There are three types of depository institutions in the United States (“banks”):

• commercial banks;
• savings associations (which specialise in deposit taking and mortgage lending); and
• credit unions (a co-operative financial institution formed for members of a common group who collectively own the institution).

Bank charters are available at the state and federal levels. The selection of the charter type can be driven by expected product and service offerings, anticipated customer base, the markets in which the bank will operate, examination costs, preference for a particular primary regulator, and the importance of federal law pre-emption of certain state laws to the bank’s business plans.

A state-chartered bank is regulated and supervised by both the state’s banking agency and by a federal bank regulator. The primary federal bank regulators are:

• the Office of the Comptroller of the Currency (OCC), which charters and regulates national banks and federal savings associations;
• the Federal Deposit Insurance Corporation (FDIC), which insures bank deposit accounts and serves as the primary federal regulator of state-chartered banks that elected not to become members of the Federal Reserve System;
• the Board of Governors of the Federal Reserve System (the “Federal Reserve Board”), which regulates bank and financial holding companies, foreign banking organisations operating in the USA, and any designated systemically important non-bank financial companies; it is also the primary federal regulator of state-chartered banks that are members of the Federal Reserve System; and
• the National Credit Union Association (NCUA), which charters and regulates national credit unions and insures deposit accounts of credit unions.

In addition to these federal agencies, the Consumer Financial Protection Bureau (CFPB) is responsible for implementing and enforcing compliance with federal consumer financial laws by large banks and certain other consumer financial services companies. Depending on their activities, banks and their affiliates also may be subject to supervision and regulation by the Securities and Exchange Commission (SEC), the Commodities Futures Trading Commission, and state insurance regulators.

Important federal legislation that governs the banking system in the United States includes:

• The National Banking Acts of 1863 and 1864 established a national banking system and national bank charters.
• The Federal Reserve Act of 1913 established the Federal Reserve System as the central banking system.
• The Banking Act of 1933 (the “Glass-Steagall Act”) separated commercial banking from investment banking.
• The Bank Holding Company Act of 1956 (BHCA) required the approval for the establishment of a bank holding company (BHC).
• The Gramm-Leach-Bliley Act of 1999 repealed the Glass-Steagall Act and created financial holding companies authorised to engage in certain insurance and securities activities.
• The Dodd-Frank Wall Street Reform and Consumer Financial Protection Act of 2010 (the “Dodd-Frank Act”) established measures to prevent systemic risks, a framework for the regulation of derivatives, and the CFPB.

Each bank regulator has implemented its own regulations that set out the licensing requirements, permissible activities and investments, and safety and soundness operating standards applicable to the banks each regulates. These federal banking regulations are set out in Title 12 of the Code of Federal Regulations.

The specific licensing and application requirements to charter a bank will vary based on the type of bank charter and whether the bank is chartered at the state or federal level. The OCC sets out its application and licensing requirements for a national bank in its regulations and a licensing handbook. The process for chartering a national bank is set out below and is generally representative of the process for other bank charter types as well.

General Application Requirements

Organisers of the proposed national bank must apply to, and receive approval from, the OCC before the bank engages in banking business. In reviewing an application, the OCC:

• will ensure that the application is complete and required organisational documents for the bank have been filed, the required capital stock of the bank has been paid in, and the bank has at least five, and generally no more than 25, elected directors;
• will take into account the bank’s plans to meet the credit needs of the communities in which it would operate;
• will consider:
1. whether the organisers are familiar with applicable banking laws and regulations;
2. the experience and competency of the proposed management team and directors;
3. the bank’s business plan and the economic conditions and competitive considerations of the markets in which it plans to operate;
4. the sufficiency of the projected capital needs of the bank given the risks and complexity of its expected activities;
5. the reasonableness of the financial and profitability assumptions used in preparing the pro forma financial statements that accompany the application;
6. the ability of the bank to operate in a safe and sound manner;
7. any public comments received in connection with the published notice announcing the filing of the application; and
• may consider the risks a proposed insured bank would pose to the deposit insurance fund and any questions regarding the permissibility of its corporate powers.

National banks are required to specifically apply to exercise fiduciary powers and should include an application, if needed. A bank that intends for its deposit accounts to be insured must also file an application for deposit insurance with the FDIC. In addition, a BHC (or a company that would become one because of its proposed ownership interest in the new bank) is required to obtain approval from the Federal Reserve Board before the OCC will grant approval.

The Licensing Process

The bank’s organisers will generally hold a meeting with OCC staff to review the plans for the bank and raise any questions on the licensing process before applying for a charter. The organisers will also designate a person for the OCC to contact with questions during the application process. The OCC provides both a preliminary approval for the organisers to continue their efforts and a final approval before the bank can open for business.

Once preliminary approval has been obtained, the organisers can complete any remaining management hires, continue raising capital, and otherwise prepare for opening, including developing internal risk management and operating systems and adopting a written insiders’ policy addressing code of conduct and conflicts of interest. At least 60 days before the bank’s proposed opening and before final OCC approval may be issued, the bank must notify the OCC that organisational efforts have been completed and request that the OCC conduct a pre-opening examination.

