OCC and FDIC Eliminate 'Reputation Risk' from Bank Supervision — What Compliance Teams Must Do Now
TL;DR
- OCC and FDIC jointly finalized a rule on April 7, 2026 banning the use of “reputation risk” as a basis for supervisory action against banks
- Regulators can no longer require banks to close accounts, exit business lines, or drop third-party relationships based on perceived reputational concerns unrelated to financial safety and soundness
- Applies to all national banks, federal savings associations, and federal branches — community banks included
- Compliance teams need to update risk frameworks, account management policies, and examination prep materials before the 60-day effective date hits
For years, “reputation risk” was a supervisory catch-all. The customer your bank served, the business line you maintained, the counterparty you cleared — if a regulator decided it looked bad, “reputation risk” showed up in the exam findings. No bright-line standard. No appeal to objective criteria. Just examiner judgment dressed up in risk language.
That’s now officially prohibited for OCC- and FDIC-supervised institutions.
On April 7, 2026, the OCC and FDIC jointly issued a final rule eliminating reputation risk as a valid basis for supervisory action. OCC Bulletin 2026-12 and the FDIC companion press release formalize what both agencies had already directed examiners to implement informally, but it is now a binding rule, not guidance.
Comptroller Gould was direct about it: “Reputation risk is not a sound basis for supervision. Regulators and banks have too often used it as a pretext for decisions that have nothing to do with safety and soundness.”
That quote carries real weight. And for compliance officers updating programs this week, it carries immediate operational implications.
What Prompted This: The Debanking Controversy
The rule didn’t emerge in a vacuum. It’s tied directly to Executive Order 14331, “Guaranteeing Fair Banking for All Americans.” The EO reflected years of complaints — voiced loudest by cryptocurrency companies, but not limited to them — that regulators had leveraged reputation risk assessments as cover to pressure banks into cutting ties with lawful but politically disfavored industries.
Crypto exchanges, digital asset platforms, firearms dealers, payday lenders — all reported difficulties maintaining or opening bank accounts during the prior regulatory era. Banks weren’t always the initiators. In documented cases, informal supervisory pressure — the kind that never shows up in a formal order but shapes examiner relationships — directed institutions toward terminating customer relationships that had nothing wrong with them from a credit, BSA/AML, or operational standpoint.
The rule takes a clear position: objective safety-and-soundness criteria only. If an examiner’s concern traces back to a customer’s industry, political affiliation, or public profile rather than measurable risk metrics, that’s not a valid supervisory basis anymore.
For context on the parallel Fed action: the Federal Reserve proposed a similar rule in February 2026 covering state member banks. The direction across the entire federal banking regulatory apparatus is consistent — reputation risk as a supervisory tool is being wound down. When the Fed finalizes its rule, the prohibition will effectively span all major federal banking regulators.
What the Rule Prohibits
Here’s the practical breakdown of what OCC and FDIC examiners are now explicitly forbidden from doing:
| Prohibited Action | What It Replaced |
|---|---|
| Criticizing institutions in exam findings based on reputation risk | CAMELS-adjacent findings citing reputational concerns |
| Taking adverse supervisory action (MRAs, enforcement orders) based on reputation risk | Informal and formal pressure tied to institutional perception |
| Requiring or encouraging account closures based on a customer’s political, social, cultural, or religious views | Examiner feedback directing exits from disfavored customer segments |
| Restricting access to financial services based on constitutionally protected speech or lawful activities | De facto pressure to exit crypto, firearms, or other “sensitive” industries |
| Requiring institutions to terminate or modify third-party contracts on reputation grounds | Vendor relationship exits prompted by supervisory pressure |
The rule’s definition of “reputation risk” is precise: the risk that an institution’s actions could negatively impact public perception for reasons unrelated to its financial or operational condition. That carve-out is important. Objective risk metrics still govern. Subjective perception concerns no longer do.
What Doesn’t Change
This rule is not a get-out-of-jail-free card on compliance. Safety and soundness examination criteria remain fully intact. BSA/AML compliance, fair lending obligations, UDAAP, sanctions screening, capital and liquidity requirements — all of that is exactly as required as it was yesterday.
