There are three types of depository institutions in the United States:

• commercial banks;
• savings associations (sometimes called thrifts, which specialise in deposit taking and mortgage lending); and
• credit unions (a cooperative financial institution formed for members of a common group who collectively own the institution, such as a group associated with an employer, business type, or branch of the military).

Charters for the different types of institutions (collectively, “banks”) are available for issuance both by individual US states and at the federal level. As a result, the banking system in the US is often referred to as a “dual” banking system. The decision regarding which charter type is the most appropriate and whether to apply for a state or federal charter is often driven by several considerations, including expected product and service offerings, anticipated customer base, the markets in which the bank will operate, examination costs, preference for or familiarity with a particular primary regulator, and the importance of federal law preemption of certain state laws to the bank’s business plans.

Given the variety of charters available and the option of obtaining a state or federal charter, the US regulatory structure governing banks is correspondingly complex. A state-chartered bank is regulated and supervised at the state level by the chartering state’s banking agency (under state laws and regulations) and by a federal bank regulator as well. The primary federal bank regulators are:

• the Office of the Comptroller of the Currency (OCC), which charters, regulates, and supervises national banks and federal savings associations;
• the Federal Deposit Insurance Corporation (FDIC), which insures deposit accounts and manages the deposit insurance fund; it also serves as the primary federal bank regulator and supervisor of state-chartered banks that have not elected to become members of the Federal Reserve System;
• the Board of Governors of the Federal Reserve System (the “Federal Reserve Board”), which regulates and supervises bank and financial holding companies, foreign banking organisations operating in the US, and any non-bank financial companies that have been designated as systemically important; it is also the primary federal bank regulator and supervisor of state-chartered banks that are members of the Federal Reserve System; and
• the National Credit Union Association (NCUA), which charters, regulates, and supervises national credit unions and insures deposit accounts of national and many state-chartered credit unions.

In addition to these federal agencies, the Consumer Financial Protection Bureau (CFPB) is responsible for implementing and enforcing compliance with federal consumer financial laws by large banks (those with more than USD10 billion in total consolidated assets) and their affiliates and certain other consumer financial services companies. Depending on their activities, banks and their affiliates also may be subject to supervision and regulation by the Securities and Exchange Commission, the Commodities Futures Trading Commission, and state insurance regulators (insurance is not regulated at the federal level in the United States), as well as other state, federal, or non-US regulators.

Important federal legislation that developed and governs the banking system in the United States includes the following:

• The National Banking Acts of 1863 and 1864 established a national banking system, authorised national bank charters, and established the OCC.
• The Federal Reserve Act of 1913 established the Federal Reserve System as the central banking system in the United States.
• The Banking Act of 1933 (also known as the Glass-Steagall Act) established the FDIC and separated commercial banking from investment banking.
• The Bank Holding Company Act of 1956 (BHCA) required the approval of the Federal Reserve Board to establish a bank holding company (BHC).
• The Gramm-Leach-Bliley Act of 1999 repealed Glass-Steagall’s separation of commercial and investment banking, created financial holding companies that are authorised to engage in underwriting and selling insurance and securities and to conduct merchant banking activities, and restricted disclosures of non-public consumer information.
• The Dodd-Frank Wall Street Reform and Consumer Financial Protection Act of 2010 (the “Dodd-Frank Act”) established measures to prevent systemic risks to the US financial system, a framework for the regulation of derivatives, and the CFPB.
• The Economic Growth, Regulatory Relief and Consumer Protection Act of 2018 modified some of the prudential requirements of the Dodd-Frank Act by raising the threshold of coverage of banking organisations subject to enhanced prudential standards.

In addition to these and other federal and state statutes governing bank powers and authorities, banks are subject to the regulations and rules of their regulators. Each federal bank regulator has implemented its own regulations that set out the licensing requirements, permissible activities and investments, and safety and soundness operating standards applicable to the banks each regulates and supervises. These federal banking regulations are set out in Title 12 of the Code of Federal Regulations.

Given the nature of the dual banking system, the specific licensing and application requirements to charter a bank will vary based on the type of bank charter and whether chartered at the state or federal level. The OCC sets out its application and licensing requirements for a national bank in its regulations and a licensing handbook. The process for chartering a national bank is set out below and is generally representative of the process for other bank charter types as well.

General Application Requirements

Organisers of the proposed national bank must apply to, and receive approval from, the OCC before the bank engages in banking business. In reviewing an application, the OCC:

• will ensure that the application is complete and required organisational documents for the bank have been filed, the required capital stock of the bank has been paid in, and the bank has at least five, and generally no more than 25, elected directors;

• will take into account the bank’s plans to meet the credit needs of the communities in which it would operate;
• will consider:
1. whether the organisers are familiar with applicable bank laws and regulations;
2. the experience and competency of the proposed management team and directors;
3. the bank’s business plan and the economic conditions and competitive considerations of the markets in which it plans to operate;
4. the sufficiency of the projected capital needs of the bank given the risks and complexity of its expected activities;
5. the reasonableness of the financial and profitability assumptions used in preparing the pro forma financial statements that accompany the application;
6. the ability of the bank to operate in a safe and sound manner; and
7. any public comments received in connection with the published notice announcing the filing of the application.
• may consider the risks a proposed insured bank would pose to the deposit insurance fund and any questions regarding the permissibility of its corporate powers.

National banks are required to specifically apply to exercise fiduciary powers and should include an application, if needed. A bank that intends for its deposit accounts to be insured must also file an application for deposit insurance with the FDIC. In addition, a BHC (or a company that would become one because of its proposed ownership interest in the new bank) is required to obtain approval from the Federal Reserve Board before the OCC will grant approval.