For at least the first three years of its operation, the bank is required to receive a non-objection from the OCC before making any significant change to its business plan. The OCC must also review the bank’s hiring of new executive officers and election of new directors for at least the first two years of the bank’s operations.

Powers and Authorities

The powers and authorities of national banks are set out in legislation (including the National Bank Act) and through the OCC’s regulations and interpretive letters, including requirements for when the bank must file a notice to, or receive approval from, the OCC prior to engaging in a new activity.

State-chartered Banks

The application and licensing process for a state-chartered bank are governed by state law. The powers and authorities of a state bank are governed by state and federal law and by the regulations of its primary federal regulator (either the Federal Reserve Board or FDIC). Many states also have provisions in their banking laws, sometimes referred to as wild card provisions, providing state banks with the same powers and authorities as national banks.

A person or entity (a “person”) controls a bank if it would, directly or indirectly, have the power to either (i) direct the management or policies of the bank; or (ii) vote 25% or more of any class of the bank’s voting securities. A rebuttable presumption of control exists if the person, directly or indirectly, has the power to vote 10% or more of any class of a bank’s voting securities if: (i) the securities are subject to registration under the Securities Exchange Act of 1934; or (ii) immediately after the transaction, no other shareholder would own or have the power to vote a greater percentage of the class. The agencies also consider whether the person is acting in concert with others.

A 90-day after-the-fact notice requirement applies in circumstances where control is acquired due to circumstances beyond the person’s control, such as acquiring control through inheritance, a redemption of the bank’s voting securities, or by acquisition of the securities in satisfaction of a debt. Some acquisitions of control are exempt from the notice requirements of the Change in Bank Control Act (CBCA), including transactions subject to approval under or transactions described in the BHCA. Under the BHCA, approval of the Federal Reserve Board is required for a BHC to either acquire a subsidiary bank, more than 5% of a class of a bank’s voting securities, or all, or substantially all, of a bank’s assets by one of its non-bank subsidiaries.

The agencies evaluate several factors in reviewing the notice, including any public comments on the transaction, competitive impacts, and the financial stability of the bank, as well as the interest of depositors, the deposit insurance fund, and the public.

Unless otherwise provided by the agency, a person deemed to have control due to ownership of more than 10% but less than 25% of the bank’s voting securities would be required to file another notice if their ownership interests later increase to 25% or more, but subsequent increases in ownership beyond that point would not be subject to additional filing requirements under the CBCA.

The review period is generally 60 days but may be extended. The agencies may impose conditions on an acquiror, such as not materially changing the bank’s business or committing to providing capital and liquidity support to the bank. In the event of an adverse decision, the person may appeal the decision.

State-chartered Banks

If the target bank is a state-chartered bank, the laws of the applicable chartering state should also be considered for potential change in control filing requirements.

Federal bank regulators have established standards for the safe and sound operation of a bank. Banks are expected to have internal operational and management systems and capabilities that are appropriate for the bank’s size, complexity, and risk profile, including for:

• internal controls and information systems;
• audit systems;
• loan documentation practices;
• credit underwriting practices;
• interest rate exposure;
• asset growth practices;
• asset quality practices; and
• earnings practices.

The agencies have also set standards for information security practices and to prevent excessive compensation. The agencies have not established safety and soundness standards for diversity and inclusion.

The OCC has also established guidelines for risk management for national banks with at least USD50 billion of total assets. The guidelines set heightened standards for the establishment of:

• a framework for the management of risk;
• the roles and responsibilities of risk-creating units at the bank, independent risk management, and audit;
• strategic plans, risk appetites, and concentration limits; and
• talent and compensation management programmes.

The guidelines also set standards for the role of the bank’s board of directors with respect to risk management.

At the BHC level, the Federal Reserve Board requires each BHC with at least USD50 billion or more of total assets to have a global risk management framework establishing policies and procedures for the management of risk at the firm and processes and systems for implementing and monitoring compliance with risk management policies and procedures.

State-chartered Banks

State-chartered banks would be subject to any corporate governance requirements established by applicable state laws or regulations.

As part of the licensing process for a national bank charter, the OCC will evaluate the qualifications of the organisers, directors, and executive officers, considering their familiarity with banking laws and regulations as well as their experience with the expected business activities of the bank. The OCC must also review the hiring of new senior executive officers or the election of new directors for at least the first two years of the bank’s operations. Thereafter, the bank must provide the OCC with at least 90 days prior notice in the event of additions or changes to its board of directors and senior executive officers (or adding a new senior executive officer role to the responsibilities of an existing senior executive officer) if the bank is not in compliance with its minimum capital requirements, has been notified by the OCC to do so, or has been determined to be in troubled condition.

Any required notice must include biographical and financial information, employment and compensation arrangements, fingerprint checks, tax check waivers, and consent to a background check. The OCC may disapprove of any member of the board or new senior executive officer (or change in their role). Management officials of a bank are also generally prohibited from serving as a management official of an unaffiliated bank if the management interlock would likely have an anti-competitive effect.

Residency and Citizenship Requirements for Directors of National Banks

Unless a waiver is requested by the bank and granted by the OCC, directors of national banks must be citizens of the United States. Waivers are discretionary, but non-US citizens may not make up more than a minority of the total number of directors on the board. In connection with a waiver request, the bank must submit biographical, financial, and other information on the director.

