Banking Regulation 2023

Last Updated October 25, 2022


Law and Practice


Moore & Van Allen PLLC has nearly 400 attorneys and professionals serving clients in over 75 practice areas. Founded and led by former Bank of America Global General Counsel, Ed O’Keefe, and Chambers nationally ranked regulatory lawyer Neil Bloomfield, the firm's Financial Regulatory Advice & Response (FRAR) division assists many of the nation’s most recognisable banks, including global systemically important financial institutions, in connection with their most pressing regulatory concerns. It is one of the few American law firms that place financial services regulation at the centre of its international banking practice. Its interdisciplinary group of over 30 attorneys includes former regulators, senior in-house practitioners, and attorneys with deep experience in financial regulation. FRAR's work is regularly acknowledged by a number of respected publications, including Chambers and Partners. It serves financial institutions and the industry in the US.

There are three types of depository institutions in the US: commercial banks, savings associations (sometimes called “thrifts,” which specialise in deposit taking and mortgage lending), and credit unions (a cooperative financial institution formed for members of a common group who collectively own the institution, such as a group associated with an employer, business type, or branch of the military). Charters for the different types of institutions (collectively, “banks”) are available for issuance both by individual US states and at the federal level. As a result, the banking system in the US is often referred to as a “dual” banking system. The decision regarding which charter type is the most appropriate and whether to apply for a state or federal charter is often driven by several considerations, including expected product and service offerings, anticipated customer base, the markets in which the bank will operate, examination costs, preference for or familiarity with a particular primary regulator, and the importance of federal law preemption of certain state laws to the bank’s business plans.

Given the variety of charters available and the option of obtaining a state or federal charter, the US regulatory structure governing banks is correspondingly complex. A state-chartered bank is regulated and supervised at the state level by the chartering state’s banking agency (under state laws and regulations) and by a federal bank regulator depending on its insured status and whether it has elected to become a member of the Federal Reserve System. The primary federal bank regulators are:

  • the Office of the Comptroller of the Currency (OCC), which charters, regulates, and supervises national banks and federal savings associations;
  • the Federal Deposit Insurance Corporation (FDIC), which insures deposit accounts and manages the deposit insurance fund as well as being the primary federal bank regulator and supervisor of state insured banks that do not belong to the Federal Reserve System;
  • the Board of Governors of the Federal Reserve System (Federal Reserve Board), which regulates and supervises bank and financial holding companies, foreign banking organisations operating in the US, and all nonbank financial companies designated as systemically important. In addition, this organisation is the primary federal bank regulator and the supervisor of state banks that are members of the Federal Reserve System; and
  • the National Credit Union Association (NCUA), which charters, regulates, and supervises national credit unions. It also insures the deposit accounts of national and many state-chartered credit unions.

In addition to these federal agencies, the Consumer Financial Protection Bureau (CFPB) is responsible for implementing and enforcing compliance with federal consumer financial laws by large banks (more than USD10 billion in total consolidated assets) and their affiliates and certain other consumer financial services companies. Depending on their activities, banks and their affiliates also may be subject to supervision and regulation by the Securities and Exchange Commission (SEC), the Commodities Futures Trading Commission (CFTC), and state insurance regulators, as well as other state, federal, or non-US regulators.

Important federal legislation that developed and governs the banking system in the US includes the following:

  • The National Banking Act of 1863, as amended in 1864, established a national banking system, authorised national bank charters, and established the OCC.
  • The Federal Reserve Act of 1913 established the Federal Reserve System as the central banking system in the US.
  • The Banking Act of 1933, also known as the “Glass-Steagall Act”, established the FDIC as a temporary agency (later becoming a permanent agency) and separated commercial banking from investment banking.
  • The Bank Holding Company Act of 1956 (BHCA) required the approval of the Federal Reserve Board to establish a bank holding company (BHC).
  • The Gramm-Leach-Bliley Act of 1999 repealed Glass-Steagall’s separation of commercial and investment banking, created financial holding companies that are authorised to engage in underwriting and selling insurance and securities and to conduct merchant banking activities, and restricted disclosures of non-public consumer information.
  • The Dodd-Frank Wall Street Reform and Consumer Financial Protection Act of 2010 (Dodd-Frank Act) established measures to prevent systemic risks to the US financial system, a framework for the regulation of derivatives, and the CFPB.
  • The Economic Growth, Regulatory Relief and Consumer Protection Act of 2018 raised the threshold of coverage of banking organisations subject to enhanced prudential standards under the Dodd-Frank Act.

In addition to these and other federal or state statutes governing bank powers and authorities, banks are subject to the rules of their regulators. Each state and federal bank regulator has implemented its own regulations that set out the licensing requirements, permissible activities and investments, and safety and soundness operating standards applicable to the banks each regulates.

Given the nature of the dual banking system in the US, the specific licensing and application requirements to charter a bank will vary based on the type of bank charter and whether chartered at the state or federal level. The OCC sets out its application and licensing requirements for a national bank in its regulations and a licensing handbook. The process for chartering a national bank is set out below and is generally representative of the process for other bank charter types as well.

General Application Requirements

Organisers of the proposed national bank must apply to, and receive approval from, the OCC before the bank engages in banking business. In reviewing an application, the OCC:

  • will ensure that the application is complete and required organisational documents for the bank have been filed, the required capital stock of the bank has been paid-in, and that the bank has at least five, and generally no more than twenty-five, elected directors;
  • will take into account the bank’s plans to meet the credit needs of the communities in which it would operate;
  • will consider:
    1. whether the organisers are familiar with applicable bank laws and regulations;
    2. the experience and competency of the proposed management team and directors;
    3. the bank’s business plan and the economic conditions and competitive considerations of the markets in which it plans to operate;
    4. the sufficiency of the projected capital needs of the bank given the risks and complexity of its expected activities;
    5. the reasonableness of the financial and profitability assumptions used in preparing the pro forma financial statements that accompany the application;
    6. the ability of the bank to operate in a safe and sound manner; and
    7. any public comments received in connection with the published notice announcing the filing of the application; and
  • may consider the risks a proposed insured bank would pose to the deposit insurance fund and any questions regarding the permissibility of its corporate powers.

The application should include a request for the bank to exercise fiduciary powers, if needed. A bank that intends for its deposit accounts to be insured must also file an application for deposit insurance with the FDIC. In addition, a BHC (or a company that would become one because of its proposed ownership interest in the new bank) is required to obtain approval from the Federal Reserve Board before the OCC will grant approval.

The Licensing Process

The bank’s organisers will generally hold a meeting with OCC staff to review the plans for the bank and raise any questions on the licensing process before applying for a charter. The organisers will also designate a person for the OCC to contact with questions during the application process. The OCC provides both a preliminary approval for the organisers to continue their organisational efforts and a final approval that is required before the bank can open for business.

Once preliminary approval has been obtained, the organisers can complete any remaining management hires, continue raising capital, and otherwise prepare for opening the bank, including developing internal risk management and operating systems and adopting a written insiders’ policy addressing code of conduct and conflicts of interest. At least 60 days before the bank’s proposed opening and before final OCC approval may be issued, the bank must notify the OCC that organisational efforts have been completed and request that the OCC conduct a pre-opening examination.

For at least the first three years of its operation, the bank is required to receive a non-objection from the OCC before making any significant change to its business plan. The OCC must also review the bank’s hiring of new executive officers or election of new directors for at least the first two years of the bank’s operations.

Powers and Authorities

The powers and authorities of national banks are set out in legislation (including the National Bank Act) and through the OCC’s regulations and interpretive letters, including requirements for when the bank must file a notice or receive approval from the OCC to engage in a new activity.