The Licensing Process

The bank’s organisers will generally hold a meeting with OCC staff to review the plans for the bank and raise any questions on the licensing process before applying for a charter. The organisers will also designate a person for the OCC to contact with questions during the application process. The OCC provides both a preliminary approval for the organisers to continue their efforts and a final approval before the bank can open for business.

Once preliminary approval has been obtained, the organisers can complete any remaining management hires, continue raising capital, and otherwise prepare for opening, including developing internal risk management and operating systems and adopting a written insiders’ policy addressing code of conduct and conflicts of interest. At least 60 days before the bank’s proposed opening and before final OCC approval may be issued, the bank must notify the OCC that organisational efforts have been completed and request that the OCC conduct a pre-opening examination.

For at least the first three years of its operation, the bank is required to receive a non-objection from the OCC before making any significant change to its business plan. The OCC must also review the bank’s hiring of new executive officers and election of new directors for at least the first two years of the bank’s operations.

Powers and Authorities

The powers and authorities of national banks are set out in legislation (including the National Bank Act) and through the OCC’s regulations and interpretive letters, including requirements for when the bank must file a notice to, or receive approval from, the OCC prior to engaging in a new activity.

State-chartered Banks

The application and licensing process for a state-chartered bank are governed by state law. The powers and authorities of a state bank are governed by state law and by federal law and the regulations of its primary federal regulator (the Federal Reserve Board or FDIC). Many states also have provisions in their banking laws, sometimes referred to as wild card provisions, providing state banks with the same powers and authorities as national banks.

Acquisitions of control of an insured bank are subject to the Change in Bank Control Act (CBCA) and the BHCA. Notice to the appropriate federal bank regulator is required to be filed at least 60 days prior to the acquisition of control, unless the transaction is exempt or otherwise subject to an after-the-fact notice requirement.

A person or entity (a “person”) controls a bank if it would, directly or indirectly, have the power to either (i) direct the management or policies of the bank; or (ii) vote 25% or more of any class of the bank’s voting securities. A rebuttable presumption of control exists if the person, directly or indirectly, has the power to vote 10% or more of any class of a bank’s voting securities if: (i) the securities are subject to registration under the Securities Exchange Act of 1934; or (ii) immediately after the transaction, no other shareholder would own or have the power to vote a greater percentage of the class. In determining the level of control that the person exercises, the agencies also consider whether the person is acting, or is deemed to be acting, in concert with others.

A 90-day after-the-fact notice requirement applies in circumstances where control is acquired due to circumstances beyond the person’s control, such as acquiring control through inheritance, a redemption of the bank’s voting securities, or by acquisition of the securities in satisfaction of a debt. Some acquisitions of control are exempt from the CBCA notice requirements, including transactions subject to approval under or transactions described in the BHCA. Under the BHCA, approval of the Federal Reserve Board is required for a BHC to either acquire a subsidiary bank, more than 5% of a class of a bank’s voting securities, or all, or substantially all, of a bank’s assets by one of its non-bank subsidiaries.

The agencies evaluate several factors in reviewing the notice, including any public comments on the transaction and whether the acquisition will result in a monopoly or substantially lessen competition or threaten the financial stability of the bank, is not in the interest of depositors or the public, or would result in adverse impacts to the deposit insurance fund.

Unless otherwise provided by the agency, a person deemed to have control due to ownership of more than 10% but less than 25% of the bank’s voting securities would be required to file another notice if their ownership interests later increase to 25% or more, but subsequent increases in ownership beyond that point would not be subject to additional filing requirements under the CBCA.

The review period is generally 60 days, but it may be extended. The agencies also may impose conditions on an acquiror, such as not materially changing the bank’s business or committing to providing capital and liquidity support to the bank. In the event of an adverse decision, the person may appeal the decision. If the agency has not acted on the notice before expiration of the waiting period, the person may proceed with the transaction.

State-chartered Banks

If the target bank is a state-chartered bank, the laws of the applicable chartering state should also be considered for potential change in control filing requirements.

Federal bank regulators have established standards for the safe and sound operation of a bank. Banks are expected to have internal operational and management systems and capabilities that are appropriate for the bank’s size, complexity, and risk profile, including for:

• internal controls and information systems;
• audit systems;
• loan documentation practices;
• credit underwriting practices;
• interest rate exposure;
• asset growth practices;
• asset quality practices; and
• earnings practices.

The agencies have also set standards for information security practices and, as discussed in 4.3 Remuneration Requirements, to prevent excessive compensation practices.

The OCC has also established guidelines for risk management for national banks with at least USD50 billion of total consolidated assets. The guidelines set heightened standards for the establishment of:

• a framework for the management of risk;
• the roles and responsibilities of risk-creating units at the bank, independent risk management, and audit;
• strategic plans, risk appetites, and concentration limits; and
• talent and compensation management programmes.

The guidelines also set standards for the role of the bank’s board of directors with respect to risk management.

At the BHC level, the Federal Reserve Board requires each BHC with at least USD50 billion or more of total consolidated assets to have a global risk management framework establishing policies and procedures for the management of risk at the firm and processes and systems for implementing and monitoring compliance with risk management policies and procedures.

State-chartered Banks

State-chartered banks would be subject to any corporate governance requirements established by applicable state laws or regulations. In October 2023, the FDIC issued proposed new corporate governance and risk management guidelines that would apply to state banks that are not members of the Federal Reserve System and that have USD10 billion or more in total assets. Influenced by the OCC’s guidelines for large national banks, the proposal seeks to strengthen the corporate governance practices of covered state banks by, among other things, setting out minimum composition standards for the board of directors and requirements for its committees. The proposal sets out expectations for the board’s oversight of compensation practices and for its review and approval of corporate policies. The proposal also includes requirements for the structuring and responsibilities of risk management responsibilities, the types of risk to be covered by the bank’s risk management programme, and processes for identifying and providing internal and external notification of violations of law.

