The USA has a complex web of laws and regulations governing the banking sector.

The USA operates a “dual banking system”, under which a bank may become licensed under either federal law or the law of one of the 50 US states. (The same concept applies to the licensing of branches or agencies of non-US banks.) The choice of licensing authority affects a bank’s principal regulator, but state-licensed banks also have federal regulators for certain purposes. In addition, federal law regulates the holding companies for most US banks.

The National Currency Act of 1863, now known as the National Bank Act, and the Home Owners’ Loan Act of 1933 (HOLA) are the principal sources of authority for federally licensed US banks and US federal thrifts (a thrift is a charter that focuses on mortgage finance and consumer lending). These statutes are implemented by the Office of the Comptroller of the Currency (OCC), which issues regulations relevant to these entities.

At the state level, New York has the most developed banking law, implemented by the New York Department of Financial Services. California’s banking laws are implemented by the California Department of Financial Protection and Innovation.

The Federal Reserve Act of 1913 governs the activities of state-chartered banks that have elected to become members of the Federal Reserve System. The Bank Holding Company Act of 1956 (“BHC Act”) and the holding company provisions of HOLA apply, respectively, to companies that control FDIC-insured banks and thrifts. These statutory provisions are implemented by regulations of the Board of Governors of the Federal Reserve System (“Federal Reserve”).

The Federal Deposit Insurance Act of 1950 (FDIA) contains provisions relating to federal deposit insurance for banks and thrifts, the resolution of insolvent insured banks and thrifts, and the activities of insured state-chartered banks that are not members of the Federal Reserve System and insured state-chartered thrifts. The Federal Deposit Insurance Corporation (FDIC) has promulgated regulations implementing this statute.

The most important bank safety and soundness regulation is the Federal Reserve’s Regulation W, which implements Sections 23A and 23B of the Federal Reserve Act, and places restrictions on transactions between federally insured banks or thrifts (and uninsured national banks engaged in fiduciary activities) and their affiliates.

The activities of non-US banks operating through branch or agency offices are governed by either state or federal law as a licensing matter (in the latter case, the International Banking Act of 1978 and the regulations of the OCC), and the Federal Reserve is the umbrella regulator of those banks’ overall US activities.

There is a large body of federal consumer law, including the Truth in Lending Act, the Truth in Savings Act, the Equal Credit Opportunity Act, the Fair Debt Collection Practices Act and the Fair Credit Reporting Act. The federal Consumer Financial Protection Bureau has promulgated regulations under these statutes.

As a general matter, a banking licence is required for an entity to take deposits. Both US states and the federal government also require a trust company or national trust bank licence for a non-deposit-taking corporate entity to act as a fiduciary.

An entity seeking to obtain a banking licence (charter) first must determine whether to seek state or federal authorisation. If a state banking charter is selected, the entity must also decide whether to become a member of the Federal Reserve System. Larger entities or entities with sophisticated business plans tend to become Federal Reserve System members.

For a domestic US banking licence, it is possible that three applications may be required: first, to the chartering authority, the state regulator or the OCC; second, to the FDIC for federal deposit insurance; and third, to the Federal Reserve, if the bank is to be a national bank (membership is required for national banks) or if it is to be a state-chartered bank and elects Federal Reserve System membership. In addition, if the bank is to be FDIC-insured – as are all banks except for non-deposit-taking trust companies, national trust banks and a particular type of Connecticut bank – then all entities that control the bank must apply to the Federal Reserve to become bank holding companies or thrift holding companies, depending on whether a bank or thrift charter has been applied for.

If the applicant is a non-US bank seeking to establish a branch or agency office, there will generally be two applications: one to the applicable state regulator or the OCC, and another to the Federal Reserve.

These applications will require information relating to the applicant’s and its parent’s financial and managerial resources, a business plan, pro forma financial statements, and information about proposed management, directors and shareholders, among other requirements. Senior management, directors and principal individual shareholders will likely be subject to background checks and fingerprinting.

