- Key insight: Regulators are setting up a coordinated process to reduce the risk of breaches in storing highly sensitive bank information for bank examinations.
- Supporting data: Federal financial agencies suffered at least two major breaches early on in the second Trump administration.
- Forward look: The agencies will train examiners on the new procedures, though supervisors may still require sensitive materials for official examinations.
The federal banking agencies on Thursday said they are moving in sync to reduce the amount of sensitive bank examination data they collect and store, to reduce possible vulnerabilities.
In a joint statement, the Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency said they are committed to protecting sensitive information and will consider alternatives to transmitting certain highly sensitive materials during examinations.
"The [federal banking agencies] have committed to notify affected banks of a potential or confirmed material compromise of confidential supervisory information as soon as practicable and within no more than 72 hours, once the agency impacted has a reasonable basis to believe a compromise has occurred and determines the banks affected, subject to applicable legal considerations," they
Looking ahead, banks will be expected to identify requested examination materials they believe qualify as highly sensitive, allowing examiners to determine whether additional safeguards should apply, saying banks that have information "they believe could be highly sensitive in nature should discuss their concerns with their examiners or primary agency contact."
The agencies said certain categories of information — tech diagrams and schematics, detailed cyber-vulnerability test results and succession planning data — warrant particular caution.
Rather than being required to routinely transmit copies of sensitive information, examiners will consider alternatives like "on-site review, direct digital review from the systems of the supervised bank, redacted or summarized versions of documents" aimed at reducing exposures related to agencies' direct possession of the data.
Examiners may still conclude that certain highly sensitive materials are necessary for the supervisory record, subject to supervisory approval. The agencies plan to provide examiners training and written guidance on the new approach.
"Examiners will notify supervised banks upon the beginning of examination activities that bank management may identify to examiners any information that bank management considers highly sensitive," the statement goes on. "Examiners will also notify supervised banks of the specific processes through which they may escalate any concerns to their primary federal regulator regarding examiner determinations of how to appropriately identify and handle highly sensitive information."
Data security and cyber threats have been a big concern for agencies in recent years. The Office of the Comptroller of the Currency said it experienced a significant email system security breach in early 2025, and
According to an agency release, a high-level user account with administrative privileges over the OCC's email system was breached, revealing highly sensitive information about one of the banks regulated by the OCC.
Not long before the OCC breach,
The January breach was significant for the hackers' use of an advanced persistent threat method of attack, allowing them to remain undetected within a system for months, gradually transferring sensitive information from the system. Both incidents highlight the ongoing risk of vulnerabilities in federal cybersecurity systems, particularly in the reliance on third-party services.