As part of the licensing process for a national bank charter, the OCC will evaluate the qualifications of the organisers, directors, and executive officers, considering their familiarity with banking laws and regulations as well as experience with the expected business activities of the bank. The OCC must also review the hiring of new senior executive officers or the election of new directors for at least the first two years of the bank’s operations. Thereafter, the bank must provide the OCC with at least 90 days prior notice in the event of additions or changes to its board of directors and senior executive officers (or adding a new senior executive officer role to the responsibilities of an existing senior executive officer) if the bank is not in compliance with its minimum capital requirements, has been notified in writing by the OCC of a requirement that it do so, or has been determined to be in troubled condition (which results from deficiencies in the institution’s financial condition or risk management capabilities as reflected by its supervisory ratings, enforcement actions directed at its financial condition, or on other grounds as may be determined by the OCC).

Any required notice must include biographical and financial information, employment and compensation arrangements, fingerprint checks, tax check waivers, and consent to a background check. The OCC may disapprove of any member of the board or new senior executive officer (or change in their role) given the OCC’s evaluation of the person’s character, competency, integrity, or experience. Management officials of a bank are also generally prohibited from serving as a management official of an unaffiliated bank if the management interlock would likely have an anti-competitive effect.

Residency and Citizenship Requirements for Directors of National Banks

Unless a waiver is requested by the bank and granted by the OCC, directors of national banks must be citizens of the United States. Waivers of this requirement by the OCC are discretionary, but non-US citizens may not make up more than a minority of the total number of directors on the board. In connection with a citizenship waiver request, the bank must submit biographical, financial, and other information on the director.

A majority of directors must also be a resident of the state where the bank is located or within 100 miles of the location of the bank’s designated main office for at least one year prior to their election and during their term of service. The OCC may waive this requirement in its discretion and with no limit on the number of waivers granted.

Roles and Responsibilities of Bank Directors and Senior Management

The board of a national bank is accountable for the oversight of the bank’s management, provision of leadership to the bank, and establishment of the bank’s values. The board is also responsible for creating a risk governance framework for the bank and setting the bank’s strategic direction and its appetite for risk.

While the board is responsible for strategic direction and oversight, senior management is responsible for the day-to-day running of the bank’s operations. The board should hold management accountable for accomplishing the bank’s strategic objectives while operating within an approved risk appetite framework. The board carries out its responsibilities by exercising informed and independent judgement and providing credible challenge to management’s decisions and recommendations.

In addition to having a variety of skills and expertise appropriate for the bank’s activities, the board should include an appropriate mix of executive directors and those who are independent of any familial or business relationships with the bank or its management. The OCC’s heightened standards for banks with total consolidated assets of at least USD50 billion require that at least two members of the board be independent. The OCC does not require that the chair of the board be an independent director.

Expectations for Bank Holding Company Directors

The Federal Reserve Board has also established key attributes for an effective board of directors that are applicable to a BHC with total consolidated assets of at least USD100 billion. Boards are expected to:

• set a clear direction for strategy and risk appetite;
• undertake direct management of the board’s information needs;
• oversee and hold management accountable;
• support the independence and stature of independent risk management and audit functions; and
• maintain a capable board compensation and governance structure.

Regulations of the Federal Reserve Board also require each BHC with at least USD50 billion of total consolidated assets to have a risk committee on its board that is responsible for approving and periodically reviewing the firm’s risk management policies and overseeing the operation of a global risk management framework. The committee must have at least one member with experience in identifying, assessing, and managing risk exposures at large, complex financial firms and be chaired by a director who meets defined independence standards. In addition, the risk committee of a BHC with at least USD100 billion of total consolidated assets must also review and approve a contingency funding plan for the BHC and any material revisions to the plan.

The BHC must also have a chief risk officer (CRO) with experience in identifying, assessing, and managing risk exposures at large, complex financial firms. The CRO is responsible for:

• oversight of the firm’s establishment and monitoring of enterprise risk limits;
• implementation and compliance with risk management policies and procedures; and
• management, monitoring, and testing of controls.

The CRO is required to report directly to both the board’s risk committee and to the chief executive officer. The CRO’s compensation must be consistent with its role of providing an objective assessment of risks taken by the BHC.

State-chartered Banks

State-chartered banks would be subject to any director or senior management registration and oversight requirements established by applicable state laws or regulations.

As part of the safety and soundness standards established by the federal bank regulators, banks are required to implement safeguards to prevent excessive compensation, fees, and benefits to officers, employees, directors, or principal shareholders that could lead to material losses. Compensation is considered excessive, and is prohibited as an unsafe and unsound practice, if the amounts are unreasonable or disproportionate to the services performed. Factors banks should evaluate include:

• the aggregate compensation paid (both cash and non-cash benefits);
• compensation history in comparison to payment to others with comparable expertise;
• the financial condition of the bank;
• comparable compensation practices at peer banks;
• projected total costs of benefits; and
• any connections between the individual and fraudulent acts or insider abuse.

In addition, federal bank regulators have issued guidance to assist banks in developing sound incentive compensation practices. Banks are expected to regularly review their compensation arrangements with senior executives and others responsible for oversight of organisation-wide activities or material business lines and employees who individually, or as part of group, can expose the organisation to material amounts of risk. Compensation arrangements that are tied to achievement of specific metrics should balance risk and reward appropriately, be compatible with effective controls and risk management, and support strong corporate governance.

State-chartered Banks

State-chartered banks would also be subject to any compensation restrictions or limitations established by applicable state laws or regulations.

Financial institutions are responsible for performing several key functions to combat money laundering and terrorist financing in the US financial system.

Customer Identification and Verification

Every bank must adopt a Customer Identification Programme (CIP) with written procedures for opening an account. The CIP must specify the identifying information that will be obtained from each customer and include risk-based procedures for verifying the customer’s identity. It must also include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer.