State-Chartered Banks

The application and licensing process to charter a state bank is governed by the laws of the chartering state. The powers and authorities of a state bank are governed by state law, with many states having provisions in their banking laws, sometimes referred to as “wild card provisions,” providing the state’s banks with the same powers and authorities as national banks. State banks with a primary federal bank regulator (the Federal Reserve Board or the FDIC) are also subject to federal laws and regulations governing their activities.

Acquisitions of control of an insured bank are subject to the Change in Bank Control Act (CBCA) and the BHCA. Notice to the appropriate federal bank regulator is required to be filed at least 60 days before the acquisition of control unless the transaction is exempt or otherwise subject to an after-the-fact notice requirement. Mergers of insured banks are subject to the provisions of the Bank Merger Act and implementing regulations of the appropriate federal bank regulator.

A person or entity (a “person”) controls a bank under the CBCA if it would, directly or indirectly, have the power to either direct the management or policies of the bank, or vote 25% or more of any class of the bank’s voting securities. A rebuttable presumption of control exists if the person, directly or indirectly, has the power to vote 10% or more of any class of a bank’s voting securities and either the securities are subject to registration under the Securities Exchange Act of 1934 or, immediately after the transaction, no other shareholder would own or have the power to vote a greater percentage of the class. In determining the level of control that the person exercises, the agencies also consider whether the person is acting, or is deemed to be acting, in concert with others.

A 90-day after-the-fact notice requirement applies in circumstances where control is acquired due to circumstances beyond the person’s control, such as acquiring control through inheritance or a bona fide gift, a redemption of the bank’s voting securities, or by acquisition of the securities in satisfaction of a debt. Some acquisitions of control are exempt from the CBCA notice requirements, including for transactions subject to approval under or transactions described in the BHCA and the Bank Merger Act. The BHCA requires approval of the Federal Reserve Board for a BHC to either acquire a subsidiary bank, acquire more than 5% of the voting securities of a bank, or acquire all or substantially all of a bank’s assets by one of its nonbank subsidiaries.

Notice of a filing is required to be published in a newspaper in the community where the bank is located. The agencies evaluate several factors in reviewing the notice, including any public comments on the transaction and whether the acquisition will result in a monopoly or substantially lessen competition or threaten the financial stability of the bank, is not in the interest of depositors or the public, or would result in adverse impacts to the deposit insurance fund.

Unless otherwise provided by the agency, a person deemed to have control due to ownership of more than 10% but less than 25% of the bank’s voting securities would be required to file another notice if their ownership interests later increase to 25% or more, but subsequent increases in ownership beyond that point would not be subject to additional filing requirements under the CBCA.

The review period is generally 60 days, but it may be extended. The agencies also may impose conditions on an acquiror, such as not materially changing the bank’s business or committing to providing capital and liquidity support to the bank. In the event of an adverse decision, the person may appeal the decision. If the agency has not acted on the notice before expiration of the waiting period, the person may proceed with the transaction.

State-Chartered Banks

If the target bank is a state bank, the appropriate federal bank regulator provides a copy of the CBCA filing to the chartering state agency. The laws of the applicable chartering state should also be considered for potential state change in control filing requirements.

Federal bank regulators have established standards for the safe and sound operation of a bank. Banks are expected to have internal operational and management systems and capabilities that are appropriate for the bank’s size, complexity, and risk profile, including for internal controls and information systems; audit systems; loan documentation practices; credit underwriting practices; interest rate exposure; asset growth practices; asset quality practices; and earnings practices. The agencies have also set standards for information security practices and, as discussed in 4.3 Remuneration Requirements, to prevent excessive compensation practices.

The OCC has also established guidelines for risk management for insured national banks with at least USD50 billion of total consolidated assets. The guidelines set heightened standards for the establishment of:

  • Framework for the management of risk;
  • Roles and responsibilities of risk-creating units at the bank, independent risk management, and audit;
  • Strategic plans, risk appetites, and concentration limits; and
  • Talent and compensation management programmes.

The guidelines also set standards for the role of the bank’s board of directors with respect to risk management.

At the BHC level, the Federal Reserve Board requires each BHC with USD50 billion or more of total consolidated assets to have a global risk management framework establishing policies and procedures for the management of risk at the firm and processes and systems for implementing and monitoring compliance with risk management policies and procedures.

State-Chartered Banks

State banks would be subject to any corporate governance requirements established by applicable state laws and regulations, and, if subject to regulation by a federal bank regulator, the requirements of the primary federal bank regulator.

As part of the licensing process for a national bank charter, the OCC will evaluate the qualifications of the organisers, directors, and executive officers and consider their familiarity with the laws and regulations that govern a bank as well as experience with the expected business activities of the bank. The OCC must also review the hiring of new senior executive officers or election of new directors for at least the first two years of the bank’s operations. Thereafter, the bank must provide the OCC with at least 90 days advance notice in the event of additions or changes to its board of directors and senior executive officers (or adding a new senior executive officer role to the responsibilities of an existing senior executive officer) if the bank is not in compliance with its minimum capital requirements, has been notified in writing by the OCC of a requirement that it do so, or has been determined to be in troubled condition.

Any required notice must include biographical and financial information, employment and compensation arrangements, fingerprint checks, tax check waivers, and consent from the person to a background check. The OCC may disapprove of any member of the board or new senior executive officer (or change in their role) given the OCC’s evaluation of the person’s character, competency, integrity, or experience. Management officials of banks are also generally prohibited from serving as a management official of an unaffiliated bank if the management interlock would likely have an anticompetitive effect.

Residency and Citizenship Requirements for National Bank Directors

Unless a waiver is requested by the bank and granted by the OCC, directors of national banks must be citizens of the US. Waivers of this requirement are discretionary but may not be for more than a minority of the total number of directors on the board. In connection with a citizenship waiver request, the bank must submit biographical, financial, and other information on the director.

A majority of directors must also reside in the state where the bank is located, or within 100 miles of the location of the bank’s designated main office, for at least one year prior to their election and during their term of service. The OCC may waive this requirement in its discretion and with no limit on the number of waivers granted.

Roles and Responsibilities of National Bank Directors and Senior Management

The board of a national bank is accountable for the oversight of the bank’s management, provision of leadership to the bank, and establishment of the bank’s values. The board is also responsible for creating a risk governance framework for the bank and setting the bank’s strategic direction and its appetite for risk.

While the board is responsible for strategic direction and oversight, senior management is responsible for day-to-day bank operations. The board should hold management accountable for accomplishing the bank’s strategic objectives while operating within an approved risk appetite framework. The board carries out its responsibilities by exercising informed and independent judgment and providing a credible challenge to management’s decisions and recommendations.

In addition to having a variety of skills and expertise appropriate for the bank’s activities, the board should include an appropriate mix of executive directors and those who are independent of any familial or business relationships with the bank or its management. The OCC’s heightened standards for banks with total consolidated assets of at least USD50 billion require that at least two members of the board meet designated independence standards.

Expectations for Bank Holding Company Directors and Senior Management

The Federal Reserve Board has also established key attributes for an effective board of directors that are applicable to a BHC with total consolidated assets of at least USD100 billion. Boards are expected to set clear direction for strategy and risk appetite; direct management on the board’s information needs; oversee and hold management accountable; support the independence and stature of independent risk management and audit functions; and maintain a capable board compensation and governance structure.

Regulations of the Federal Reserve Board also require each BHC with at least USD50 billion of total consolidated assets to have a risk committee of its board that is responsible for approving and periodically reviewing the firm’s risk management policies and overseeing the operation of a global risk management framework. The committee must have at least one member with experience in identifying, assessing, and managing risk exposures at large, complex financial firms and be chaired by a director who meets defined independence standards. In addition, the risk committee of a BHC with at least USD100 billion of total consolidated assets must also review and approve a contingency funding plan for the BHC and any material revisions to the plan.

