- Key insight: The Fed, FDIC and OCC promised banks notice within 72 hours of a compromise of their confidential supervisory information.
- Expert quote: Julie Andersen Hill, dean of the University of Wyoming College of Law, said banks "will not be able to sue to enforce the document," and that the pledge's only real force is the trust the agencies build by honoring it.
- What's at stake: The categories in play are the records banks least want loose: network diagrams, penetration test results, specific IT control weaknesses and succession plans.
Overview bullets generated by AI with editorial review.
Federal bank regulators told banks Thursday they may now ask to keep their most sensitive records out of government systems, a move designed to preempt any breach of such records.
The regulators also promised to tell banks within 72 hours if nonpublic records the agencies gleaned from an examination get breached, although the document carrying that promise says it creates no right anyone can enforce.
The Federal Reserve Board, the FDIC and the Office of the Comptroller of the Currency, or OCC, issued the two-page
The statement changes how examiners handle the records banks consider most dangerous to lose. That includes technology and network diagrams and schematics, detailed penetration test results, technical details of specific information technology control weaknesses and succession planning.
Examiners will now consider reading those records directly on a bank's own systems or taking a redacted or summarized version rather than copying them onto government computers.
The new posture still puts banks in a position to assert the sensitivity of their data. The agencies said they "will rely on bank management to identify data and documents requested for an examination that they believe should be considered highly sensitive information."
So, the next time an exam team asks a bank for its penetration test results, that won't come with a presumption that the results warrant special handling; the bank's own management will have to assert that.
Examiners will raise the subject at the start of an exam and tell banks they can flag sensitive material, according to the statement. Banks that think they have something highly sensitive "should discuss their concerns with their examiners or primary agency contact."
However, there is little risk that examiners will punish a bank for flagging truly sensitive records, according to Julie Andersen Hill, dean of the University of Wyoming College of Law, whose research covers the unwritten rules of banking regulation.
A bank that labels everything sensitive may annoy its examiners, Hill told American Banker, but if banks are "somewhat judicious in the use of the designation, supervisory staff will not be overly concerned."
The statement does not give an effective date, and it does not say when examiners will have the guidance they need to run the process.
The statement appears to be a response to an email breach at the OCC last year, in which intruders sat inside the agency's mailboxes for more than a year and a half and read supervisory information about the banks it regulates.
Hackers likely had access to roughly 148,000 emails starting around May 2023, four industry groups wrote in a
The agencies also committed to telling a bank within 72 hours about a "potential or confirmed material compromise of confidential supervisory information."
"Confidential" here refers to all nonpublic information gathered during an exam, not just the highly sensitive material. So, if any material breach of any nonpublic bank information occurs, the agency will tell the bank about it.
The statement "is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against," the three agencies wrote.
The different standards for banks and regulators
Banks are also bound by breach disclosure rules. Under
That rule applies to an incident that threatens a bank's viability, its customers' access to their accounts, or the stability of the financial sector. The agencies' promise covers any material compromise of a bank's supervisory information.
The rule binding banks went through public notice and comment and is codified in federal regulation. The agencies' 72-hour promise sits in a statement that is explicitly unenforceable.
Hill said the disclaimer means what it says. Agency guidance issued without notice and comment "does not have the force of law," she told American Banker, and "banks will not be able to sue to enforce the document, including the 72-hour notification provision."
The promise is based instead on trust.
"Banking supervision works best when banks are forthcoming with their supervisors," and banks are "more likely to be forthcoming if they believe that their information will be handled carefully," Hill said.
That leaves the agencies to keep the promise on their own.
"Talk is cheap," Hill said, "especially when there is no enforcement mechanism for banks. The guidance will only succeed in generating bank trust if the agencies act in accordance with the guidance."
An agency that routinely ignored its own guidance, she added, would render it "ineffective as a regulatory tool."
On the clock's start time
The statement says the 72 hour deadline kicks in "once the agency impacted has a reasonable basis to believe a compromise has occurred and determines the banks affected."
The day a regulator believes a compromise has occurred can be different from the day it works out which banks are affected. This is exactly what happened in the case of the OCC's own breach.
The agency learned of unusual interactions between an administrative account and its user mailboxes on Feb. 11, 2025, and confirmed the next day that the activity was unauthorized, according to
The agency's
On April 7, the agency decided the breach was a major incident, according to
On April 8, the OCC told Congress the exposure included "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes," the agency said in its news release that day.
More than two months after learning of the intrusion, the OCC still had not worked out what the hackers took, Hood wrote in his letter sent to bank executives on April 14.
The agency and a contractor were "currently working to review the content of all compromised email communications and attachments, including determining whether any of the compromised information has been found on the dark web," Hood wrote.
The statement this week does not say when the 72-hour clock would have started in that breach or whether, had the statement been in place, banks would have heard from the OCC any sooner than they did.
An FDIC spokesperson referred questions about the 72-hour trigger to the interagency statement.
Federal Reserve and OCC spokespeople did not answer questions on the record.
Bankers react positively
The regulators' statement responds to
The letter asked for four things. On Thursday, they got parts of two.
The groups asked that firms be allowed to keep sensitive data on their own systems, with regulators reading it "via on-site review or on firm computers with security controls in place to limit downloading, copying or printing the information," the letter said.
The statement says the agencies will "consider a range of potential options" along those lines. It does not commit to any of them, and it leaves examiners free to decide they need the document anyway.
The groups also asked that agencies notify affected firms within 72 hours. Federal agencies at the time owed nothing faster than "as expeditiously as practicable and without unreasonable delay," according to the groups' letter.
The agencies passed on the groups' other two requests.
The first was that agencies be held to "the same or substantively similar security and data protection standards expected of financial institutions to include transparency and accountability for upholding these standards."
Thursday's enforceability disclaimer rules that out.
The last request, to consolidate overlapping exams and cut the volume of data banks ship to regulators, goes unmentioned in the statement.
The agencies did borrow the industry's vocabulary. The categories the statement lists as highly sensitive track the groups' own list from their letter, which named "penetration testing results, specific control weaknesses and third-party reports," as well as "succession plan documents."
All three groups American Banker asked about the statement welcomed it.
Heather Hogsett, who runs the Bank Policy Institute's technology policy division, said the agencies had made "clear that banks can maintain control of highly sensitive data within their own secure systems," in a
The agencies had committed to "explore approaches that allow such information to remain within banks' own systems whenever possible," said Paul Benda, executive vice president for risk, fraud and cybersecurity at the American Bankers Association, in a
The agencies were "committing to rapidly notifying affected banks of any potential or confirmed compromise" of their supervisory information, Kenneth Bentsen, president and chief executive of the Securities Industry and Financial Markets Association, told American Banker.
The measures are "a practical and balanced approach," Bentsen said.