Banks also must request beneficial ownership information from all legal entity customers and apply identification and verification protocols to the individual beneficial owners.

Sanctions Controls

Prior to opening an account, banks must screen customers and related parties, as necessary, against the lists of sanctioned persons/entities maintained by the Office of Foreign Assets Control (OFAC), the division of the U.S. Department of the Treasury responsible for administering economic and trade sanctions. Additionally, banks have a continuing obligation to screen existing customers, related parties, and transactions against the OFAC list.

Customer Due Diligence

Banks must establish effective, risk-based customer due diligence (CDD) systems and monitoring programmes to detect potential illicit financial activity. To accomplish this, they must develop customer risk profiles that can then be used as a baseline against which customer activity can be assessed for possible suspicious activity. The CDD programme must include procedures governing “enhanced” customer due diligence – ie, the application of heightened standards for collection and verification of customer information based on known customer risk factors, and ongoing monitoring of customers with higher risk profiles. It must also include procedures for filing Currency Transaction Reports, filing Suspicious Activity Reports, and reporting other necessary information as required. See 7.1 Bank Secrecy Requirements for additional information.

Record-keeping and Retention

Banks must document all identity verification methods, any documents relied on during customer verification, and the resolution of any discrepancies that arose during the identification or verification process for each customer. Banks must securely maintain records, including identifying information and descriptions of the records, for the applicable mandatory retention period.

The FDIC insures deposit products at each insured state or federally chartered bank (deposit accounts at credit unions are insured by the NCUA) up to the applicable insurance coverage limit. Coverage for FDIC insurance is not limited to citizens and residents of the United States and applies automatically when any person opens a deposit account at an insured bank.

Examples of Deposit Products Covered by FDIC Insurance

• checking accounts, negotiable order of withdrawal accounts, and savings accounts;
• Money Market Deposit Accounts;
• Certificates of Deposit; and
• cashier’s checks and money orders;

Examples of Financial Products NOT Covered by FDIC Insurance

• stocks, bonds, mutual fund investments, and municipal securities;
• life insurance policies;
• annuities;
• US Treasury bills, bonds, or notes; and
• cryptocurrency assets;

Coverage for Deposits with Foreign Banks or that are Payable Outside of the United States

Deposits at an FDIC-insured branch of a foreign bank that are contractually payable in the United States are insurable, unless it is a deposit to the credit of the foreign bank or any of its offices, branches, agencies, or any wholly owned subsidiary.

Deposits payable solely at an office of an insured bank located outside of the United States are not considered deposits for FDIC eligibility insurance purposes.

Limits of Coverage

The standard FDIC insurance amount is USD250,000 per depositor at the bank and for each account ownership category (noted below) held at the bank. All accounts held by the depositor at the bank in the same account category are added together and insured up to the USD250,000 limit for each account category. Deposit account categories include:

• single accounts;
• joint accounts;
• designated retirement accounts like IRAs;
• revocable trust accounts;
• corporation, partnership, and unincorporated association accounts;
• irrevocable trust accounts;
• employee benefit plan accounts; and
• government accounts.

In instances involving bank failures that may pose a systemic risk to the financial system, the FDIC and the Federal Reserve Board may seek invocation of an exception from applying the insurance coverage limits. This exception was utilised in March of 2023 when the failure of several large banks led to concerns that their failure could trigger further instability and bank failures.

Treatment of Fiduciary Accounts

Funds deposited by a fiduciary on behalf of an owner in a deposit account are insured as deposits of the funds’ owner if the fiduciary nature of the account is disclosed in the bank’s deposit account records. The name and ownership interest of each owner must be ascertainable either from the deposit account records at the bank or from records maintained by the agent. The FDIC aggregates an owner’s funds deposited by the fiduciary along with other deposits of the owner in the same ownership category at the bank for purposes of determining the aggregate dollar amount of insured deposits.

What Happens to Insured Deposits When the Bank Fails

When an insured bank fails, the FDIC may find another bank that is willing to purchase and assume its deposits. In this case, the insured depositors of the failed bank become depositors of the purchasing bank. To the extent a depositor otherwise already has deposit accounts at the purchasing bank, the new deposits are separately insured for a temporary period to allow the depositor time to move or otherwise restructure how or where their deposits are held.

If a bank cannot be found to purchase the deposits, the FDIC closes the institution and pays depositors their applicable deposit insurance amount. The FDIC also acts as the receiver of the failed institution by collecting and selling the institution’s assets to settle its debts, which include claims by depositors for deposit amounts that exceeded the insurance limit.

Funding Deposit Insurance

The FDIC’s Deposit Insurance Fund (DIF) is funded through assessments on insured banks and interest earned on these assessments through investments in US government obligations. Insured banks are assessed by multiplying the bank’s assessment rate by its assessment base. The assessment rate for each bank considers financial and risk-based measures. A bank’s assessment base is its average consolidated total assets minus its average tangible equity. If a systemic risk exception is invoked during a bank failure, the FDIC recovers losses to the deposit insurance fund through special assessments.

The Bank Secrecy Act (BSA) is a reference to a series of laws and regulations requiring financial institutions to establish programmes, maintain records, and provide reporting to assist US government agencies in detecting and preventing money laundering and the financing of terrorism. The BSA requires banks to undertake ongoing customer monitoring and establish procedures for:

• keeping records of cash purchases of negotiable instruments;
• filing reports for certain cash transactions; and
• filing reports for any transaction activity or patterns that may indicate money laundering, tax evasion, or other illicit financial activity.

Banks are required to have a board-approved BSA/anti-money laundering programme that provides for internal controls and independent testing, the designation of a responsible officer for co-ordinating and monitoring compliance, and for training of employees. Banks are also required to adopt a CIP and establish, with reasonable certainty, the true identity of each customer — or, for legal entity customers, the identities of its beneficial owners — prior to beginning a banking relationship.