A BHC with at least USD50 billion of total consolidated assets must also have a Chief Risk Officer (CRO) who has experience in identifying, assessing, and managing risk exposures at large, complex financial firms. The CRO is responsible for: overseeing the firm’s establishment and monitoring of enterprise risk limits; implementation and compliance with risk management policies and procedures; and management, monitoring, and testing of controls. The CRO is required to report directly to both the board’s risk committee and to the chief executive officer. The CRO’s compensation must be consistent with its role of providing an objective assessment of risks taken by the BHC.

In 2018, the Federal Reserve Board issued proposed supervisory guidance for effective risk management by senior management, management of business lines, and independent risk management, but the proposal has not been finalised.

State-Chartered Banks

State banks would be subject to any director or senior management registration and oversight requirements established by applicable state laws and regulations.

As part of the safety and soundness standards established by the federal bank regulators, federally regulated banks are required to implement safeguards to prevent excessive compensation, fees, and benefits to officers, employees, directors, or principal shareholders that could lead to material losses. Compensation is considered excessive, and is prohibited as an unsafe and unsound practice, if the amounts are unreasonable or disproportionate to the services performed. When determining compensation, banks should evaluate:

  • aggregate compensation paid (both cash and non-cash benefits);
  • compensation history in comparison to payment to others with comparable expertise;
  • financial condition of the bank;
  • comparable compensation practices at peer banks;
  • projected total costs of benefits; and
  • any connections between the individual and fraudulent acts or insider abuse.

In addition, federal bank regulators have issued guidance to assist banks in developing sound incentive compensation practices. Banks are expected to regularly review their compensation arrangements with senior executives and others responsible for oversight of organisation-wide activities or material business lines and employees who individually, or as part of a group, can expose the organisation to material amounts of risk. Compensation arrangements that are tied to achievement of specific metrics should balance risk and reward appropriately, be compatible with effective controls and risk management, and support strong corporate governance.

State-Chartered Banks

State banks would also be subject to any compensation restrictions or limitations established by applicable state laws and regulations.

Financial institutions are responsible for performing several key functions to combat money laundering and terrorist financing in the US financial system.

Customer Identification and Verification

Every bank must adopt a Customer Identification Program (CIP) with written procedures for opening an account. The CIP must specify the identifying information that will be obtained from each customer and include risk-based procedures for verifying the customer’s identity. It must also include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer.

Banks must also request beneficial ownership information from all legal entity customers and apply identification and verification protocols to the individual beneficial owners.

Sanctions Controls

Before opening an account, banks must screen customers and related parties, as necessary, against the lists of sanctioned persons/entities maintained by the Office of Foreign Assets Control (OFAC), a division of the US Department of the Treasury responsible for administering economic and trade sanctions.

Customer Due Diligence

Banks must establish effective, risk-based customer due diligence (CDD) systems and monitoring programmes to detect potential illicit financial activity. To accomplish this, they must develop customer risk profiles that can then be used as a baseline against which customer activity can be assessed for possible suspicious activity. The CDD programme must include procedures governing “enhanced” customer due diligence, ie, the application of heightened standards for collection and verification of customer information based on known customer risk factors, and ongoing monitoring of customers with higher risk profiles. It must also include procedures for filing Currency Transaction Reports, filing Suspicious Activity Reports, and reporting other necessary information as required. See 7.1 Bank Secrecy Requirements for additional information.

Recordkeeping and Retention

Banks must document all identity verification methods, any documents relied on during customer verification, and the resolution of any discrepancies that arose during the identification or verification process for each customer. Banks must securely maintain records, including identifying information and descriptions, for the applicable mandatory retention period.

The FDIC insures deposit products at each insured state or federally chartered bank (other than deposit accounts at an insured credit union, which are insured by the NCUA) up to the applicable insurance coverage limit. Coverage for FDIC insurance is not limited to US citizens and residents and applies automatically when any person opens a deposit account at an insured bank.

Examples of deposit products covered by FDIC Insurance are as follows:

  • Checking accounts, negotiable order of withdrawal accounts, and savings accounts.
  • Money Market Deposit Accounts.
  • Certificates of Deposit.
  • Cashier’s checks and money orders.

Examples of financial products not covered by FDIC Insurance are as follows:

  • Stocks, bonds, mutual fund investments, and municipal securities.
  • Life insurance policies.
  • Annuities.
  • US Treasury bills, bonds, or notes.
  • Cryptocurrency assets.

Coverage for Deposits with Foreign Banks or that are Payable outside of the US

Deposits at an FDIC-insured branch of a foreign bank that are contractually payable in the US are insurable, unless it is a deposit to the credit of the foreign bank or any of its offices, branches, agencies, or any wholly owned subsidiary.

Deposits payable solely at an office of an insured bank located outside of the US are not considered deposits for FDIC insurance eligibility purposes.

Limits of Coverage

The standard FDIC insurance amount is USD250,000 per depositor at the bank and for each account ownership category (noted below) held at the bank. All accounts held by the depositor at the bank in the same account category are added together and insured up to the USD250,000 limit for each account category. Deposit account categories include:

  • single accounts;
  • joint accounts;
  • designated retirement accounts like IRAs;
  • revocable trust accounts;
  • corporation, partnership, and unincorporated association accounts;
  • irrevocable trust accounts;
  • employee benefit plan accounts; and
  • government accounts.

Treatment of Fiduciary Accounts

For funds deposited by a fiduciary on behalf of an owner to be insured as deposits of the funds’ owner, the bank’s deposit account records must reflect the fiduciary nature of the account. The name of each owner and ownership interest must also be ascertainable from the records of either the bank or the fiduciary. In the event of the bank’s failure, the FDIC will aggregate an owner’s funds deposited by the fiduciary along with other deposits of the owner in the same ownership category at the bank for purposes of determining the aggregate amount of insured deposits.

What Happens to Insured Deposits When the Bank Fails

When an insured bank fails, the FDIC may find another bank that is willing to assume its deposits. In this case, the insured depositors of the failed bank become depositors of the assuming bank. To the extent a depositor otherwise already has deposit accounts at the assuming bank, the new deposits are separately insured for a temporary period to allow the depositor time to move or otherwise restructure how or where their deposits are held.

If a bank cannot be found to assume the deposits, the FDIC closes the institution and pays depositors their applicable deposit insurance amount. The FDIC also acts as the receiver of the failed institution by collecting and selling the institution’s assets to settle its debts, which include claims by depositors for deposit amounts that exceeded the insurance limit.

Funding Deposit Insurance

The FDIC’s deposit insurance fund is funded through assessments on insured banks and interest earned on these assessments through investments in US government obligations. Insured banks are assessed by multiplying the bank’s assessment rate by its assessment base. The assessment rate for each bank takes into account financial and risk-based measures. A bank’s assessment base is its average consolidated total assets minus its average tangible equity.

The Bank Secrecy Act (BSA) is a reference to a series of laws and regulations requiring financial institutions to establish programmes, maintain records, and provide reporting to assist US government agencies in detecting and preventing money laundering and the financing of terrorism. The BSA requires banks to undertake ongoing customer monitoring and establish procedures for:

  • keeping records of cash purchases of negotiable instruments;
  • filing reports for certain cash transactions; and
  • filing reports for any transaction activity or patterns that may indicate money laundering, tax evasion, or other illicit financial activity.

Banks are required to have a board-approved BSA/anti-money laundering programme that provides for internal controls and independent testing, the designation of a responsible officer for coordinating and monitoring compliance, and training of employees. Banks are also required to adopt a Customer Identification Program (CIP) and establish, with reasonable certainty, the true identity of each customer – or, for legal entity customers, the identities of their beneficial owners – before beginning a banking relationship.

