Eliminating reputational risk oversight was a regulatory mistake

Andrew Harrer/Bloomberg

Trust doesn't collapse all at once. It erodes, quietly, slowly and often without the metrics to track it in real time. That's why the recent decision by the Office of the Comptroller of the Currency to remove "reputational risk" as a standalone supervisory category is more than just an administrative reshuffle. It's a strategic error, and a signal that regulators are drifting away from one of the only forward-looking lenses they've ever had.

In March 2025, the OCC issued guidance removing reputational risk from its bank supervision operating plan. It argued that this category would be better handled through other channels: compliance, legal and operational. The logic was framed around objectivity and clarity, with an emphasis on transparency in supervisory standards. It sounded benign. But eliminating reputational risk as a formal concept doesn't create clarity. It creates a blind spot. And it's one the industry has seen before.

Wells Fargo didn't implode overnight. The fake accounts scandal began as a reputational problem, bad press, customer complaints, internal whistleblowing. No one called it a control failure at the time. But it was. The public backlash revealed the problem before the oversight system did. If reputational risk had been taken seriously as a primary signal, the cultural rot inside that firm might have been addressed sooner, or at least not allowed to metastasize.

Danske Bank was no different. Before regulators acknowledged the scale of its €200 billion money-laundering scandal, the red flags weren't technical. They were reputational. A small Baltic subsidiary with suspicious transaction patterns and a compliance team that kept raising concerns, those weren't internal control failures at first glance. They were reputational anomalies that suggested deeper cracks in risk management and governance. The financial damage came later. The reputational damage showed up first.

And that's the point. Reputational risk may not be precise, but it is often predictive. It reflects discomfort, inconsistency, public perception and internal dissonance, none of which shows up cleanly in spreadsheets, but all of which matter. To remove that category from the regulatory framework is to tell bank examiners: "If you can't quantify it, don't name it." But sometimes, what you can't quantify is exactly what needs to be named.

The OCC insists that reputational concerns can still be addressed through other risk categories. But that's like saying you'll detect smoke only after the fire alarm goes off. Compliance and operational risk frameworks are inherently backward-looking. They catch what's already happened. Reputational risk, when properly framed, helps institutions see what's coming. It allows for soft signals to be taken seriously, and for supervisory judgment to be used before a scandal hardens into enforcement.

OCC

OCC outlines plan for referring regulatory offenses to DOJ

Pursuant to an executive order on "overcriminalization," the OCC said it will revise its guidance for referring regulatory offenses to the Department of Justice for criminal prosecution and will publish a review of criminally enforceable regulations by May 2026.

By Ebrima Santos Sanneh

June 20

By removing reputational risk, the OCC hasn't made the system more objective. It's made it more passive. Supervisors will now be asked to explain discomfort in other terms, or not raise it at all. That changes behavior. That raises the threshold for intervention. And that increases the odds that reputational decay, left unchecked, turns into something that can't be contained.

Bankers know this. So do examiners. Reputation isn't fluff. It's a proxy for integrity, governance and tone. It's the first signal that something is off, too many customer complaints, an executive change that doesn't sit right, a business unit that stops responding to internal audit. These aren't compliance breaches. They're early indicators. And now, they've lost their label.

The OCC's move may look like streamlining. But to those who've studied supervisory failure up close, it looks like regression. It says that discomfort, unless measurable, isn't actionable. It says that perception doesn't belong in risk management. And it says, perhaps most dangerously, that banks will only be held accountable after the damage is done, not when the signals first emerge.

This isn't a call for overreach. It's a call for balance. Reputational risk has always been subjective, and it should never have been a catchall. But it was a necessary check. It gave supervisors room to elevate concerns that didn't fit neatly into a category. And it gave banks the incentive to stay ahead of not just failures, but perception itself.

Now that's gone. And in the long arc of financial oversight, this moment may be remembered not as a cleanup of duplicative language, but as the quiet elimination of one of the few tools that worked.