Beneficial Ownership Reporting

Under the Corporate Transparency Act (CTA), a subdivision of the Anti-Money Laundering Act of 2020, entities organised under US law and any entity registered to do business in the US will be required to self-report the identities of all of its beneficial owners to the Financial Crimes Enforcement Network (FinCEN). The FinCEN rule implementing the CTA is effective 1 January 2024. Once beneficial ownership information is reported to FinCEN, the agency will be responsible for maintaining a non-public national beneficial ownership registry accessible to law enforcement agencies and to financial institutions upon request.

Suspicious Activity Reporting

The BSA requires banks to monitor for, detect, and report suspicious activity that is attempted, conducted by, at, or through the bank. Banks must conduct ongoing monitoring and surveillance of customer accounts to identify and report suspicious transactions.

Banks are required to report suspicious activity (a suspicious activity report, or SAR) upon detection of facts or circumstances indicative of potential money laundering, check fraud, cybersecurity breaches, wire transfer fraud, mortgage and consumer loan fraud, embezzlement, official corruption or self-dealing, identity theft, terrorist financing, or other BSA violations. The SAR should provide sufficient detail to outline who conducted the activity, the nature of the activity and how it was conducted, when and where the activity took place, and why the activity was deemed suspicious. The SAR must be filed within 30 days of detecting the suspicious activity, though a filing may be delayed for an additional 30 days to identify a suspect.

SARs are subject to strict confidentiality requirements preventing disclosure of the fact that a SAR is being prepared, or has been filed, or any information related to the SAR. If a bank is subpoenaed or otherwise directed to disclose the SAR or information within it, banks are required to decline to do so and to notify their regulator. Copies of filed SARs are required to be maintained subject to required retention periods.

Unauthorised disclosure of SARs can result in both civil and monetary penalties.

Currency Transaction Reports

Banks are also required to report a person’s currency transactions that exceed USD10,000 in a single day, whether through one or a series of transactions. A currency transaction report (CTR) must be filed regardless of the reasons for the transaction. Transactions cannot be broken into smaller amounts for the purpose of avoiding reporting requirements. This activity (referred to as “structuring”) constitutes suspicious activity that must be reported.

The CTR requirement is triggered every time a person exceeds the single-daily threshold unless the person is exempt. Exempt persons include banks, government agencies, and certain commercial customers for certain types of transactions.

Violations of BSA reporting requirements can result in both civil and monetary penalties of up to USD100,000 or up to USD250,000, respectively, and imprisonment.

The Basel Committee on Banking Supervision (BCBS) develops prudential regulatory, supervision, and risk management standards to enhance the stability of the global financial system. In 2010, the BCBS announced a framework known as Basel III that was designed to increase the level and quality of capital banks are required to maintain, limit leverage at banks, improve liquidity risk management practices, and limit procyclicality. The United States serves as a participating BCBS member. In 2013, US federal bank regulators adopted capital, liquidity, and leverage requirements for depository institution holding companies and depository institutions (collectively, “banking organisations”) that are considered generally consistent with the BCBS Basel III framework.

The federal banking regulators have continued to adjust the US Basel III requirements since that time, including implementing tailoring approaches to apply the most stringent requirements to subsets of the largest banking organisations (those with USD100 billion or more of total consolidated assets). The failure of several large banks in March of 2023 and the agencies’ efforts to amend the US Basel III capital rules to align them with BCBS reforms to the global Basel III framework resulted in the proposal in 2023 of significant changes to the capital rules, which are discussed in 10.1 Regulatory Developments.

Regulatory Capital Minimums

The US Basel III rules set out the elements of regulatory capital for banking organisations and two methodologies for measuring the organisation’s risk-weighted assets (RWAs): a standardised approach using supervisory developed models for risk weighting, and an advanced approach for large, internationally active banking organisations using the organisation’s internal models. Capital ratios are calculated by dividing the organisation’s regulatory capital by its total RWAs. Minimum regulatory capital ratios are required for Common Equity Tier 1 (CET1) Capital (4.5%), Tier 1 Capital (6.0%), and Total Capital (8.0%). Under US Basel III, institutions using the advanced approaches are required to calculate each ratio under both the standardised and advanced approaches and then use the more binding output calculation of the two. In addition, banking organisations are required to maintain a 4.0% minimum leverage ratio of Tier 1 Capital to average total assets.

To avoid limitations and restrictions on capital distributions and certain discretionary bonus payments, banking organisations must also maintain an additional 2.5% CET1 capital conservation buffer on top of the minimum 4.5% CET1 requirement.

Some smaller banking organisations (those with less than USD10 billion of total consolidated assets and that meet other qualifying conditions) may elect to use a simplified method for calculating their regulatory capital ratio. Organisations using the community bank leverage ratio framework are not required to calculate and report RWAs but instead must have a leverage ratio of more than 9.0%. Provided the organisation’s leverage ratio remains above 9.0% and the organisation remains qualified for use of this framework, the bank will be considered compliant with regulatory capital minimums and the capital conservation buffer.

Additional Requirements for Large Banking Organisations

The largest banking organisations are subject to additional buffers, surcharges, and requirements. The banking regulators currently scale application of these requirements by dividing these organisations into one of four categories:

• Category I: only US BHCs that have been designated as global systemically important banks (GSIBs);
• Category II: banking organisations that are not US GSIBs but have either (i) USD700 billion or more of total consolidated assets, or (ii) USD100 billion or more of total consolidated assets and USD75 billion or more in cross-jurisdictional activity;
• Category III: banking organisations that are not Category I or II having (i) USD250 billion or more of total consolidated assets, or (ii) USD100 billion or more of total consolidated assets and USD75 billion or more of certain risk indicators (short term wholesale funding, non-bank assets, or off-balance sheet exposures); and
• Category IV: banking organisations that are not Category I, II, or III and have USD100 billion or more of total consolidated assets.