Beneficial Ownership Reporting

Under the Corporate Transparency Act (CTA), a subdivision of the Anti-Money Laundering Act of 2020, entities organised under US law and any entity registered to do business in the US will be required to self-report the identities of all of its beneficial owners to the Financial Crimes Enforcement Network (FinCEN). Once beneficial ownership information is reported to FinCEN, the agency will be responsible for maintaining a non-public national beneficial ownership registry accessible to law enforcement agencies and financial institutions upon request.

Suspicious Activity Reporting

Banks are required to report suspicious activity (a suspicious activity report, or SAR) upon detection of facts or circumstances indicative of potential money laundering, check fraud, cybersecurity breaches, wire transfer fraud, mortgage and consumer loan fraud, embezzlement, official corruption or self-dealing, identity theft, terrorist financing, or other BSA violations. The SAR should provide sufficient detail to outline who conducted the activity, the nature of the activity and how it was conducted, when and where the activity took place, and why the activity was deemed suspicious. The SAR must be filed within 30 days of detecting the suspicious activity, though a filing may be delayed for an additional 30 days to identify a suspect.

SARs are subject to strict confidentiality requirements preventing disclosure of the fact that a SAR is being prepared or has been filed or any information related to the SAR. If a bank is subpoenaed or otherwise directed to disclose the SAR or information within it, banks are required to decline to do so and to notify their regulator. Copies of filed SARs are required to be maintained subject to required retention periods.

Unauthorised disclosure of SARs can result in both civil and monetary penalties.

Currency Transaction Reports

Banks are also required to report a person’s currency transactions that exceed USD10,000 in a single day, whether through one or a series of transactions. A currency transaction report (CTR) must be filed regardless of the reasons for the transaction. Transactions cannot be broken into smaller amounts for the purpose of avoiding reporting requirements. This activity (referred to as “structuring”) constitutes suspicious activity that must be reported.

The CTR requirement is triggered every time a person exceeds the single-daily threshold unless the person is exempt. Exempt persons include banks, government agencies, and certain commercial customers for certain types of transactions.

Violations of BSA reporting requirements can result in both civil and monetary penalties of up to USD100,000 or USD250,000, respectively, and imprisonment.

The Basel Committee on Banking Supervision (BCBS) develops prudential regulatory, supervision, and risk management standards to enhance the stability of the global financial system. In 2010, the BCBS announced a framework known as Basel III that was designed to increase the level and quality of capital that banks are required to maintain, limit leverage at banks, improve liquidity risk management practices, and limit procyclicality. The US serves as a participating BCBS member. In 2013, US federal bank regulators adopted capital, liquidity, and leverage requirements for banks and their holding companies (collectively, “banking organisations”) that are considered generally consistent with the BCBS Basel III framework.

The regulators have continued to adjust the US Basel III requirements since that time, including implementing tailoring approaches to apply the most stringent requirements to subsets of the largest banking organisations (those with USD100 billion or more of total consolidated assets). In addition, US banking regulators have announced their intention to propose new rules that would implement changes to the US Basel III rules to align them with the 2017 BCBS Basel III reforms. See 10.1 Regulatory Developments.

Regulatory Capital Minimums

The US Basel III rules set out the elements of regulatory capital for banking organisations and two methodologies for measuring the organisation’s risk-weighted assets (RWAs): a standardised approach using supervisory developed models for risk weighting, and an advanced approach for large, internationally active banking organisations using the organisation’s internal models. Capital ratios are calculated by dividing the organisation’s regulatory capital by its total RWAs. Minimum regulatory capital ratios are required for Common Equity Tier 1 (CET1) Capital (4.5%), Tier 1 Capital (6.0%), and Total Capital (8.0%). Under US Basel III, institutions using the advanced approaches are required to calculate each ratio under both the standardised and advanced approaches and then use the more binding output calculation of the two. In addition, banking organisations are required to maintain a 4.0% minimum leverage ratio of Tier 1 Capital to average total assets.

To avoid limitations and restrictions on capital distributions and certain discretionary bonus payments, banking organisations must also maintain an additional 2.5% CET1 capital conservation buffer on top of the minimum 4.5% CET1 requirement.

Some smaller banking organisations (those with less than USD10 billion of total consolidated assets and that meet other qualifying conditions) may elect to use a simplified method for calculating their regulatory capital ratio. Organisations using the community bank leverage ratio framework are not required to calculate and report RWAs but instead must have a leverage ratio of more than 9.0%. Provided the organisation’s leverage ratio remains above 9.0% and the organisation remains qualified for use of this framework, the bank will be considered compliant with regulatory capital minimums and the capital conservation buffer.

Additional Requirements for Large Banking Organisations

The largest banking organisations are subject to additional buffers, surcharges, and requirements. The banking regulators divide these organisations into one of four categories:

  • Category I: only US BHCs that have been designated as global systemically important banks (GSIBs).
  • Category II: banking organisations that are not US GSIBs but that have either USD700 billion or more of total consolidated assets, or USD100 billion or more of total consolidated assets and USD75 billion or more in cross-jurisdictional activity.
  • Category III: banking organisations that are not Category I or II having USD250 billion or more of total consolidated assets, or USD100 billion or more of total consolidated assets and USD75 billion or more of certain risk indicators (short term wholesale funding, nonbank assets, or off-balance sheet exposures).
  • Category IV: banking organisations that are not Category I, II, or III and have USD100 billion or more of total consolidated assets.

Stress capital buffers (SCB)

Large banking organisations that are BHCs are subject to annual assessment by the Federal Reserve Board of the effectiveness of the firm’s capital planning processes and of the sufficiency of its regulatory capital both to absorb losses during adverse economic conditions and to allow the organisation to continue meeting its obligations and serving its customers.

The Federal Reserve Board incorporates the results of required stress testing into the regulatory capital requirements of covered BHCs by replacing the capital conservation buffer with the SCB. The size of each firm’s SCB is assessed annually based on the impact to its CET1 from application of the stress testing, with a floor for the buffer of at least 2.5%.

Countercyclical capital buffer

Category I, II, and III firms would be subject to a countercyclical capital buffer if imposed. This buffer is discretionary.

Surcharges on GSIBs

The Federal Reserve Board applies a capital surcharge to US GSIBs. The amount of a US GSIB’s surcharge, which must be at least a 1.0% add-on to its CET1 requirements, is re-assessed annually and based on evaluation of the GSIB’s systemic importance during the prior year.

As noted in the Insolvency, Recovery, and Resolution discussion in 9.1 Legal and Regulatory Framework, US GSIBs are also required to maintain minimum amounts of additional regulatory capital and long-term debt to absorb losses and facilitate their orderly resolution.

Supplementary leverage ratio

Category I, II, and III organisations are subject to a minimum supplementary leverage ratio (SLR) of 3.0%. The SLR is calculated by dividing Tier 1 Capital by total leverage exposure. A Category I organisation (a GSIB) is also subject to an enhanced SLR requirement that imposes a 2.0% leverage buffer above the minimum 3.0% SLR, for a total effective minimum SLR of 5% for these organisations.

Liquidity requirements

Large banking organisations are subject to liquidity risk management and net stable funding rules. The liquidity risk management rules establish a minimum liquidity coverage ratio (LCR) requiring Category I and II organisations to hold high-quality liquid assets in an amount equal to or greater than the institution’s projected net cash outflows during a 30-day stress period. Category III and IV organisations are subject to the LCR on a reduced basis. The LCR would also apply to the insured bank subsidiary of a Category I, II, III, and IV holding company if the bank has USD10 billion or more of total consolidated assets. The rule also establishes enhanced liquidity risk management testing requirements and standards.