A majority of directors must also be a resident of the state where the bank is located or within 100 miles of the bank’s designated main office for at least one year prior to their election and during their service. The OCC may waive this requirement in its discretion and with no limit on the number of waivers granted.

Roles and Responsibilities of Bank Directors and Senior Management

The board of a national bank is accountable for the oversight of the bank’s management, provision of leadership to the bank, and establishment of the bank’s values. The board is also responsible for creating a risk governance framework for the bank and setting the bank’s strategic direction and its appetite for risk.

While the board is responsible for strategic direction and oversight, senior management is responsible for the day-to-day running of the bank’s operations. The board should hold management accountable for accomplishing the bank’s strategic objectives while operating within an approved risk appetite framework. The board carries out its responsibilities by exercising informed and independent judgement and providing credible challenge to management’s decisions and recommendations.

The board should include an appropriate mix of executive directors and individuals who are independent of any relationships with the bank or management. The OCC’s heightened standards for banks with total assets of at least USD50 billion require at least two independent directors. The OCC does not require that the chair be an independent director.

Expectations for Bank Holding Company Directors

The Federal Reserve Board has also established key attributes for an effective board of directors that are applicable to a BHC with total assets of at least USD100 billion. Boards are expected to:

• set a clear direction for strategy and risk appetite;
• undertake direct management of the board’s information needs;
• oversee and hold management accountable;
• support the independence and stature of independent risk management and audit functions; and
• maintain a capable board compensation and governance structure.

The Federal Reserve Board’s regulations also require each BHC with at least USD50 billion of total assets to have a board risk committee responsible for approving risk management policies and overseeing the operation of an enterprise risk management framework. The committee must have at least one member with experience in identifying, assessing, and managing risk exposures at large, complex financial firms and be chaired by a director who meets defined independence standards. In addition, the risk committee of a BHC with at least USD100 billion of total assets must also review and approve a contingency funding plan for the BHC and any material revisions to the plan.

The BHC must also have a chief risk officer (CRO) with experience in identifying, assessing, and managing risk exposures at large, complex financial firms. The CRO is responsible for:

• oversight of the firm’s establishment and monitoring of enterprise risk limits;
• implementation and compliance with risk management policies and procedures; and
• management, monitoring, and testing of controls.

The CRO is required to report directly to both the board’s risk committee and to the chief executive officer. The CRO’s compensation must be consistent with its role of providing an objective assessment of risks taken by the BHC.

State-chartered Banks

State-chartered banks would be subject to any director or senior management registration and oversight requirements established by applicable state laws or regulations.

Banks are required to implement safeguards to prevent excessive compensation to officers, employees, directors, or principal shareholders that could lead to material losses. Compensation is considered excessive if the amounts are unreasonable or disproportionate to the services performed.

In addition, federal bank regulators have issued guidance to assist banks in developing sound incentive compensation practices. Banks are expected to regularly review their compensation arrangements. Compensation arrangements that are tied to the achievement of specific metrics should be compatible with effective controls and risk management and support strong corporate governance.

State-chartered Banks

State-chartered banks would also be subject to any compensation restrictions or limitations established by applicable state laws or regulations.

Financial institutions are responsible for performing several key functions to combat money laundering and terrorist financing in the US financial system.

The FDIC insures deposit products at each insured state- or federally-chartered bank (deposit accounts at credit unions are insured by the NCUA) up to the applicable insurance coverage limit. Coverage for FDIC insurance is not limited to citizens and residents of the United States and applies automatically when any person opens a deposit account at an insured bank.

Examples of deposit products covered by FDIC insurance include:

• checking accounts, negotiable order of withdrawal accounts, and savings accounts;
• Money Market Deposit Accounts;
• Certificates of Deposit; and
• cashier’s checks and money orders.

Examples of financial products NOT covered by FDIC insurance include:

• stocks, bonds, mutual fund investments, and municipal securities;
• life insurance policies;
• annuities;
• US Treasury bills, bonds, or notes; and
• cryptocurrency assets.

Coverage for Deposits with Foreign Banks or that are Payable Outside of the United States

Deposits at an FDIC-insured branch of a foreign bank that are contractually payable in the United States are insurable, unless it is a deposit to the credit of the foreign bank or any of its offices, branches, agencies, or any wholly owned subsidiary.

Deposits payable solely at an office of an insured bank located outside of the United States are not considered deposits for FDIC eligibility insurance purposes.

Limits of Coverage

The standard FDIC insurance amount is USD250,000 per depositor at the bank and for each account ownership category (noted below) held at the bank. All accounts held by the depositor at the bank in the same account category are added together and insured up to the USD250,000 limit for each account category. Deposit account categories include:

• single accounts;
• joint accounts;
• designated retirement accounts;
• revocable trust accounts;
• corporation, partnership, and unincorporated association accounts;
• irrevocable trust accounts;
• employee benefit plan accounts; and
• government accounts.

In instances involving bank failures that may pose a systemic risk to the financial system, the FDIC and the Federal Reserve Board may seek invocation of an exception from applying the insurance coverage limits. This exception was utilised in March of 2023 when the failure of several large banks led to concerns that their failure could trigger further instability and bank failures.