Current enhanced requirements for these institutions are set out below.

Stress capital buffers (SCB)

Large banking organisations that are BHCs are subject to annual assessment by the Federal Reserve Board of the effectiveness of the firm’s capital planning processes and of the sufficiency of its regulatory capital both to absorb losses during adverse economic conditions and to allow the organisation to continue meeting its obligations and serving its customers.

The Federal Reserve Board incorporates the results of required stress testing into the regulatory capital requirements of covered BHCs by replacing the capital conservation buffer with the SCB. The size of each firm’s SCB is assessed annually based on the impact on its CET1 from the application of the stress testing, with a floor for the buffer of at least 2.5%.

Countercyclical capital buffer

Category I, II, and III firms would be subject to a countercyclical capital buffer if imposed. This buffer is discretionary.

Surcharges on GSIBs

The Federal Reserve Board applies a capital surcharge to US GSIBs. The amount of a US GSIB’s surcharge, which must be at least a 1.0% add-on to its CET1 requirements, is reassessed annually and based on an evaluation of the GSIBs’ systemic importance during the prior year.

Supplementary leverage ratio

Category I, II, and III organisations are subject to a minimum supplementary leverage ratio (SLR) of 3.0%. The SLR is calculated by dividing Tier 1 Capital by total leverage exposure. A Category I organisation (a GSIB) is also subject to an enhanced SLR requirement that imposes a 2.0% leverage buffer above the minimum 3.0% SLR, for a total effective minimum SLR of 5% for these organisations.

Liquidity requirements

Large banking organisations are subject to liquidity risk management and net stable funding rules. The liquidity risk management rules establish a minimum liquidity coverage ratio (LCR) requiring Category I and II organisations to hold high-quality liquid assets in an amount equal to or greater than the institution’s projected net cash outflows during a 30-day stress period. Category III and IV organisations are subject to the LCR on a reduced basis. The LCR would also apply to the insured bank subsidiary of a Category I, II, III, and IV holding company if the bank has USD10 billion or more of total consolidated assets. The rule also establishes enhanced liquidity risk management testing requirements and standards.

In addition, Category I and II organisations are required to maintain a minimum net stable funding ratio (NSFR) of its available stable funding to its required stable funding of at least 100%. Category III and IV organisations are subject to the NSFR on a reduced basis. The NSFR would also apply to an insured bank subsidiary of a Category I, II, III, and IV holding company if the bank has USD10 billion or more of total consolidated assets.

Prompt Corrective Action

Insured banks are subject to prompt corrective action (PCA) regulations that impose limitations on their activities for failing to meet identified regulatory capital minimums. The PCA framework assigns banks to one of five categories that measure the institution against risk-based capital and leverage ratios:

• well capitalised;
• adequately capitalised;
• undercapitalised;
• significantly undercapitalised;
• and critically undercapitalised.

To be considered well capitalised, a bank must have a minimum CET1 ratio of at least 6.5%, a tier 1 capital ratio of at least 8%, a total capital ratio of at least 10%, and a tier 1 leverage ratio of at least 5.0%. If the bank is a subsidiary of a BHC with more than USD700 billion in total consolidated assets, an SLR of 6.0% is also required for the bank to be considered well capitalised. As a bank falls into lower capital categories, the PCA framework imposes increasingly severe restrictions and limitations on its activities and triggers supervisory response measures and directives.

State-chartered Banks

In addition to applicable federal requirements, a state-chartered bank may also be subject to additional regulatory capital and liquidity requirements that may be imposed by applicable laws or regulations of its chartering state.

The FDIC acts as the receiver or liquidator of failed banks. The determination of whether to close a bank is usually made by the bank’s chartering national or state agency, and the FDIC will then generally be appointed as the receiver of the bank. The FDIC acts to protect the interest of depositors and to preserve and maximise the assets of the bank.

The FDIC’s options to resolve a failed bank include:

• Purchase and assumption transactions: The FDIC markets and receives bids for the failed bank’s assets and liabilities. A healthy bank purchases and assumes the insured deposits of the failed bank and may also purchase other assets. This is the most common resolution method, but the FDIC has indicated through recent proposed rulemakings that purchase and assumption transactions may not be a viable option for some institutions given their size, which limits the number of potential acquirers and increases transactional complexity.
• Deposit payoffs: The FDIC pays the failed bank’s insured depositors up to the maximum insured amount.

Any remaining assets of the bank would then be liquidated and made available to satisfy the claims of the bank’s creditors (including uninsured depositors) according to their relative priority in payment. Uninsured depositors are paid ahead of the bank’s general creditors, with the remaining amounts, if any, then paid to the bank’s stockholders.

The FDIC is required to pursue the least-cost resolution approach in resolving a failed bank. However, if a bank’s failure poses a systemic risk, the FDIC and the Federal Reserve Board may seek to invoke a statutory systemic risk exception and forego these requirements, which may include guaranteeing deposits above the USD250,0000 limit. The systemic risk exception was used in March 2023 to guarantee the deposits of several failed banks based on concerns that their failure presented contagion risk to the financial system.

Although the use of the US bankruptcy code remains the preferred method of resolution for holding companies, the FDIC also has the authority to resolve large, complex holding companies. The FDIC may exercise this authority (its orderly liquidation authority, or OLA) with the agreement of a two-thirds majority of the board of the Federal Reserve Board and the Treasury Security, in consultation with the President. The FDIC is authorised to borrow money from the U.S. Treasury to fund the resolution. To the extent these funds are not recovered during the resolution process, the FDIC will assess any deficit on other large, complex financial institutions.

