supervisors toward one that is more collaborative and candid than perhaps historically has been the case. Even so, banks will expect additional clarity and consistency as the Fed develops its quantitative tests and formal rulemaking, including around causality between operational risks and financial harm, the role of violations of law, and how the quantitative standards will account for different bank sizes, business models, and risk profiles.

CFPB publishes final rule on small business data collection

What happened? On May 1st, 2026, the CFPB issued a final rule that revises its 2023 small business lending data collection rule to implement Section 1071 of the Dodd-Frank Act. The rule was adopted substantially as proposed in November 2025.

What does the rule do and why was it revised? Section 1071 amended the Equal Credit Opportunity Act (ECOA) to require financial institutions to compile, maintain, and submit to the Bureau certain data on applications for credit for women-owned, minority-owned, and small businesses. The CFPB’s 2023 rule faced opposition from industry groups arguing it imposes data collection requirements far exceeding the Section 1071 mandate and that it would make small business lending more expensive, which could cause banks to reduce or cease small business lending. The rule was also met with litigation arguing that (1) the rule is arbitrary and capricious and (2) the CFPB’s funding structure violates constitutional separation of powers.

What does the new final rule change from the 2023 rule? The revisions differ significantly from the 2023 rule by narrowing coverage and eligibility criteria, streamlining reporting requirements, and reducing data fields. Key changes include:

  • Raising the lender coverage threshold from 100 to 1,000 small business loans in each of the prior two years.
  • Narrowing the scope of covered lending by excluding certain products, including merchant cash advances, agricultural lending, and some small-dollar or short-term credit.
  • Changing the rule’s definition of “small business” from $5 million or less in gross annual revenue to $1 million or less, with provisions for inflation adjustments.
  • Eliminating several data points from the 2023 rule, including pricing, denial reasons, application method, and number of employees.
  • Simplifying demographic reporting by streamlining demographic data collection, reinforcing applicants’ right not to respond, and removing requirements to monitor low response rates as potential discouragement.

What’s next? The final rule is effective on June 30th, 2026, with a compliance date of January 1st, 2028. It notes that the rule could be further amended to include additional products, lenders or data points as “the Bureau and financial institutions learn from early iterations of data collections.”

Our Take

A narrower, more focused approach to small business lending data collection with room to evolve

While the revised Section 1071 rule addresses many of the industry’s concerns around the breadth and complexity of the 2023 rule, the ultimate scope of small business lending data collection is far from final. The CFPB’s incremental approach means that additional lenders (e.g., certain fintechs and agricultural lenders excluded in the final rule), products and data points could be added in future amendments. More immediately, advocacy groups – no strangers to litigation involving Section 1071 – could challenge the final rule in the court. Considering these uncertainties, firms should be cautious about scaling back data infrastructure going forward. In addition to the potential for further change, data points excluded from the final rule often support firms’ own fair lending analyses and are used for compliance with other rules.

On our radar

Fed publishes latest Financial Stability Report. On May 8th, the Fed published its May 2026 Financial Stability Report, noting that financial system vulnerabilities remain moderate overall but highlighting elevated asset valuations, high leverage among hedge funds and certain nonbanks, and emerging risks tied to private credit and AI. The report also underscores geopolitical tensions, including Middle East conflict and potential energy shocks, as key near-term risks that could amplify market volatility, inflation, and funding stress, while pointing to continued resilience in the banking sector supported by strong capital and liquidity positions.

OCC publishes latest Semiannual Risk Perspective. On May 7th, the OCC published its Spring 2026 Semiannual Risk Perspective, highlighting geopolitical risk, AI governance, and private credit markets as emerging supervisory focus areas. The report discusses the potential effects of Middle East tensions on cyber, sanctions, and inflation risk; increased bank adoption of generative and agentic AI; and growing attention to refinancing and concentration risk tied to private credit exposures. The OCC also reiterated its focus on tailoring supervision and reducing regulatory burden for community banks, particularly in areas such as BSA/AML compliance and model risk management.

SEC proposes amendments to allow optional semi-annual reporting in lieu of quarterly reports for public companies. On May 5th, the SEC proposed rule and form amendments that would permit public companies to file semi-annual reports on a new Form 10-S in place of quarterly Form 10-Q filings. The proposal would allow companies to choose between quarterly and semi-annual reporting, with semi-annual reports due 40 or 45 days after the reporting period. Comments will be due 60 days after Federal Register publication.

SEC publishes notice seeking comment on swap dealer and major participant definitions. On May 4th, the SEC published a Federal Register notice requesting comment on a staff report evaluating the definitions of “security-based swap dealer” and “major security-based swap participant,” including the effectiveness of current de minimis thresholds.

BIS publishes paper on supervisory risk appetite frameworks. On May 4th, the BIS released a paper outlining a supervisory risk appetite framework (RAF) to help authorities define and manage tolerance for supervisory risk. Referencing lessons from the global financial crisis and recent banking sector stress, the paper highlights how clearer articulation of supervisory trade-offs can improve consistency, accountability, and timeliness of interventions, supporting more effective and risk-based supervision.

Vice Chair Bowman discusses AI in financial system and supervisory approach. On May 1st, Fed Vice Chair for Supervision (VCS) Michelle Bowman delivered remarks at an FSOC roundtable highlighting the growing use of artificial intelligence in banking, particularly in cybersecurity and risk management. Bowman emphasized the need for a balanced supervisory approach that supports innovation while addressing risks, including updates to model risk and third-party risk management frameworks.

Vice Chair Bowman speaks on coordinated approach to consumer fraud. On May 5th, VCS Bowman delivered remarks emphasizing the growing scale and sophistication of consumer fraud and its impact on financial stability. Bowman also noted that the Fed, Federal Communications Commission, and Treasury Department plan to convene a public-private roundtable to gather input on strategies to combat payments fraud.

1Federal preemption is the principle that federal banking regulations take precedence over conflicting state requirements. Certain areas of preemption are codified under the National Bank Act and Dodd-Frank Act, which prohibit state laws and regulations from “significantly interfer(ing)” with banks’ abilities to “carry on the business of banking” when they conflict with federal requirements.

Our Take: Financial services regulatory update – May 8, 2026

(PDF of 297.23KB)

{{filterContent.facetedTitle}}

Follow us

© 2017 - 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.