Treatment of Fiduciary Accounts

Funds deposited by a fiduciary on behalf of an owner in a deposit account are insured as deposits of the funds’ owner if the fiduciary nature of the account is disclosed in the bank’s deposit account records. The name and ownership interest of each owner must be ascertainable either from the deposit account records at the bank or from records maintained by the agent. The FDIC aggregates an owner’s funds deposited by the fiduciary along with other deposits of the owner in the same ownership category at the bank for purposes of determining the aggregate dollar amount of insured deposits.

What Happens to Insured Deposits When the Bank Fails

When an insured bank fails, the FDIC may find another bank that is willing to purchase and assume its deposits. In this case, the insured depositors of the failed bank become depositors of the purchasing bank. To the extent a depositor otherwise already has deposit accounts at the purchasing bank, the new deposits are separately insured for a temporary period to allow the depositor time to move or otherwise restructure how or where their deposits are held.

If a bank cannot be found to purchase the deposits, the FDIC closes the institution and pays depositors their applicable deposit insurance amount. The FDIC also acts as the receiver of the failed institution by collecting and selling the institution’s assets to settle its debts, which include claims by depositors for deposit amounts that exceeded the insurance limit.

Funding Deposit Insurance

The FDIC’s Deposit Insurance Fund (DIF) is funded through assessments on insured banks and interest earned on these assessments through investments in US government obligations. Insured banks are assessed by multiplying the bank’s assessment rate by its assessment base. The assessment rate for each bank considers financial and risk-based measures. A bank’s assessment base is its average consolidated total assets minus its average tangible equity. If a systemic risk exception is invoked during a bank failure, the FDIC recovers losses to the deposit insurance fund through special assessments.

The United States is a participating member of the Basel Committee on Banking Supervision (BCBS). In 2013, US Federal Bank regulators adopted requirements for depository institutions and their holding companies (collectively, “banking organisations” or “organisations”) that are considered generally consistent with the 2010 BCBS Basel III framework. Regulators have adjusted the US Basel III requirements, including tailoring the most stringent requirements to subsets of the largest banking organisations (those with USD100 billion or more of total assets). The failure of several large banks in March of 2023 and efforts to amend the US Basel III capital rules to align them with BCBS Basel III reforms resulted in a 2023 proposal for significant changes to the capital rules, which are discussed in 11.1 Regulatory Developments.

Regulatory Capital Minimums

The US Basel III rules set out the elements of regulatory capital for banking organisations and methodologies for measuring the organisation’s risk-weighted assets (RWAs): a standardised approach using supervisory developed models, and an advanced approach for large, internationally active organisations using its internal models. Capital ratios are calculated by dividing regulatory capital by RWAs. Minimum regulatory capital ratios are required for Common Equity Tier 1 (CET1) Capital (4.5%), Tier 1 Capital (6%), and Total Capital (8%). Under US Basel III, institutions using the advanced approaches are required to calculate each ratio under both approaches and then use the more binding output. In addition, banking organisations are required to maintain a 4% minimum leverage ratio of Tier 1 Capital to average total assets. To avoid restrictions on capital distributions and certain bonus payments, organisations must also maintain an additional 2.5% CET1 capital conservation buffer on top of the minimum 4.5% CET1 requirement.

Organisations with less than USD10 billion of total assets and that meet other qualifying conditions may elect to use a simplified method for calculating their regulatory capital ratio. These organisations are not required to calculate and report RWAs but instead must have a leverage ratio of more than 9% to be considered compliant with regulatory capital minimums and the capital conservation buffer.

Additional Requirements for Large Banking Organisations

The largest organisations are subject to additional buffers, surcharges, and requirements. Regulators currently scale application of these requirements by dividing these organisations into one of four categories:

• Category I: BHCs that have been designated as global systemically important banks (GSIBs);
• Category II: organisations that are not US GSIBs but have either (i) USD700 billion or more of total assets, or (ii) USD100 billion or more of total assets and USD75 billion or more in cross-jurisdictional activity;
• Category III: organisations that are not Category I or II having (i) USD250 billion or more of total assets, or (ii) USD100 billion or more of total assets and USD75 billion or more of certain risk indicators (short-term wholesale funding, non-bank assets, or off-balance sheet exposures); and
• Category IV: organisations that are not Category I, II, or III and have USD100 billion or more of total assets.

Current enhanced requirements for these institutions are set out below.

Stress capital buffers (SCB) and countercyclical buffers

The Federal Reserve Board annually assesses the effectiveness of the organisation’s capital planning processes and the sufficiency of its regulatory capital to absorb losses during adverse economic conditions. The results of stress testing are incorporated into the regulatory capital requirements by replacing the capital conservation buffer with the SCB. The size of each firm’s SCB is assessed annually based on the stress testing impact on CET1, with a floor for the buffer of at least 2.5%.

Category I, II, and III firms would be subject to a discretionary countercyclical capital buffer if imposed.

Surcharges on GSIBs

The Federal Reserve Board applies a capital surcharge to US GSIBs CET1 requirements. The surcharge is evaluated annually based on the GSIB’s assessed systemic importance during the prior year.