In addition, Category I and II organisations are required to maintain a minimum net stable funding ratio (NSFR) of its available stable funding to its required stable funding of at least 100%. Category III and IV organisations are subject to the NSFR on a reduced basis. The NSFR would also apply to an insured bank subsidiary of a Category I, II, III, and IV holding company if the bank has USD10 billion or more of total consolidated assets.

Prompt Corrective Action

Insured banks are subject to prompt corrective action (PCA) regulations that impose limitations on their activities for failing to meet identified regulatory capital minimums. The PCA framework assigns banks to one of five categories that measure the institution against risk-based capital and leverage ratios: well capitalised; adequately capitalised; undercapitalised; significantly undercapitalised; and critically undercapitalised. To be considered well capitalised, a bank must have a minimum CET1 ratio of at least 6.5%, a Tier 1 Capital ratio of at least 8%, a Total Capital ratio of at least 10%, and a Tier 1 Leverage ratio of at least 5.0%. If the bank is a subsidiary of a BHC with more than USD700 billion in total consolidated assets, an SLR of 6.0% is also required for the bank to be considered well capitalised. As a bank falls into lower capital categories, the PCA framework imposes increasingly severe restrictions and limitations on its activities and triggers supervisory response measures and directives.

State-Chartered Banks

In addition to applicable federal requirements that may be imposed on an insured state bank or state bank that is a member of the Federal Reserve System by the FDIC or Federal Reserve Board, a state bank may also be subject to regulatory capital and liquidity requirements imposed by applicable state laws and regulations.

The FDIC acts as the receiver or liquidator of failed banks. The determination of whether to close a bank is usually made by the bank’s chartering national or state agency, and the FDIC will then generally be appointed as the receiver of the bank. The FDIC acts to protect the interest of depositors and to preserve and maximise the assets of the bank.

The FDIC’s options to resolve a failed bank include:

  • Purchase and assumption transactions: The FDIC markets and receives bids for the failed bank’s assets and liabilities. A healthy bank assumes the insured deposits of the failed bank and may also purchase other assets. This is the most common resolution method.
  • Deposit payoffs: The FDIC pays the failed bank’s insured depositors up to the maximum insured amount.

Any remaining assets of the bank would then be liquidated and made available to satisfy the claims of the bank’s creditors (including uninsured depositors) according to their relative priority in payment. Uninsured depositors are paid ahead of the bank’s general creditors, with remaining amounts, if any, then paid to the bank’s stockholders.

Although the use of the US bankruptcy code remains the preferred method of resolution for holding companies, the FDIC also has the authority to resolve large, complex holding companies. The FDIC may exercise this authority (its orderly liquidation authority, or OLA) with the agreement of a two-thirds majority of its board and of the board of the Federal Reserve Board as well as the agreement of the Treasury Secretary, in consultation with the President. The FDIC is authorised to borrow money from the US Treasury to fund the resolution. To the extent these funds are not recovered during the resolution process, the FDIC will assess any deficit on other large, complex financial institutions.

To help ensure a credible plan is in place for their orderly resolution, BHCs with total consolidated assets of USD250 billion or more are periodically required to submit resolution plans (also referred to as “living wills”) to the Federal Reserve Board, the FDIC, and the Financial Stability Oversight Council. The Federal Reserve is also authorised to apply living will requirements, and other prudential requirements, to a BHC with less than USD250 billion, but more than USD100 billion, of total consolidated assets if the Federal Reserve Board determines that application of the requirement is appropriate to address or mitigate risk to financial stability.

The Federal Reserve Board and FDIC are required to review the credibility of each BHC’s plan and may make, jointly, a determination that the plan is not credible. The failure of the firm to address identified deficiencies in its plan may result in the firm being subject to more stringent capital, leverage, or liquidity requirements or to limits on its growth, activities, or operations. If the BHC is ultimately unable to address deficiencies in its resolution plan, the agencies may require the BHC to divest assets or operations.

For US GSIBs, the principal resolution strategy is a single-point-of-entry (SPOE) approach, where the FDIC is appointed as the receiver of the holding company and subsidiaries of the holding company continue to operate. The FDIC would transfer assets and some liabilities to a bridge company capitalised by pre-arranged debt that converts into equity. To enhance the effectiveness of the resolution strategy, the Federal Reserve Board requires each GSIB to maintain a minimum amount of total-loss absorbing capacity (TLAC) made up of a minimum amount of long-term debt and Tier 1 Capital. A GSIB is also required to maintain a buffer above the minimum TLAC amount to avoid limitations on its ability to make capital distributions and certain discretionary bonus payments.

While transformational change to the regulatory framework governing banks in the US has generally occurred on timeframes measured by decades, additions to the framework and refinements to its existing components are ongoing regulatory developments.

Areas of regulatory focus in the near-term are expected to include:

  • the CFPB’s efforts to curtail some fees and charges imposed by banks and to address discriminatory practices across product and service offerings and in decision-making processes;
  • proposed rulemaking efforts to implement the 2017 Basel III reforms;
  • heightened scrutiny of potential anti-competitive effects of proposed bank mergers;
  • establishment of a regulatory framework to govern crypto assets and related product and service offerings;
  • amendments to update core banking regulations; and
  • the potential for federal privacy legislation or rulemaking.

CFPB Supervisory and Enforcement Priorities: Bank Fees and Charges, Buy Now – Pay Later Products, and Discriminatory Practices

The CFPB is expected to continue its work focusing on fees and charges for consumer financial products, consumer protections for buy now - pay later loans, and discrimination in the provision or offering of consumer financial products and services. While the CFPB focuses on these and other areas, including the following, it faces increasing constitutional challenges to its foundational authority:

  • Fees and Charges. The CFPB has focused its attention on what it characterises as “junk fees” by seeking public comment on bank practices with respect to certain bank account, credit card, and other financial product fees and charges, such as late payment fees and non-sufficient funds fees. With respect to credit card late payment fees, the CFPB issued an advance notice of proposed rulemaking requesting information to understand how late payment charges are set and related to actual costs and whether these fees play a role in meeting revenue or profitability goals for card issuers. These studies and advance rulemaking proposals are expected to result in future CFPB rulemaking, industry guidance, and supervisory and enforcement actions focused on fees and charges.
  • Buy Now - Pay Later. The CFPB has initiated a study around the sharp growth in buy now - pay later lending during the COVID-19 pandemic. The study looks to focus on the inconsistent consumer protections applied to these lending products as well as data aggregation practices of buy now - pay later lenders. The study may lead to CFPB interpretive guidance or rulemaking that results in consumer protections for these products that are similar to those required for credit card lending and that may place limitations on the industry’s data surveillance practices.
  • Discriminatory Practices. In 2022, the CFPB updated its examination manual for unfair, deceptive or abusive acts or practices (UDAAP) to provide direction to examiners in evaluating discriminatory practices as potential unfair practices prohibited by the Dodd-Frank Act. The updated manual directs CFPB examiners to evaluate whether the institution has internal processes to prevent discrimination in its offering or provision of consumer financial products or services and whether the institution reviews, tests, and monitors its decision-making processes for discrimination.

The CFPB’s assertion through release of the manual that discriminatory practices may be UDAAP violations under the Dodd-Frank Act resulted in a legal challenge by several trade associations. The trade associations argued, among other things, that the UDAAP prohibitions, unlike other statutory authorities the CFPB enforces addressing credit offerings and products, are not directed at discriminatory practices. As a result, the trade associations argued that the CFPB had exceeded its statutory authority. The trade associations also argued the examination manual should be set aside as the CFPB had failed to follow administrative procedural requirements by issuing the manual without first seeking public review and comment and had acted arbitrarily and capriciously. In addition, the lawsuit alleged that the funding structure for the CFPB under the Dodd-Frank Act violated the US Constitution.