To help ensure a credible plan is in place for their orderly resolution, BHCs with total consolidated assets of USD250 billion or more are periodically required to submit resolution plans (also referred to as “living wills”) to the Federal Reserve Board, the FDIC, and the Financial Stability Oversight Council. The Federal Reserve Board is also authorised to apply living will requirements, and other prudential requirements, to a BHC with less than USD250 billion, but more than USD100 billion, of total consolidated assets if the Federal Reserve Board determines that the requirements are appropriate to address or mitigate financial stability risks. Additionally, insured depository institutions with USD50 billion or more in total assets are required to periodically submit resolution plans to the FDIC to provide information demonstrating how the bank could be resolved in an orderly and timely manner. National banks with USD50 billion or more in total consolidated assets must also develop and maintain recovery plans detailing actions the bank could take to remain a going concern when the bank is experiencing financial stress, but resolution is not imminent, and GSIBs are subject to similar requirements under the Federal Reserve Board’s recovery planning guidance.

The Federal Reserve Board and FDIC are required to review the credibility of each BHC’s plan and may make, jointly, a determination that the plan is not credible. The failure of the firm to address identified plan deficiencies may result in more stringent capital, leverage, or liquidity requirements or limits on growth, activities, or operations. If the BHC is ultimately unable to address the deficiencies, the agencies may require the BHC to divest assets or operations.

For US GSIBs, the principal resolution strategy is a single-point-of-entry (SPOE) approach, where only the top-tier parent company enters bankruptcy proceedings while subsidiaries of the holding company continue to operate or are wound down in an orderly manner. To enhance the effectiveness of the resolution strategy, the Federal Reserve Board requires each GSIB to maintain a minimum amount of total loss-absorbing capacity (TLAC) made up of a minimum amount of long-term debt and Tier 1 Capital. A GSIB is also required to maintain a buffer above the minimum TLAC amount. Falling below the buffer may result in limitations on its ability to make capital distributions and certain discretionary bonus payments. GSIBs must also hold a minimum amount of long-term debt to absorb losses and serve as a source of capital in resolution.

While transformational change to the US regulatory framework governing banks occurs on timeframes measured by decades, targeted additions and refinements to the framework are ongoing regulatory developments. Areas of regulatory focus in the near term are expected to include: legislative and regulatory responses to the 2023 failure of several banks; significant revisions to the US Basel III capital rules; and the CFPB’s continued efforts, and legal challenges to its efforts, to curtail some fees and charges imposed by banks and to address discriminatory practices across product and service offerings and in decision-making processes.

Legislative and Regulatory Responses to March 2023 Bank Failures

In early 2023, the US banking sector experienced the failure of several large regional banks. A number of legislative and regulatory proposals have been developed in response to, or were influenced to some degree by, these bank failures.

Long-term debt requirements (LTD)

To improve their resolvability, US GSIBs are subject to a LTD requirement. Following a 2022 advanced notice of proposed rulemaking and acknowledging the March 2023 bank failures, the FDIC, the Federal Reserve Board, and the OCC have proposed a rule that would expand the number of institutions that would be subject to a minimum amount of eligible LTD to include holding companies and insured depository institutions with USD100 billion or more in total assets. Covered companies would be required to issue and hold a minimum amount of eligible LTD equal to the greater of 6% of their risk-weighted assets, 3.5% of their average total consolidated assets, and 2.5% of their total leverage exposure (for those subject to the supplementary leverage ratio). The proposal includes prohibitions on covered companies entering into certain transactions that could impede their orderly resolution and limitations on the amount of their liabilities that are not LTD.

Reversal of 2018’s regulatory tailoring

Legislation in 2018 sought to reduce the regulatory burden on large banking organisations that were not U.S. GSIBs by providing for a rollback of the scope of banking organisations subject to enhanced capital and liquidity and other related prudential requirements put in place under the Dodd-Frank Act. Many requirements originally applicable to larger banking organisations no longer applied or had limited application to non-US GSIBs. Following the March 2023 bank failures, the Biden Administration called for the banking agencies to reinstate enhanced capital and liquidity requirements.

Resolution planning developments

In August 2023, the FDIC and the Federal Reserve Board issued proposed guidance to enhance resolution planning efforts by bank holding companies with at least USD250 billion in total assets and that are not otherwise already subject to resolution planning guidance. The guidance addresses agency expectations for resolution planning elements associated with the company’s specific resolution strategy, capital and liquidity considerations, governance, derivatives and trading activities, and other operational capabilities. For companies that use a SPOE approach, the proposed guidance largely aligns requirements to those applicable to GSIBs. Companies that use a multiple-point-of-entry (MPOE) approach, involving the parent company’s entry into bankruptcy along with resolution of its subsidiaries under their respective regimes, would be subject to certain elements of the GSIB guidance and additional requirements targeted at supporting the bank’s resolution.

Separately, the FDIC proposed a rule that would impose more frequent and substantial resolution planning requirements on insured banks with USD100 billion or more in total assets, requiring them to submit comprehensive resolutions plans every two years (currently every three years), with supplemental submissions to their comprehensive plans in intervening years. Additionally, insured banks with at least USD50 billion, but less than USD100 billion, in total assets have been subject to a moratorium on resolution plan submissions since November 2018. Under the proposed rule, these banks would be required to submit a more limited “information filing”, not including a resolution strategy, with these filings. If finalised as proposed, the first submissions for covered banks are expected in early 2025.

Revisions to the US Basel III Capital Rules

On 27 July 2023, the FDIC, the Federal Reserve Board, and the OCC jointly published proposed rules to amend the regulatory capital framework for large banking organisations (those with USD100 billion or more of total assets), including revisions to implement BCBS reforms to the global Basel III capital rules (sometimes referred to as Basel III Endgame). These reforms will have a significant impact on the regulatory capital framework applicable to large banking organisations through revisions to requirements associated with credit risk, market risk, operational risk, and credit valuation adjustment risk and changes made to enhance the transparency of the capital framework and to promote consistency across banking organisations.