Supplementary leverage ratio (SLR)

Category I, II, and III organisations are subject to a minimum SLR of 3%. The SLR is calculated by dividing Tier 1 Capital by total leverage exposure. GSIBs are also subject to an enhanced SLR minimum requirement of 5%.

Liquidity requirements

Banking organisations are subject to liquidity risk management and net stable funding rules. The liquidity risk management rules establish a minimum liquidity coverage ratio (LCR) for Category I and II organisations to hold enough high-quality liquid assets that at least equal its projected net cash outflows during a 30-day stress period. Category III and IV organisations are subject to the LCR on a reduced basis. The LCR would also apply to large insured bank subsidiaries (at least USD10 billion of total assets) of a Category I, II, III, and IV holding company. The rule also establishes enhanced liquidity risk management testing requirements and standards.

In addition, Category I and II organisations are required to maintain a minimum net stable funding ratio (NSFR) of its available stable funding to its required stable funding of at least 100%. Category III and IV organisations are subject to the NSFR on a reduced basis. The NSFR would also apply to large insured bank subsidiaries (at least USD10 billion of total assets) of a Category I, II, III, and IV holding company.

Prompt Corrective Action

Insured banks are subject to prompt corrective action (PCA) regulations that impose limitations on their activities for failing to meet identified regulatory capital minimums. The PCA framework assigns banks to one of five categories (from well-capitalised to critically undercapitalised) measuring the institution against risk-based capital and leverage ratios. As a bank falls into lower capital categories, the PCA framework imposes increasingly severe restrictions and limitations on its activities and triggers supervisory response measures and directives.

State-chartered Banks

A state-chartered bank may also be subject to additional regulatory capital and liquidity requirements imposed by applicable laws or regulations of its chartering state.

The FDIC acts as the receiver or liquidator of failed banks. The decision to close a bank is usually made by the bank’s chartering agency. The FDIC will generally be appointed as the bank’s receiver and acts to protect the interest of depositors and to preserve and maximise the bank’s assets.

The FDIC’s options to resolve a failed bank include:

• Purchase and assumption transactions: The FDIC markets and receives bids for the failed bank’s assets and liabilities and assumption of its insured deposits. The FDIC has recently indicated that these transactions may not be a viable option for some large institutions due to a limited number of potential acquirers and transactional complexity.
• Deposit payoffs: The FDIC pays insured depositors up to the maximum insured amount. The FDIC liquidates remaining assets to satisfy the claims of the bank’s creditors according to their relative priority in payment. Uninsured depositors are paid ahead of the bank’s general creditors, with any remaining amounts paid to the bank’s stockholders.

Although the FDIC is required to pursue the least-cost resolution approach, an exception exists if the FDIC and the Federal Reserve Board determine the bank’s failure may pose a systemic risk, allowing for a guarantee of uninsured deposits. This exception was used in March 2023 to guarantee uninsured deposits of several failed large banks.

The preferred method of resolution for holding companies is through the US bankruptcy code, but the FDIC is authorised to resolve large, complex holding companies with the agreement of a two-thirds majority of the board of the Federal Reserve Board and the Treasury Security, in consultation with the President, and may borrow money from the US Treasury to fund the resolution. To the extent borrowed funds are not recovered through the resolution process, the FDIC will assess any deficit on other large, complex financial institutions.

BHCs with total assets of USD250 billion or more are periodically required to submit resolution plans (“living wills”) to the Federal Reserve Board, the FDIC, and the Financial Stability Oversight Council. The Federal Reserve Board is authorised to apply living will and other prudential requirements to a BHC with less than USD250 billion, but more than USD100 billion, of total assets upon a determination that the requirements are appropriate to address financial stability risks. In response to the 2023 bank failures, the Federal Reserve Board and the FDIC issued final guidance enhancing resolution plan submissions by “triennial full filers” (Categories II and III firms). The guidance generally mirrors the requirements on GSIBs where the firm uses a single-point-of-entry (SPOE) resolution approach, involving the top-tier parent company’s entry into bankruptcy proceedings while its subsidiaries continue to operate or are wound down. Companies that use a multiple-point-of-entry (MPOE) approach, involving the parent company’s entry into bankruptcy along with resolution of its subsidiaries under their respective regimes, are subject to certain elements of the GSIB guidance and additional requirements targeted at supporting the bank’s resolution.

The FDIC also recently enhanced the requirements on insured depository institutions (IDIs) with USD50 billion or more in total assets to periodically make resolution submissions to the FDIC. Following recently effective revisions to the FDIC’s resolution planning rule, IDIs with USD100 billion or more in total assets are required to submit resolution plans, and IDIs with between USD50 billion and under USD100 billion in total assets are required to submit informational filings, to the FDIC. Full submissions are filed every three years, except for IDI affiliates of US GSIBs, which submit every other year. In addition, IDIs not affiliated with US GSIBs must submit supplemental information in the years in which they do not make a full submission. The content requirements for resolution plans and informational filings are largely the same, except that only the larger institutions are required to specify an identified strategy, address failure scenarios and describe their valuation analysis.