With respect to the constitutionality of the CFPB’s funding structure and in a separate lawsuit focused on the CFPB’s 2017 payday lending rule, a federal appellate court held that the funding structure violates the US Constitution’s Appropriations Clause and vacated the payday lending rule. A final resolution of the constitutional challenges to the CFPB’s structure will, depending on the ultimate outcome, have implications beyond any one specific CFPB rulemaking or supervisory action that is the subject of the legal proceeding. In the interim, however, the existence of these proceedings should not be expected to impact the CFPB’s pursuit of its supervisory priorities and enforcement efforts.

Implementation of Basel III Reforms

In 2017, the BCBS announced reforms to Basel III. The announced reforms would: make changes to the risk sensitivity under the standardised approach for credit and operational risk; include restrictions on the use of models under the advanced approaches; add a leverage ratio for GSIBs; and create an output floor on regulatory capital benefits for firms using the advanced approaches.

Efforts for BCBS member nations to implement the Basel III reforms have been delayed due to the COVID-19 pandemic, and the BCBS extended the expected implementation deadline to 1 January 2023. In the fall of 2022, US banking regulators announced their intention to revise the US Basel III rules for alignment with the 2017 BCBS Basel III reforms. Proposed rules could be issued in 2023.

Bank Merger Reviews

A 2021 executive order from President Biden directed federal banking agencies to assess their current practices for reviewing bank merger applications to ensure consumers have choices among financial services providers and to protect against excessive market consolidation. In response, the FDIC issued a public request for information and comment on the effectiveness of its framework for reviewing proposed merger transactions involving one or more insured banks. The request included an invitation for public comment in several areas, including any needed enhancements to address the impact of proposed transactions on financial stability, the adequacy of current review practices in assessing the impact of transactions on the convenience and needs of local communities, and the extent to which the CFPB should be consulted by the FDIC during reviews. The Acting Comptroller of the Currency has directed OCC staff to work with other agencies to evaluate the OCC’s bank merger review practices.

Formal changes to the merger review process remain pending while the agencies evaluate their reviews. Longer review periods for applications, particularly for larger banking organisations, are expected pending formal agency response to the executive order.

Regulation of Crypto-assets and Related Products and Services

Efforts continue in the US to design an appropriate regulatory structure to govern crypto-assets and their related risks. Movement may be seen through existing or future legislative proposals or through recommendations made by various government agencies in response to a 2022 Presidential executive order on the policy objectives of the US with respect to digital assets.

Federal bank regulators have remained cautious in considering the role that banks can and should play with respect to the desire of customers for crypto-related banking products and services. Each regulator has issued supervisory letters or interpretations highlighting the risks of crypto-related activities to banks. Both the Federal Reserve Board and the OCC require their supervised banks to provide regulatory notification before engaging in any crypto-related activities and to demonstrate that the bank has risk management systems and controls capable of allowing the bank to conduct the activity in a safe and sound manner. Additional guidance from the federal bank regulators is expected.

Updating Key Federal Reserve Board Regulations

Banking organisations regulated by the Federal Reserve Board have been expecting the Federal Reserve Board to issue proposed rules updating several of the Federal Reserve Board’s long-standing regulations. The updates could include amendments to the Federal Reserve Board’s regulations that: govern the international operations of US banking organisations and US operations of foreign banking organisations (Regulation K); impose restrictions and requirements for loans to executive officers, directors, and principal shareholders (Regulation O); restrict and limit transactions between banks and their affiliates (Regulation W); and set requirements governing bank and financial holding companies and changes in bank control (Regulation Y).

Potential for Federal Privacy Protections

Although privacy protection legislation has been implemented by some states, comprehensive legislation is absent at the federal level in the US. Proposed legislation introduced with preliminary bipartisan support in Congress, the American Data Privacy and Protection Act, would seek to fill that gap, although whether it ultimately passes Congress remains uncertain. In addition to potential future legislation, the Federal Trade Commission (FTC) is evaluating its own potential rulemaking to address commercial surveillance and data security practices. The FTC has issued an advance notice of proposed rulemaking designed to explore how surveillance practices may harm consumers and children, how the costs and benefits of these practices should be balanced, how harmful practices should be regulated, and the effectiveness of consumer consent and disclosure practices.

The most recent regulatory developments in the United States addressing environmental, social, and governance (ESG) issues have been those addressing climate-related risks. In March 2022, the Securities and Exchange Commission (the SEC) issued a proposed rule that would require registrants to include climate-related disclosures in their registration statements and periodic reports and to disclose the registrant’s greenhouse gas emissions. Two banking regulators, the OCC and the FDIC, have also released for public comment draft principles addressing efforts by large banks (those with more than USD100 billion of total consolidated assets) to identify and manage climate-related risks. The Federal Reserve Board has also announced plans for a 2023 pilot climate scenario analysis exercise aimed at the understanding and management of climate-related financial risks.

The OCC’s draft principles, released in December 2021, address:

  • governance roles of board of directors and management in managing climate-related risks;
  • the need to reflect unique characteristics of climate risk into policies, procedures, and limits;
  • the incorporation of climate-related risks into business strategy, risk appetite, and financial, capital, and operational planning;
  • the development and integration of processes to identify, measure, monitor, and control climate-related financial risk exposures into the bank’s existing risk management framework;
  • the incorporation of climate-related financial risk information into data aggregation, risk measurement, and reporting; and
  • the development of scenario analysis to assess the potential impact on the bank of changes in economic conditions and the financial system from climate-related risks.

The principles also discussed the need for banks to address the impact of climate-related risks on various existing risk-types, including credit risk, liquidity risk, financial risk, operational risk, legal and compliance risk, and other non-financial risks like strategic and reputational risk. The OCC indicated it planned to issue subsequent guidance that would further elaborate on the principles and address any feedback received from the draft principles generally. The FDIC released an equivalent set of draft principles on 30 March 2022.

In response to the OCC’s and FDIC’s release of the draft principles and the SEC’s proposed climate-related public disclosure rule, the American Bankers Association and the bankers’ associations of every US state and of Puerto Rico issued a letter on 23 June 2022 to Federal financial regulators regarding ESG regulatory policy initiatives. The letter reflected the associations’ position that banks should not be used to effectuate environmental or social policy goals, that regulatory efforts should not seek to reallocate capital or carry out goals unrelated to safety and soundness, and that banks should be free to lend or not lend, subject to fair lending and anti-discrimination laws, as each individual bank may determine.

In September 2022, the Federal Reserve Board announced plans for a pilot climate scenario analysis exercise involving six large banks. The pilot’s announced purpose was to enhance the ability of both banks and supervisors to measure and manage the financial risks of climate change. The pilot exercise is expected to launch in 2023 and be completed later in the year. The Federal Reserve Board expects to publish results and lessons learned from the exercise at an aggregate, not individual bank, level and has indicated that the pilot exercise will not have capital consequences for the six participating banks.

Moore & Van Allen PLLC

100 North Tryon Street
Suite 4700
Charlotte, NC 28202-4003

+1 (704) 331-1000

Trends and Developments



Key Changes in US Banking Regulation

The regulatory landscape in the US is complex and constantly changing. Among the most interesting developments have been the use of the laws intended to address unfair competition to expand the scope of oversight in the consumer protection space, and a growing focus on cryptocurrencies through informal guidance.