The proposals would also require all large banking organisations (rather than some of these organisations) to include unrealised gains and losses associated with certain securities in their capital ratios, to comply with a supplementary leverage ratio requirement, and to comply with any imposed countercyclical capital buffer. If finalised as proposed, the rule would require full compliance by 1 July 2028, after a multi-year transition period beginning on 1 July 2025.

CFPB Supervisory and Enforcement Priorities

The CFPB is expected to continue its supervisory and enforcement efforts on fees and charges for consumer financial products that it deems unfair to consumers and on discrimination in the provision or offering of consumer financial products and services. In addition, the CFPB proposed new rules in 2023 to establish customer data access rights to transaction and account information. While the CFPB focuses on these and other areas, it also faces continued legal challenges to its supervisory and enforcement policy objectives as well as to the constitutionality of its funding structure.

Fees and charges

The CFPB has continued focusing its supervisory and enforcement attention on what it characterises as “junk fees” by seeking public comment on bank practices and proposed rules with respect to certain bank account, credit card, and other financial product fees and charges, such as late payment fees and non-sufficient funds fees.

“Open banking” and data protection

In October 2023, the CFPB proposed a Personal Financial Data Rights Rule that would require depository and non-depository entities to make certain financial data regarding a consumer’s transactions and accounts available to the consumer and their authorised third parties at no cost. The proposal would also impose data privacy obligations on third parties authorised to access the consumer’s data. If finalised as proposed, the rule would be implemented with a staggered compliance deadline depending on the size or revenue of the institution.

Legal challenges

The CFPB continues to face legal challenges to its power to regulate consumer financial protection laws. In October 2023, the U.S. Supreme Court heard arguments regarding the constitutionality of the CFPB’s funding structure. In addition, there are other ongoing challenges to the CFPB’s policy objectives.

Discriminatory practices

In 2022, the CFPB updated its examination manual for unfair, deceptive or abusive acts or practices (UDAAP) to provide direction to examiners in evaluating discriminatory practices as potential unfair practices prohibited by the Dodd-Frank Act. The updates direct examiners to evaluate whether the institution has internal processes to prevent discrimination in the offering or provision of its products or services and whether the institution reviews, tests, and monitors its decision-making processes for discrimination.

The CFPB’s assertion that discriminatory practices may be UDAAP violations resulted in a legal challenge by several trade associations. The trade associations argued, among other things, that the Dodd-Frank Act’s UDAAP provisions, unlike other statutory authorities the CFPB enforces, are not directed at discriminatory practices. The trade associations argued that the CFPB had exceeded its statutory authority, failed to follow administrative procedural requirements in issuing the manual without seeking public review and comment, and acted arbitrarily and capriciously in issuing the updated manual. In addition, the lawsuit alleged that the funding structure for the CFPB violated the U.S. Constitution. In September 2023, a federal district court vacated the updates to the manual, holding that the CFPB had exceeded its statutory authority in issuing the revisions.

Small business lending application data collection

In March 2023, the CFPB introduced a rule required by the Dodd-Frank Act requiring lenders to collect and report data on small business credit applications. Issuance of the rule was challenged in a Texas U.S. District Court, and in July 2023, the court ordered the CFPB not to implement or enforce the rule against the plaintiffs. In addition, both the U.S. House and Senate approved resolutions in October 2023 to override Rule 1071. President Biden is expected to veto the resolution.

These litigation matters, even if unsuccessful, reflect ongoing challenges to the CFPB’s efforts to execute its supervisory and enforcement policy objectives.

The most recent regulatory developments in the United States addressing environmental, social, and governance (ESG) issues have centered around climate-related risks and legislative responses by some states to counter the actual or perceived implementation of ESG principles by financial institutions.

Climate

In Spring 2022, the SEC issued a proposed rule that would require registrants to include climate-related disclosures in their registration statements and periodic reports and to disclose the registrant’s greenhouse gas emissions. The proposal would apply to all publicly traded companies. Finalisation of the rule has been delayed, with publication of a final rule expected no earlier than the last quarter of 2023. At the state level, California recently enacted two climate-related disclosure laws that require covered US companies that do business in California to disclose certain greenhouse gas emissions and to publicly disclose, on a biennial basis, their climate-related financial risks and any measures adopted by the company to mitigate or adapt to those risks.

During 2023, the Federal Reserve Board conducted a pilot climate scenario analysis exercise involving six large banks. The purpose of the pilot was to enhance the ability of both banks and supervisors to measure and manage the financial risks of climate change. The Federal Reserve Board expects to publish results and lessons learned from the exercise at an aggregate, not individual bank, level and has indicated the pilot will not result in capital consequences for the participating banks.

In addition, the FDIC, the Federal Reserve Board, and OCC finalised their Principles for Climate-Related Financial Risk Management for Large Financial Institutions in late October 2023. The principles apply to financial institutions with over USD100 billion in total consolidated assets and establish a framework for the management of exposures to climate–related financial risks. The principles address the following:

• the role of the board of directors and management in managing climate-related risks;
• the need to reflect characteristics of climate risk into policies, procedures, and limits;
• the incorporation of climate-related risks into business strategy, risk appetite, and financial, capital, and operational planning;
• the development and integration of processes to integrate climate-related financial risk exposures into the bank’s existing risk management framework;
• the incorporation of climate-related financial risk information into data aggregation, risk measurement, and reporting; and
• the development of scenario analysis to assess the potential impact on the bank of changes in economic conditions and the financial system from climate-related risks.

The principles also discuss the need for banks to address the impact of climate-related risks on various existing risk types, including credit risk, liquidity risk, financial risk, operational risk, legal and compliance risk, and other non-financial risks like strategic and reputational risk.