The Federal Reserve Board and FDIC must review the credibility of each BHC’s plan and may make, jointly, a determination that the plan is not credible. If the firm fails to address the deficiencies, it may be subjected to more stringent capital, leverage or liquidity requirements or limits on its growth, activities or operations. The agencies may order divestiture of assets or operations if the BHC is ultimately unable to address the deficiencies. The FDIC may also find a material weakness in an IDI’s submission under the FDIC’s resolution planning rule, and the IDI’s failure to address these weaknesses could lead to enforcement action.

The Federal Reserve Board requires each GSIB to maintain a minimum amount of total loss-absorbing capacity (TLAC) made up of a minimum amount of long-term debt and Tier 1 Capital and to maintain a buffer above the TLAC minimum. Falling below the buffer may result in limitations on the ability to make capital distributions and certain discretionary bonus payments. GSIBs must also hold a minimum amount of long-term debt (LTD) to absorb losses and support their resolution. Following the 2023 banking crisis, the agencies issued a proposed rule that would expand the number of institutions subject to the LTD requirements (to IDIs and their holding companies with total assets of USD100 billion or more), prohibit covered companies from entering into transactions that could impede their orderly resolution and limit the amount of their liabilities that are not LTD.

Under the OCC’s current guidelines, national banks with USD250 billion or more in total assets must also develop recovery plans detailing actions the bank could take to remain a going concern when experiencing financial stress, but resolution is not imminent. GSIBs are subject to similar requirements under the Federal Reserve Board’s recovery planning guidance. These requirements were recently increased in response to the 2023 bank failures, with the OCC issuing a final rule that lowers the threshold for the recovery planning requirement to banks with USD100 billion or more in average total assets and adds requirements for testing and consideration of non-financial risks. The revisions become effective in January 2025, with staggered compliance dates.

Recent regulatory developments in the United States addressing environmental, social, and governance (ESG) issues have focused on climate-related risks and legislative responses by some states to counter the actual or perceived implementation of ESG principles by financial institutions.

Climate

In Spring 2022, the SEC issued a proposed rule requiring registrants to include climate-related disclosures in their registration statements and periodic reports and to disclose the registrant’s greenhouse gas emissions. The proposal was subject to extensive public comment, and the SEC issued a final rule in March 2024. The rule applies to all publicly traded companies and requires, among other things, disclosures addressing:

• climate-related risks that have had or that are reasonably likely to have a material impact on the company’s business;
• the risks, with actual or potential material impact, to the company’s business model and strategy, any steps taken to mitigate those risks, and any material expenditures incurred and impacts on financial estimates and assumptions stemming from those risk mitigation activities;
• the role of the company’s board and senior management in overseeing and managing, respectively, climate-related risks and the company’s risk management processes related to these risks;
• any climate-related targets or goals and any material impact on the company’s business or financial condition; and
• costs, expenditures and losses related to severe weather events and impact on any estimates and assumptions the company uses to produce its financial statements if materially impacted by severe weather events.

Certain covered companies are also subject to disclosures on designated emissions. The rule has a phased-in compliance period beginning in fiscal year 2025.

At the state level, California has climate-related disclosure laws that require covered US companies that do business in California to disclose certain greenhouse gas emissions and to publicly disclose, on a biennial basis, their climate-related financial risks and any measures adopted by the company to mitigate or adapt to those risks. New York and other states have also adopted similar climate risk disclosure regimes. Conversely, some states have taken legislative steps to counter ESG principles. For instance, Florida enacted legislation requiring that the state’s chief financial officer make investment decisions without ESG considerations.

During 2023, the Federal Reserve Board conducted a pilot climate scenario analysis exercise involving six large banks. The purpose of the pilot was to enhance the ability of both banks and supervisors to measure and manage the financial risks of climate change. In May 2024, the Federal Reserve Board published a summary setting out how banks are using scenario analysis to assess the resiliency of their business models to climate risks and also set out the data and modelling challenges the banks faced in conducting their impact assessments. The Federal Reserve Board is expected to continue working with these institutions on their capabilities to manage climate-related risks.

The FDIC, the Federal Reserve Board, and OCC have also published principles for large institutions to manage climate risks. The principles apply to financial institutions with over USD100 billion in total assets and provide a framework for the management of exposures to climate-related financial risks. The principles address the following:

• the role of the board of directors and management in managing climate-related risks;
• the need to reflect characteristics of climate risk into policies, procedures, and limits;
• the incorporation of climate-related risks into business strategy, risk appetite, and financial, capital, and operational planning;
• the development and integration of processes to integrate climate-related financial risk exposures into the bank’s existing risk management framework;
• the incorporation of climate-related financial risk information into data aggregation, risk measurement, and reporting; and
• the development of scenario analysis to assess the potential impact on the bank of changes in economic conditions and the financial system from climate-related risks.

The principles also discuss the need for banks to address the impact of climate-related risks on various existing risk types, including credit risk, liquidity risk, financial risk, operational risk, legal and compliance risk, and other non-financial risks like strategic and reputational risk.

In the United States, there is no single source of regulatory requirements or agency guidance governing operational resilience. Instead, the regulatory framework governing expectations for organisations to have the capability to prepare for, adapt to, withstand, and recover from, internal or external operational risks that may cause wide-scale disruptions can be found embedded in various legal requirements or regulatory guidance – such as resolution and recovery planning requirements, information security incident notification requirements, safety and soundness standards for information security, and business continuity and pandemic planning guidance. Collectively, these and related materials set out expectations for organisations to strengthen their operational resilience when faced with technology failures, cyber incidents, pandemics or natural disasters.