Obtaining a banking licence is a time-consuming process, and engagement with the relevant regulators is recommended from the start. It is critical to present a persuasive business plan, including plans to raise the necessary initial capitalisation for the bank, and capable management and director candidates. Pre-filing preparation and recruitment can take several months. After filing, the timing to approval of all the applications can run from six to 12 months in most cases. In the case of a domestic US bank, the chartering authority’s approval is conditional and requires the organisers to raise the necessary initial capitalisation, obtain and outfit premises, and undergo a pre-opening examination.

Unless the application is for a limited-purpose non-depository trust charter, approval of a charter application permits the bank or thrift to engage in all activities permissible under the relevant banking statute. In the USA, which has a separation of banking and commerce, banks are, as a general matter, required to be financial intermediaries, and their holdings of equity securities, commodities and non-investment-grade debt are limited. Thrifts generally must concentrate on mortgage and consumer finance, with the amount of their commercial loans limited. Because under the federal securities laws, most securities brokerage and dealing activities must be carried out in a broker-dealer affiliate of a bank, it is common for entities seeking to engage in a wide range of financial services to seek authorisation to establish a broker-dealer entity as a sister affiliate of the newly chartered bank.

The acquisition of “control” of an FDIC-insured US bank or thrift and/or its holding company requires the prior approval of the Federal Reserve under the BHC Act and, if the target institution has a state charter, the approval of its state banking supervisor as well.

For federal purposes, “control” is conclusively deemed to exist upon the acquisition of 25% or more of any class of voting securities or obtaining the ability to control the election of a majority of the target’s board. However, under the Federal Reserve’s “control” regulations, there can be a finding of control at below 5% of a class of voting security ownership if the acquiror controls one-third or more of the target’s total equity – 25% or more in the case of a thrift or thrift holding company – or has an agreement with the target giving it control over the target’s business akin to that of a general partner over a partnership. Between an investment of 5% or more of a class of voting securities and 25% of a class of voting securities, there are additional “control” factors, which become more stringent as the amount of voting securities increases. For US state approvals, where the requirements are jurisdiction-specific, some states define “control” at as low as 10% share ownership.

Applications must contain information that will permit the regulators to analyse the acquisition under the factors required by the relevant statutes. Under the BHC Act, the Federal Reserve is required to consider a number of factors: the financial and managerial resources of the acquiror (including its compliance record); antitrust considerations; the record of the acquiror and the target under the Community Reinvestment Act of 1977, which requires banking institutions to meet the credit needs of lower and middle-income communities; and effects of the acquisition on US financial stability. State regulatory authorities consider similar factors.

In addition, in the case of an acquisition by a non-US entity, the Federal Reserve must find that banking institutions in the home country of the acquiror are subject to comprehensive supervision on a consolidated basis. Because of the US policy on the separation of banking and commerce, an acquiring entity must generally be a bank or a company that is predominantly engaged in financial activities, such as a broker-dealer. It can take six to nine months (or in the case of a very large acquisition, somewhat longer) for the required regulatory approvals to be received.

A company that is not regulated by the Federal Reserve as a bank holding company or thrift holding company before it acquires a US FDIC-insured bank or thrift must register with the Federal Reserve promptly after the acquisition closes. Bank and thrift holding companies are subject to periodic examination by the Federal Reserve, capital and liquidity requirements, restrictions on their activities to banking activities and activities that are financial in nature, and financial reporting requirements, among other requirements.

If the entity in question is not an FDIC-insured one, such as a state non-depository trust company or national trust bank, no application must be filed with the Federal Reserve. However, there will need to be a change-in-control approval by the relevant regulator, either the state chartering authority or, for national trust banks, the OCC. The focus of the approval process will be on the financial and managerial resources of the acquiring entity. A similar process is required in the rare case of an acquisition of an FDIC-insured bank or thrift by an individual.

The duties of directors at US corporations, including at banks, are generally governed by state corporate statutes and common law. The board of directors of a corporation has the ultimate responsibility for the overall direction and strategy of the corporation, and the board carries out this responsibility by approving major decisions throughout the life of the corporation, as well as by selecting, retaining and overseeing the executives who manage and direct its daily operations.