If your bank is running a sloppy AML program, an examiner can still ding you for it. What they can’t do is add a reputation risk overlay that cites the type of customers you serve as an independent basis for adverse action.
The practical effect: if your institution was managing compliance partly around avoiding examiner discomfort with your customer mix, that’s no longer a regulatory requirement. You’re now working against objective standards — which, for well-run programs, is actually a simpler problem.
Compliance Program Implications: Five Things That Need Updating
If your program documentation references “reputation risk” in a supervisory context, work through this list before the 60-day effective date:
1. Risk Assessment Methodology
Review your enterprise risk assessment and any CAMELS-adjacent risk taxonomy maintained for examination purposes. If “reputation risk” appears as a standalone risk category driving supervisory compliance actions, update the framework. Reputation concerns remain legitimate for internal business strategy and board-level discussions — what’s changing is their status as a regulatory compliance driver. The assessment needs to reflect that distinction.
2. Account Opening and Closing Policies
Any policy that references supervisory feedback, examiner input, or regulatory pressure as a basis for account review needs revision. Account closure decisions must trace to documented, objective risk criteria — not to perceived examiner discomfort with a customer’s industry or public profile. This is especially important if your institution has historically cited “reputation risk” as a secondary justification alongside BSA/AML findings. Keep those rationales separate and documented correctly.
3. Third-Party Risk Management Policy
If your vendor management or third-party risk program includes any language permitting vendor exit based on regulatory feedback about reputation, flag it for revision. The same prohibition covering customer accounts extends to third-party business relationships. Documented, objective offboarding criteria remain required — reputation-based supervisory pressure is not a compliant exit justification.
4. Examiner Prep and Board Materials
If your examination management materials include a dedicated “Reputation Risk” section framed around supervisory compliance, that section needs to be rethought. How you communicate reputational issues internally remains your call. But preparing for exam findings around a criterion that no longer exists is wasted preparation — and including it in board materials creates confusion about what your actual regulatory exposure looks like.
5. Regulatory Change Log
This rule is a material compliance program change. Log it. Assign an owner — the CCO or Chief Risk Officer. Set a target date for completing the policy review (aim for 45 days, ahead of the 60-day effective date). Document what was reviewed, what was updated, and what was determined to require no change. Regulators expect evidence that institutions track and respond to rule changes. A documented compliance review of this rule is exactly that evidence.
30-Day Checklist
Working backward from the effective date:
- Identify all policies and procedures that reference reputation risk in a supervisory context
- Update enterprise risk assessment methodology to reflect the rule’s scope
- Review account opening and closing procedures; remove language tying decisions to supervisory reputational pressure
- Audit recent account closures that cited reputation risk — ensure documentation reflects objective criteria
- Revise third-party risk management policy if it references reputation-based exam pressure
- Update examiner prep materials and management reports
- Brief board and relevant committees on the regulatory change
- Track the Federal Reserve’s parallel proposed rule and extend updates to state member bank operations when finalized
What This Means for Your Next Exam
For institutions under OCC or FDIC supervision: examiners have already been directed to implement this informally. The final rule makes the prohibition enforceable both ways. If you receive an exam finding that traces to reputation concerns rather than objective safety-and-soundness criteria, you now have a regulatory basis to push back.
Document your compliance with the final rule. Maintain airtight BSA/AML and risk management programs — those standards are unchanged. But the layer of subjective examiner impression management that reputation risk created? That’s no longer a compliance obligation.
For context on the broader OCC regulatory shift in 2026, see OCC Kills Recovery Planning Requirements for Large Banks — another significant rollback from earlier this month. And for a current benchmark on what genuine enforcement looks like when objective criteria drive the case, the FinCEN Record $80M BSA Penalty Against Canaccord Genuity remains the clearest recent example.
If you’re working through the policy updates this rule requires — tracking the regulatory change, assigning owners, documenting what was reviewed and updated — the Issues Management Tracker & Template gives you a structured system for managing exactly this kind of compliance program work.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.