Operational resilience has become an area of increasing supervisory focus, with the Federal Reserve, OCC and FDIC issuing an interagency paper in 2020 on Sound Practices to Strengthen Operational Resilience that is applicable to large banking organisations (those with at least (i) USD250 billion of total assets or (ii) at least USD100 billion of total assets and USD75 billion of other risk and complexity indicators (such as cross-border activity, short-term wholesale funding, nonbank assets, or off-balance sheet exposures)). Rather than setting new requirements or guidance in this area, the issuing agencies used the paper to serve as a source of reference and to emphasise the need for organisations to prioritise the operational resilience of their critical operations and core business lines for the organisation and its material entities. The paper sets out expectations with respect to:

• corporate governance: the role and accountabilities for the organisation’s board of directors and senior management with respect to risk appetite, staffing and resourcing, independent risk management, identification of critical operations and core business lines, and information systems and controls;
• effective operational risk management practices: the implementation of processes and controls, risk mitigation strategies, risk exposure assessments, testing practices, risk identification, audit assessments, and effective co-ordination between operational risk management functions and business continuity and resolution and recovery planning;
• effective business continuity planning practices: business impact testing and training, periodic reviews and plan updating, plan testing and enhancements, IT systems testing and evaluation, and identification of critical personnel and technologies, remote-access contingency locations, training, recovery and resolution planning, and development of stress scenario response measures;
• effective third-party risk management practices: identification of critical third-party relationships, documentation and ongoing oversight of third-party relationships, periodic reviews and testing, identification of critical infrastructure services, and identification of contingency providers;
• scenario design and analysis: identification and incorporation of risks into scenarios design, independent review of scenario design processes, mapping of interconnections and interdependencies into design scenarios, back-testing, and assessment of risk transmission channels and concentrations and vulnerabilities;
• information system management security: risk identification and recovery programmes, evaluations of information security processes and controls, safeguards for critical data, and consideration of industry best practices; and
• surveillance and reporting: assessment of ongoing risk against risk appetite, timely detection of anomalous activity, and incorporation of continuous surveillance and reporting to senior management and the board.

The interagency release also sets out sound practices for cyber risk management.

In March of 2024, the OCC’s Acting Comptroller issued remarks on operational resiliency suggesting future rulemaking or guidance may be forthcoming. The Acting Comptroller noted the growing risk of operational disruptions and efforts by other jurisdictions to strengthen operational resiliency through rulemaking, citing the European Union’s Digital Operational Resilience Act and similar requirements in the United Kingdom and Japan. The Acting Comptroller noted that the OCC, Federal Reserve and FDIC were considering any changes which may be needed to the current operational resiliency framework and that their current focus was on identifying baseline requirements for large organisations.

While transformational legislative changes to the US regulatory framework governing banks occur on timeframes measured by decades, recent trends reflect agency and litigation factors and actions as influencing more frequent shifting in the application of the requirements governing the industry, as reflected by the below developments.

Consequential Supreme Court Decisions for the Industry

During 2024, the United States Supreme Court issued opinions that are expected to lead to increased litigation over efforts to regulate the industry. These include decisions (i) eliminating precedent that had required judicial deference to an agency’s interpretation of statutory ambiguities; (ii) expanding the time period for administrative challenges to the issuance of regulations; and (iii) addressing the appropriate analysis for applying the 2010 Dodd-Frank Act’s federal pre-emption standard for state consumer financial laws.

Loper v Raimondo, 603 US __ (2024) and Corner Post, Inc. v Board of Governors of the Federal Reserve System, 603 US __ (2024)

In Loper, the Supreme Court overruled the statutory construction principle established in Chevron USA. Inc. v Natural Resources Defense Council, Inc., 467 US 837 (1984) that courts must afford deference to an agency’s reasonable interpretations of an ambiguous statute. The Court held that Chevron is inconsistent with the Administrative Procedures Act’s (APA) requirement that courts must exercise their independent judgement in reviewing all relevant questions of law, interpreting constitutional and statutory provisions, and determining the meaning or applicability of the terms of an agency action. Only days after issuing its opinion in Loper, the Supreme Court issued its decision in Corner Post, holding that the six-year statute of limitations for a plaintiff to bring an APA challenge runs from the time of the plaintiff’s alleged injury from the regulation, rather than the date the regulation was published.

Cantero v Bank of America, N.A., 602 US __ (2024)

In Cantero, the Supreme Court, for the first time, addressed the proper application of the pre-emption standard established by the Dodd-Frank Act for state consumer financial laws under the National Bank Act.  Congress directed that courts should apply a pre-emption standard consistent with the “significant interference” standard established in Barnett Bank of Marion County, N.A. vs. Nelson, 517 US 25 (1996). Courts had differed in their application of this standard, with two US circuit courts reaching different decisions on whether the National Bank Act pre-empted state law requirements on national banks to pay interest on escrow accounts. The Supreme Court held that in analysing the significant interference standard, courts should make a practical assessment that includes: (i) looking to the text and structure of the state law; (ii) conducting a nuanced comparison of prior Supreme Court decisions in Barnett Bank and related precedent that found pre-emption (and laws that were not pre-empted); and (iii) applying “common sense”. Rather than articulate a bright-line standard for the resolution of pre-emption questions, Cantero leaves the practical application of the “significant interference” standard to development by the lower courts over the coming years.