A director owes certain fiduciary duties to the corporation and its stockholders. The duty of care requires a director to exercise the degree of care that a reasonably prudent person would use under similar circumstances, and the duty of loyalty requires a director to act in good faith, and in the best interests of the corporation and its stockholders (and not in the director’s own personal interest). The business judgement rule provides a defence to directors facing liability for breaching a fiduciary duty, and a court will uphold the decisions of a director as long as they were made in good faith, on an informed basis, and with the reasonable belief that the director was acting in the best interests of the corporation.

Bank directors are subject to a heightened standard with regard to these fiduciary duties, in the sense that they act not only as representatives of the bank’s stockholders but are responsible for overseeing the safe and sound management of the bank. This is particularly the case when banks undergo financial stress, due to the US government’s insurance of depositor funds.

The OCC, the regulator of national banks, has promulgated heightened corporate governance standards for large national banks, namely, those with USD50 billion or more in total consolidated assets. Under these standards, a board of directors is to establish and implement an effective risk governance framework and hold front-line units, risk management and internal audit responsible for their respective obligations under the framework and ensure that each such unit has the necessary stature and resources to carry out its responsibilities under the governance framework.

The OCC has also stated that boards of directors should present a credible challenge to management, by actively overseeing the bank’s risk-taking activities and holding management accountable for adhering to the bank’s framework. Boards of directors should also, either themselves or through their committees, grant unfettered access to the independent risk management function and internal audit.

As a general matter, US bank regulators do not engage in screening directors or senior management. There are certain exceptions. First, in the case of a new bank, in determining whether to grant a charter, the regulators will conduct background checks on the proposed senior management and directors of the bank as well as large individual shareholders. The focus is on whether any such person has a criminal background or has had financial difficulties or improprieties. Second, if a bank’s financial or compliance record deteriorates substantially such that it is in a “troubled condition”, it will generally need to provide advanced notice to its regulator before making changes to its board or senior management team. Finally, under their enforcement authority, bank regulators have the power to remove directors and senior management for violations of law, breach of fiduciary duty, or participation in unsafe or unsound practices at a bank; use of this power, however, is rare.

As a general matter, there are no bank-specific remuneration requirements. Following the 2008 financial crisis, Congress included a requirement in the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”) that authorised the banking regulators to promulgate regulations regarding incentive-based compensation in order to deter excessive risk taking, but those regulations have never been finalised in the more than 15 years since the statute’s enactment.

Banks in the USA are subject to strict requirements relating to money laundering and terrorist financing. The principal statutes are the so-called Bank Secrecy Act of 1970 and the USA PATRIOT Act of 2001, which was enacted in the aftermath of the 11 September 2001 terrorist attacks. Anti-money laundering requirements are imposed by the bank regulators and the Financial Crimes Enforcement Network (FinCEN) at the US Treasury Department.

Under these requirements, banks are required to have anti-money laundering programmes that include a system of internal controls to assure ongoing compliance; independent testing for compliance to be conducted by bank personnel or by an outside party; designation of an individual or individuals responsible for co-ordinating and monitoring day-to-day compliance; training for appropriate personnel; and appropriate risk-based procedures for conducting ongoing customer due diligence. The last of these must include understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including beneficial ownership information on customers that are legal entities.

Banks are further required to have customer identification programmes designed so that they may form a reasonable belief as to the identity of their customers and to determine whether their customers appear on any list of known or suspected terrorists or terrorist organisations. The anti-money laundering rules also impose reporting obligations, such as filing reports on transactions in physical currency and reports of suspicious activities. Heightened due diligence requirements apply to correspondent accounts for foreign financial institutions and private banking accounts.

The USA has had a deposit insurance scheme since the Great Depression. Under the FDIA, US federal deposit insurance is administered by the FDIC. In the normal course, all depositors are insured up to USD250,000 for their deposits in all capacities at a single institution – for example, amounts in a person’s own account and in a joint account with their spouse would be aggregated for purposes of the USD250,000 insurance limit. There is no prohibition, however, on opening accounts at multiple different institutions and thereby increasing deposit insurance. Upon a determination by two-thirds of the Federal Reserve and two-thirds of the board of directors of the FDIC that a particular bank failure would result in systemic risk, as happened in the insolvency of Silicon Valley Bank in 2023, it is possible for the FDIC to cover all of an institution’s deposits, but this is extremely rare.