Expansion of UDAAP as an Enforcement Tool

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) prohibits unfair, deceptive, or abusive acts or practices (UDAAP) in connection with the provision or offering of a consumer financial product or service. The Dodd-Frank Act authorises the Consumer Financial Protection Bureau (CFPB) to supervise large depository institutions and their affiliates as well as certain other consumer financial services companies for compliance with federal consumer financial laws. During 2022, the CFPB took several significant steps that purported to expand the reach of its UDAAP authority and the authority of states to bring enforcement actions for federal UDAAP violations.

Discrimination as a potential UDAAP violation

On 16 March 2022, the CFPB released updates to its UDAAP examination manual. These updates included direction to CFPB examiners to evaluate whether an institution has internal processes to prevent discrimination in its offering or provision of consumer financial products or services and whether the institution reviews, tests, and monitors its decision-making processes for discrimination. Utilisation of its UDAAP authority would expand the power of the CFPB to address discriminatory practices with respect to products and services outside of those covered by specific statutes, such as the Equal Credit Opportunity Act (ECOA).

Multiple trade associations filed a lawsuit challenging the release of the UDAAP examination manual update on several grounds. First, the trade associations asserted that the CFPB exceeded its statutory UDAAP authority. They argued that the Dodd-Frank Act’s prohibition against unfair acts or practices does not extend to discriminatory practices. Further, the lawsuit asserted that the CFPB failed to follow administrative procedural requirements by issuing the manual without first seeking public review and comment and that its actions in releasing the manual were arbitrary and capricious. The lawsuit also alleged that the funding structure for the CFPB under the Dodd-Frank Act violates the US Constitution’s Appropriations Clause. The latter claim has been the subject of ongoing litigation, and the Fifth Circuit, one of the intermediate appellate courts at the federal level, ruled on 19 October 2022 that the CFPB’s independent funding structure violates the US Constitution’s Appropriations Clause in a case striking down the agency’s 2017 Payday Lending Rule.

State enforcement of UDAAP and other federal consumer financial laws

Shortly after issuing its updated UDAAP examination manual, the CFPB also issued an interpretive rule holding that individual states have authority to enforce the consumer financial protection provisions of the Dodd-Frank Act and other federal consumer financial laws and the rules or regulations of the CFPB implementing these laws. In issuing the interpretive ruling, the CFPB noted that states are permitted to bring enforcement actions against a broader range of consumer financial providers than those that may be brought by the CFPB. The rule also asserted that actions by the CFPB do not serve to bar a similar action by the states.

Inadequate information security practices as UDAAP violations

On 11 August 2022, the CFPB issued a circular concluding that insufficient data and information security practices can violate the unfairness prong of the Dodd-Frank Act’s UDAAP prohibitions in addition to violating specific federal data security laws, like the Gramm-Leach-Bliley Act (GLBA). The circular highlighted that compliance with GLBA requirements would not necessarily result in a determination that the practice did not violate the UDAAP prohibitions under the Dodd-Frank Act. The CFPB also indicated that the circular was not intended to establish any specific information security practice requirements. The CFPB did, however, cite the failure to offer multi-factor authentication for systems and account access, having inadequate password management policies and procedures, the failure to update systems and software in a timely manner, and the failure to implement “common” data security practices, as increasing the risk of a UDAAP violation.

Prudential Regulatory Approach to Crypto/Digital Asset Activities

Prudentially regulated US banks have historically been – and remain – hesitant to engage in “crypto” or “digital” asset activities. This is primarily due to the lack of federal banking guidance in the crypto space, and also the Office of the Comptroller of the Currency (OCC)’s interpretive letter #1176, which implicitly called into question earlier letters that had addressed certain digital asset activities in a more favorable light. The lack of guidance is also quite notable now, given that in 2021, the Federal Reserve, FDIC, and OCC (the “Agencies”) stated they planned to provide banks with clarity around certain digital asset activities over the course of 2022.

Accordingly, many federally regulated banking organisations continue to avoid offering products or services to customers that would provide direct exposure to digital assets, despite customer requests for such. This hesitation is likely warranted. Federal agency guidance and speeches by agency regulators made throughout 2022 frequently focused on the potential risk that exposure to digital asset markets may pose to a regulated institution, and potentially to the US banking system writ large. Framing digital asset activities as a question of risk management affords the banking regulators increased flexibility in supervising (and prohibiting) the adoption of certain digital asset activities by banks.

Nonetheless, 2021 and 2022 also saw several developments with large, established banking organisations either directly offering digital asset services, such as custody, or partnering with financial technology firms in preparation to provide such products in the future. Firms exploring the feasibility of providing similar services should pay careful attention to the areas of potential risks highlighted throughout the recent interagency reports, guidance and regulator speeches, and be prepared to defend their risk management and compliance framework against heavy scrutiny.

Digital asset related activities as a risk to safety and soundness

During the prior administration, the OCC issued three interpretive letters that favourably addressed national banks providing custody of digital assets, holding the reserve funds backing “stablecoins” (ie, a type of digital asset designed to have a stable value) and engaging in payment-related activities that use blockchains and digital assets. These interpretive letters were almost immediately subject to review when the current administration took office. The results of the review were addressed by interpretive letter #1179 issued on 23 November 2021, in which the OCC confirmed the legal permissibility of such services, but now expressly required that banks receive written supervisory non-objection before engaging in such activities.

The FDIC issued a similar financial institution letter in April 2022. The letter did not address the legal permissibility of engaging in such activities, but instead highlighted potential risks to safety and soundness, financial stability and consumer protection. Similar to the OCC’s letter, the FDIC then made clear it would require FDIC-supervised institutions to provide notice before engaging in digital asset activities.

The Federal Reserve then issued Supervision and Regulation letter SR 22-6/CA 22-6, requiring supervised banking organisations to provide notice of any proposed digital asset-related activity. SR 22-6/CA 22-6 also noted that banks should determine if engaging in such activities is legal under relevant state and federal banking laws, and whether any filing requirements exist under various federal banking laws, including the Bank Holding Company Act, Federal Reserve Act, Federal Deposit Insurance Act and the Home Owners’ Loan Act.

Although neither the FDIC nor the Federal Reserve required that firms receive written supervisory non-objection, the practical effect may well be the same. The notice requirement will at least delay many activities, due to the Agencies’ perception of inherent risks in this evolving area.

The focus on digital asset-related activities as a risk concern, however, affords the banking regulators increased flexibility in regulating such activities.

Risk areas identified in agency guidance

The focus on digital asset activities as a risk management issue allows the Agencies to heavily rely on the interagency work they have participated in at the direction of the current presidential administration. As background, the Biden administration issued Executive Order 14067 on 9 March 2022, which directed federal financial regulators to, among other things, collaborate on developing an approach to digital asset regulation and also to identify potential systemic risks posed by digital assets.

Although these larger “fact finding” efforts have not resulted in specific rulemakings or guidance to date, the risks identified in the reports clearly inform the Agencies’ view of digital asset-related activities. Today, there is little debate that the current tone from top US financial regulators is more sceptical than supportive of prudentially regulated institutions engaging in digital asset activities. A great example of this scepticism can be found in a recent speech by the acting comptroller of the currency, Michael Hsu, who stated: “While I am sceptical of crypto’s real world utility today and hyper-aware of the risks it poses to consumers and the financial system, I cannot say with certainty that crypto is useless and should go away.” Recent statements by Federal Reserve vice chair for supervision Michael Barr echoed these concerns and used a similar metaphor for the need of appropriate “guardrails” for banking organisations to meet supervisory expectations.

“Guardrails” and “Gates”

The references to guardrails and gates are apt metaphors when applied to digital asset activities. They highlight a potential distinction between digital asset-related activities that the Agencies are focused on, without explicitly highlighting those digital asset activities that would almost by definition be considered a significant risk to safety and soundness.