These cases are expected to lead to increased industry litigation challenging agency interpretations and regulations, including the issuance and validity of many long-standing regulations, and increased efforts to impose a greater number of state laws on national banks.

Legislative and Regulatory Responses to March 2023 Bank Failures

In early 2023, the US banking sector experienced the failure of several large regional banks. A number of regulatory proposals have been developed in response to, or were influenced to some degree by, these bank failures, including a recently proposed amendment by the FDIC to its broker deposit rules (which govern deposits obtained through an intermediary whose business is placing, or facilitating, deposits of third parties with an insured bank). Insured banks that are not well-capitalised are prohibited from accepting brokered deposits, and an institution’s use of these deposits may also impact its deposit insurance and liquidity risk management supervisory assessments.

The FDIC had amended the rule in 2020 by narrowing the types of covered brokered activities and expanding exceptions to the deposit broker definition. Given the FDIC’s correlation of higher usage of brokered deposits with a higher probability of failure and citing recent banking failures, the FDIC raised concern that the 2020 amendments resulted in greater risks to institutions and the deposit insurance fund. The 2024 proposal seeks to undo impacts of the 2020 rule by, among other things, expanding the definition of a brokered deposit and narrowing and revoking exceptions.

Revisions to the US Basel III Capital Rules

On 27 July 2023, the FDIC, the Federal Reserve Board, and the OCC jointly published proposed rules to amend the regulatory capital framework for large banking organisations (those with USD100 billion or more of total assets), including revisions to implement BCBS reforms to the global Basel III capital rules. These reforms will have a significant impact on the regulatory capital framework applicable to large banking organisations through revisions to requirements associated with credit, market, operational, and credit valuation adjustment risks and changes to enhance the transparency of the capital framework and promote consistency across banking organisations. The proposals would also require all (rather than some) large banking organisations to include unrealised gains and losses associated with certain securities in their capital ratios and to comply with a supplementary leverage ratio and any imposed countercyclical capital buffer. As proposed, the rule would require full compliance by July 2028, after a multi-year transition period beginning in July 2025.

In September 2024, the Vice Chair of Supervision at the Federal Reserve Board publicly noted that, following extensive public feedback on the proposals and continuing conversations with the OCC and FDIC, the Vice Chair had concluded that broad and material changes to the proposal were warranted, as well as to a companion proposal to adjust the GSIB surcharge. The Vice Chair specifically referenced that banks with assets between USD100 billion and USD250 billion may no longer be subject to the proposed changes, except for requirements to recognise unrealised gains and losses in the securities portfolios in regulatory capital. The statements also suggested that large banks that are not GSIBS, but that have total assets of more than USD250 billion, would be subject to new credit and operational risk requirements, but would only be subject to the market risk and credit valuation adjustment frameworks if they engaged in significant trading activity. The Vice Chair also discussed the 2023 US GSIB surcharge proposal and potential changes to address areas of industry comment, including removing provisions that would increase a GSIB’s surcharge related to client-cleared derivatives, and the need for provisions allowing for the calculation methodology to account for economic growth in measuring a firm’s risk profile.

Legislative and Regulatory Consumer Protections and Rights Initiatives

The CFPB is continuing its supervisory and enforcement efforts on fees and charges for consumer financial products that it deems unfair to consumers and on discrimination in the provision or offering of consumer financial products and services. The agency also finalised its “open banking” proposed rule, which requires depository and non-depository entities to make certain financial data regarding a consumer’s transactions and accounts available to the consumer and their authorised third parties at no cost. The rule also contains data privacy obligations on third parties authorised to access the consumer’s data.

Concerned with the risks and unintended consequences of the use of artificial intelligence models, legislatures and regulators are sharpening their focus in this area. States have begun efforts to legislate a regulatory framework specifically directed at these risks, including expectations for developers to identify, assess and seek to mitigate the risks and harm that usage of certain AI decision-making models may pose to consumers. Colorado passed the Colorado Artificial Intelligence Act in the Spring of 2024, and AI legislation was passed in the Summer of 2024 in California but was vetoed by its Governor. While vetoing the specific legislation, the California Governor issued statements clearly indicating support for a refined legislative measure that incorporated feedback from industry experts. At the federal level, US banking agencies finalised a rule targeted at risk management standards for the use of automated valuation models in connection with certain residential consumer mortgages. More legislative and regulatory measures in this space should be expected.

Impacts from the 2024 Elections

The outcome of the 2024 presidential elections will shape the legislative, regulatory and supervision direction of the industry. A second Trump Administration is expected to result in a de-emphasis on efforts to further increase bank capital requirements and the use of enforcement as a supervisory tool, in efforts to roll back the Biden Administration’s ESG initiatives, and in furthering the integration of crypto-assets into the financial system.