The FDIC’s deposit scheme is funded via assessments on all FDIC-insured institutions. After the 2008 financial crisis, the assessment scheme was altered in order to make the amount of the assessments correlate more with particular banks’ risks.

US bank capital requirements are currently very complex, particularly for the largest banks. As a general matter, the USA has adopted Basel III standards, with the exception of the so-called Basel III Endgame, which has yet to be implemented; in addition, small “community” banks are permitted to adhere to a simplified leverage capital framework.

The nation’s largest, most internationally active banks are allowed, with regulatory permission, to use internal models to calculate capital requirements; however, they must also, under the so-called Collins Amendment to the Dodd-Frank Act, calculate their capital under the standardised Basel III risk-weighted approach that generally applies outside of the community bank framework, and then comply with the more conservative of the two approaches.

Outside of the community bank framework, the generally applicable capital rules require adherence to both risk-weighted and leverage requirements. Banks with USD100 billion or more in total consolidated assets are also subject to the Federal Reserve’s supervisory stress tests, which are used to create a required “stress capital buffer” requirement above minimum permissible capital ratios. This buffer, which must be composed of Common Equity Tier 1 (CET1) capital and is set at a minimum of 2.5%, is intended to reflect a particular bank’s economic losses in the severely adverse economic scenario used in the Federal Reserve’s stress tests. In addition, global systemically important banks (G-SIBs) are subject to the so-called “G-SIB Surcharge”, which is an additional amount of required CET1 capital, based on size and complexity factors. The result of all of this is that the minimum CET1/risk-weighted assets ratios of the large banks subject to the stress tests ranges from a low of 7.0% to 16.0% in 2025. Large US banks are also subject to a supplementary leverage ratio (SLR), which considers off-balance sheet exposures in addition to balance sheet assets, with G-SIBs being required to meet the highest, so-called “enhanced”, SLR requirements.

In an effort to reduce regulatory burden, Congress has permitted smaller, “community” banks – banks with fewer than USD10 billion in assets – to elect to comply with a Tier 1 leverage ratio requirement of 9% only, and not to use risk-based capital requirements.

The banking agencies have also adopted minimum liquidity requirements for large US banks, comprising a liquidity coverage ratio (LCR) and a net stable funding ratio (NSFR). The LCR requires these banks to maintain on each business day an amount of unencumbered high-quality liquid assets (HQLA) that are sufficient to meet their total stressed net cash outflows over a prospective 30-calendar-day period, calculated in accordance with banking agency rules. The very largest US banks are required to have a 100% ratio of HQLA to net cash outflows, with the two next tiers of banks being required to meet a modified LCR of 85% and 70%, respectively. The NSFR measures the stability of the funding profile of large banks and requires these banks to maintain minimum amounts of stable funding to support their assets, commitments and derivatives exposures over a one-year time horizon. Like the LCR, the NSFR is tailored to the size and risk profile of the banks to which it is applicable, with the nation’s largest banks having the most onerous NSFR requirements.

The banking agencies’ regulations impose granular requirements for monitoring, testing and reporting liquidity risk as enhanced prudential standards applicable to the USA’s largest banks.

The FDIC is the US banking agency charged with the resolution of an FDIC-insured bank or thrift. In the USA, many banks and thrifts, including all of the largest ones, have holding companies, and, in insolvency, these holding companies are generally subject to the Bankruptcy Code. Following the 2008 financial crisis, however, Congress created a special resolution regime for systemically significant bank holding companies that was modelled on the FDIC bank insolvency regime.