Those regulated institutions, whether they provide trading, custody, or other services, effectively act as “gates” into the more regulated digital asset markets. For example, market participants entering through these “gates” would be subject to know your customer (KYC) screening consistent with applicable Bank Secrecy Act, anti-money laundering (AML) and sanctions obligations.

The “guardrails” are the limits and controls the banking organisation(s) and other prudentially regulated firms must employ to meet supervisory expectations. Riskier and more novel digital asset activities will require more stringent controls. The sufficiency of the “guardrails” employed by other market participants also factors into the development of a banking organisation’s control framework and the need for more rigorous third-party risk management practices.

Preparing gates, building guardrails

Although the current administration’s tone to date does much to temper excitement and any belief that a path forward will be presented in short order, it does not serve a bank well to operate under a “wait and see” model. Instead, even today a bank could be laying the foundation to prepare the gates and build the guardrails by considering risks and anticipating the reviews, policies and procedures that could be implicated and/or prepared to address such risks. There are several areas to consider, such as:

  • Regulatory treatment and risks for different digital asset types.
  • KYC and AML laws.
  • Product risks for different digital asset types.
  • Netting/Enforceability Opinion updates.

Here, a bank would be well positioned to begin constructing plans for how to address and consider these items. Without definitive guidance in some spaces, this is difficult, but not impossible. Today, making rough plans based around “If _____, then _____” will not only prepare a bank to be well positioned to act quickly following definitive guidance, but this can build the backbone of a level of internal expertise that can quickly react and adjust to what will continue to be a rapidly changing and evolving market.

Commodity? Security? Other?

A great example of how this “If ____, then ____” manifests in real terms would be around issues associated with the regulatory treatment of digital assets. Today, enforcement actions and public statements have started to help provide what can be bedrock considerations for policies and procedures. Banks will need to show an appreciation for how digital assets are being viewed, whether as a “commodity” subject to regulation by the Commodity Futures Trading Commission or a “security” subject to regulation by the Securities and Exchange Commission. Here, an often under-appreciated “next step” is the analysis of the nuances: there are different types of commodities, and the definition of “security” can differ depending on the relevant body of law (eg, the Securities Act of 1933 v the Investment Company Act of 1940). In the context of securities, it impacts whether a certain body of law applies. In the context of commodities, it impacts the availability of exemptions, particularly whether a transaction in the digital asset may qualify as an exempt forward contract, which does not apply to excluded commodities (eg, currencies, debt or equity instruments, or securities). Today, the structure of this analysis may be built out. For example, “If a commodity, then the next step is to consider if the digital asset would qualify as (A)(i) an agricultural commodity, (ii) an exempt commodity or (iii) a nonfinancial commodity or (B) an excluded commodity, and then the implications of this characterisation under the Commodity Exchange Act.”

Stablecoins may also present a unique regulatory analysis, particularly the more closely they are structured as a money market fund or function similarly to bank deposits, and therefore may present banks with novel issues beyond “Is it a commodity or a security?”

The banks should also be aware of the implications if certain digital assets may be regarded as both commodities and securities, were a construct created in the digital asset space similar to a “mixed swap” in the regulation of swaps (commodities) and security-based swaps (securities). If a product is deemed to be both, then a bank may consider leveraging existing policies and procedures associated with a mixed swap.


To comply with KYC and AML laws and regulations, financial institutions must, among other things, keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding USD10,000, identify and assess risk of customers, and report suspicious activity that might suggest money laundering, tax evasion, or other criminal activities. Here, digital assets will have their own unique issues, particularly in the context of hosted versus unhosted wallets.

Also, KYC and AML will extend beyond consideration for bank customers to include bank service providers who would like to reap the benefits of distributed ledger technologies in effecting real-time transactions (eg, T+0 settlements) and maintaining accurate records that are potentially less susceptible to error or deliberate distortion. As with other products, banks will need to oversee their vendors who, in the rush to be first to market, may have failed to fully appreciate the complexities and importance of financial regulations.

When dealing with new technologies, entrepreneurs are often first focused on the product and getting it out, and may be less focused (or less willing to focus) on regulatory requirements. Here, banks will need to consider whether the service provider’s product effects an exchange or transmission of a digital asset or other digital representation of value or a reference asset. They will also need to consider the implications of the Bank Secrecy Act (BSA) and FinCEN regulations for the new product/vendor review, since “administrators or exchangers” of digital assets may qualify as money services businesses.

Different products, different risks

Often, discussions about digital assets focus only on their regulatory implications. What can be overlooked is that the types and uses of digital assets are continuing to grow and appear to be limited only by the creativity and ingenuity of developers and entrepreneurs as more and more uses are realised. A digital asset could be a currency itself on a particular network/distributed ledger (eg, ETH) or a more general store of value or way to exchange value (eg, BTC), but more broadly a digital asset can represent anything from an asset (eg, wrapped tokens) to an access right, a right to a bored ape picture or a fraction of a piece of artwork, or an entry ticket to a concert.

Furthermore, there are several different properties that can be used to classify different token use cases (eg, protocol tokens v application tokens, fungibility, transferability, supply, token flow, stability, etc). Take stablecoins, for example. The term is often used with no other modifier, although this one product could be further described and identified by its underlying collateral structure: fiat-backed, crypto-backed, commodity-backed, and algorithmic. All present unique and very different risks, such as was seen with the collapse of Luna.

Appreciating all of this is also important to understanding that a discussion about “risks” for a bank is not only about risks directly to the institution, but also about the risks that these products present to customers and the industry. This then raises issues as to suitability, disclosures and how these products may be presented to customers.

UCC and legal opinions

Last but far from least, banks can now begin to take inventory of existing legal opinions that analyse the Uniform Commercial Code (UCC). Amendments adopted this summer by the American Law Institute (ALI) and Uniform Law Commission (ULC) deal with the rights of private parties in consensual transactions involving digital assets. If/when adopted by states, the changes not only introduce a new “Article 12” to the UCC but also amend Article 8 and Article 9.

As a result, banks may wish to start the process of appreciating the material changes so they can be flagged and confirmed during reviews of closing opinions. Such opinions may function in some ways like a “form” document, in that language that has not traditionally changed or been modified from deal to deal may need to be reconsidered and/or modified based on an updated UCC (which may also have implications for the underlying transaction documents).


The Agencies have spent the better part of 2022 expounding on the various risks posed by crypto-asset-related activities to the banking sector, providing no formal guidance for how firms may potentially address these risks, but that does not mean there is nothing to do today. Banking organisations would be wise to focus on building out compliance and risk controls to specifically address the key areas of risks identified in the reports and be prepared to address each in outreach to their respective regulator. In particular, the following are risk areas that are referenced in one or more of the interagency reports, the Biden administration’s “Framework for Responsible Development of Digital Assets” and/or Agency guidance:

  • Illicit activities and money laundering concerns, including due to a perceived gap in existing federal anti-money laundering laws as applied to certain digital asset service providers. 
  • Consumer protection concerns, including potentially unfair, deceptive or abusive practices.
  • Financial stability concerns caused, in particular, by the potential mass adoption of stablecoins and resulting disruptions to existing payment systems and funding markets.
  • Technology and cybersecurity risks, which may be exacerbated by open, permissionless networks.

  • Legal and compliance risks, including those stemming from uncertainty regarding the legal status of many crypto-assets (eg, whether a crypto-asset is a security or a commodity); potential legal exposure arising from consumer losses, operational failures, and relationships with crypto-asset service providers; and limited legal precedent regarding how crypto-assets would be treated in varying contexts, including, for example, in the event of loss or bankruptcy and applicable UCC laws.

Moore & Van Allen PLLC

100 North Tryon Street
Suite 4700
North Carolina 28202-4003

+1 (704) 331-1000