With respect to a US FDIC-insured institution, the most common means of resolving a failing bank is for the FDIC to be appointed receiver of the bank – usually, after closing the bank at the end of business on a Friday – and then entering into a purchase-and-assumption agreement under which certain assets and liabilities of the insolvent bank are transferred to a healthy institution over the weekend. (The closing process begins earlier, with the FDIC soliciting bids for the assets to be transferred well before the bank is closed.) Most general unsecured liabilities of the failed bank remain in the receivership, with general unsecured creditors receiving fractional payment of their claims. The FDIC deposit insurance fund makes depositors whole up to USD250,000 for all of their deposits in the failed bank. Depositors with higher balances are most often made whole because the assuming bank agrees to take all of their deposits, but at times such claims may be haircut. Under the FDIA, US domestic depositors have a preference over general unsecured creditors.

An exception to this general approach may occur in the case of an insolvency that threatens systemic risk, such as in the 2023 cases of Silicon Valley Bank and Signature Bank. There, because of the size of the institutions and concerns that their failure could bring down other banks of a similar size and risk profile, the FDIC created a “bridge bank” to operate the institutions for a period of time after they were declared insolvent and guaranteed all of the banks’ deposits. After stabilising the institutions for a period of time, the bridge bank entered into purchase-and-assumption transactions with two healthy banks.

As noted above, the Bankruptcy Code generally applies to the insolvency of a bank or thrift holding company. However, Title II of the Dodd-Frank Act created an “orderly liquidation authority” (OLA) under which the FDIC may be appointed the receiver of a bank or thrift holding company if its insolvency would threaten systemic risk. The application of the OLA requires an affirmative vote of the Federal Reserve and the FDIC’s board of directors. The OLA takes most of its provisions from the FDIC’s bank resolution regime, and at a high level, the process is similar. The FDIC would be appointed receiver of the insolvent holding company, seek to stabilise it, and then transfer its significant operating subsidiaries’ assets and liabilities to healthy institutions.

In order to carry out the goals of the OLA, the largest bank and thrift holding companies are required to create resolution plans to aid the FDIC in the case of a future insolvency. These plans focus on assuring that a holding company’s significant operating subsidiaries have sufficient liquidity to maintain operations notwithstanding the holding company’s insolvency, and that those subsidiaries’ interconnections to other parts of the holding company are well known so as to facilitate eventual transfers by the FDIC. Certain of the largest holding companies have also been required, as part of the resolution planning process, to “pre-position” intercompany liquidity and maintain it in sufficient amounts to allow for an orderly resolution. The OLA has not yet been tested; although the holding company for Silicon Valley Bank had significant assets on a consolidated basis, it entered a Bankruptcy Code proceeding while the bank itself was resolved by the FDIC.

Currently, the US bank regulators have not mandated ESG requirements. For example, early in 2025, the OCC, Federal Reserve and FDIC brought to a halt the climate risk-related measures that they had begun to undertake under the Biden administration.

Moreover, in the current environment, banks have been cautioned not to permit ESG concerns to lead them to deny banking services to disfavoured customer groups, such as digital asset companies, gun manufacturers, or oil and gas companies (so-called “debanking”). This follows the lead of certain US states, such as Florida, which passed their own versions of “anti-ESG” statutes affecting the financial sector during the Biden administration.

In October 2025, the OCC and the FDIC issued a proposed regulation that would formalise their new policy position of not using “reputation risk” to criticise, formally or informally, or take adverse action against, the banks they regulate. The propose regulation would also prevent these agencies from requiring, instructing or encouraging a bank to modify a product or service based on the person’s or entity’s political, social, cultural or religious views or beliefs, constitutionally protected speech, or solely on the basis of the third party’s involvement in politically disfavoured but lawful business activities perceived to present reputation risk.

In addition, in September 2025, the OCC stated in a bulletin to the banks it regulates that it would consider a bank’s past record and current policies and procedures to avoid engaging in politicised or unlawful debanking in licensing matters that required OCC approval, such as the creation of certain new subsidiaries. It further stated that it would assess debanking considerations in determining a national bank’s rating under the Community Reinvestment Act. A less than satisfactory rating can limit a bank’s ability to enter into merger and acquisition transactions.

In the USA, banking agencies do impose certain cybersecurity requirements as a prudential regulatory matter. These requirements depend on a particular institution’s primary regulators, but they can include provisions relating to risk assessments; independent audits of the institution’s cybersecurity programme based on the risk assessment; monitoring of anomalous activity; periodic approvals of an institution’s cybersecurity programme by a senior officer or board of directors; date retention; remote access, systems and network security monitoring, security awareness and training; and periodic testing.

Special responsibilities may be placed on an institution’s chief information security officer, such as being required to timely report to an institution’s board of directors on significant cybersecurity events and significant cybersecurity programme changes. Boards of directors, in turn, have the responsibility to exercise effective cybersecurity-related oversight including by requiring that the institution’s executive management develop, implement and maintain the institution’s cybersecurity programme.

In addition, banking institutions must have business continuity and disaster recovery (BCDR) plans that cover such areas as identifying essential documents, data, facilities, infrastructure, services, personnel and competencies; identifying all senior personnel responsible for BCDR implementation; identifying means of communicating with essential persons in the event of a cybersecurity disruption; maintaining procedures for timely recovery of critical data and systems and resumption of operations; maintaining procedures for backing up the information essential to the institution’s operations and storing such information off-site; and identifying third parties necessary to continued operations of the institution’s information systems.

Material cybersecurity incidents, moreover, must be promptly notified to regulators. These include cybersecurity incidents affecting an institution’s third-party service providers.

The principal regulatory developments that should affect banks in the USA in the near term are the finalisation of the so-called Basel III Endgame, the implementation of certain final requirements of the Basel III capital accord; new approaches to the manner in which the Federal Reserve “stress tests” capital at the nation’s largest banks, and the degree to which banking agency heads are successful in realising their goals of streamlining bank supervision.

The USA has still to implement certain requirements of the Basel III Capital Accord that were developed following the 2008 financial crisis – these requirements relate primarily to operational risk, market risk and certain risks relating to derivative contracts. At the end of the first Trump administration, progress had been made by the banking agencies in developing an implementation proposal for this Endgame that would be close to capital neutral – that is, it would not materially increase capital requirements above existing levels. Under the Biden administration, however, the banking agencies issued an Endgame proposed rule that would drastically increase capital requirements for the nation’s largest banks. This proposal met with significant criticism. It is expected that in 2026 the banking agencies will re-propose the rule in a manner that will be more in line with the original proposal on the ground that current levels of capital in the US banking system are adequate (and likely higher than in other developed countries) and that mandating additional capital will constrain lending and economic growth.

Since the 2008 financial crisis, the Federal Reserve has required the nation’s largest banks to undergo annual “stress tests” of their portfolios. This exercise seeks to determine the size of potential losses in the event of a severely adverse economic scenario such as a deep recession with corresponding losses in the financial markets. In recent years, moreover, the performance of the banks subject to the tests has been relevant in setting their capital requirements, because these banks are required to have a capital buffer equivalent to their economic losses in the tests.

The banking industry has criticised the Federal Reserve for a lack of transparency both in creating the severely adverse economic scenario as well as in the models it uses for predicting bank losses, which the industry has described as a “black box”. Responding to a lawsuit filed in December 2024, the Federal Reserve in October 2025 issued a proposed rule under which it would publish more information about the tests and its models in advance and permit interested parties to comment on that information and the Federal Reserve’s assumptions. Depending on how the proposal is finalised, it could result in a reduction in overall capital at the nation’s largest banks.

Finally, during the course of 2025, banking agency heads have outlined in certain of their public statements ambitious goals of streamlining how banks are supervised and examined, in order to reduce regulatory burdens. This has included seeking to reduce the types of risk that bank examiners consider in evaluating institutions, such as the elimination of consideration of reputation risk, and seeking to focus supervision on evaluating material financial risks. In addition, banking agency heads have announced that they will be substantially reducing the number of supervisory staff. Given the discretionary nature of bank supervision, it is too early to tell the extent to which the banking agencies will ultimately fulfil these goals, but it does appear that “lighter touch” regulation is on its way.