OCC and FDIC Just Banned Reputation Risk From Bank Supervision — Here's What It Means for Your Compliance Program

April 9, 2026 Rebecca Leung

TL;DR

  • OCC and FDIC jointly finalized a rule prohibiting examiners from using “reputation risk” as a basis for adverse supervisory action, effective June 9, 2026
  • Three specific prohibitions: no examiner criticism based on reputation risk, no regulator pressure on customer/vendor relationship decisions, no account closure pressure based on political or religious views
  • The rule responds to years of alleged debanking of firearms dealers, crypto businesses, cannabis operators, and payday lenders
  • Banks don’t have to onboard new customers — but they need to update exam prep frameworks, account closure policies, and internal documentation

“Reputation risk” has been one of the squishiest, most weaponizable concepts in bank supervision for decades. Examiners could use it to flag almost anything — your customer’s industry, their social media presence, a news story about a third party, political associations. For banks serving firearms dealers, crypto exchanges, or payday lenders, it became an informal debanking lever.

As of June 9, 2026, that lever is gone. At least at federally supervised institutions.

What the Rule Actually Does

The OCC and FDIC published a joint final rule on April 10, 2026 titled “Prohibition on the Use of Reputation Risk by Regulators.” It covers all national banks, federal savings associations, federal branches and agencies of foreign banks, and all FDIC-supervised state-chartered nonmember banks.

The rule has three core prohibitions:

| Prohibition | What It Means |
| --- | --- |
| Supervisory criticism ban | OCC and FDIC examiners cannot issue MRAs, MRIAs, ratings downgrades, licensing denials, heightened capital requirements, or any other adverse action based on reputation risk |
| Relationship pressure restriction | Regulators cannot require, instruct, or encourage banks to terminate, refuse, or modify relationships with customers or third parties on reputational grounds |
| Protected activity protection | Agencies cannot pressure adverse actions — account closures, relationship exits — against individuals or entities because of their political, social, cultural, or religious views, constitutionally protected speech, or involvement in lawful businesses that happen to be politically disfavored |

The rule does not restrict banks from making their own business decisions. If your institution chooses not to bank a particular sector for genuinely internal business reasons, that’s still your call. The rule regulates examiner conduct, not bank policy.

BSA/AML enforcement is fully intact. The rule explicitly does not limit agency authority to act on safety and soundness violations, AML failures, or sanctions breaches. The specific prohibition targets “reputation risk” as a standalone supervisory rationale — not the legitimate risk categories that happen to be associated with certain industries.

Why This Rule Exists

The backstory is well-documented. For years, banking regulators — particularly under the prior administration — used informal guidance and examiner pressure to push banks away from customers in industries the regulators found politically objectionable. Firearms dealers, cryptocurrency businesses, payday lenders, cannabis-adjacent operations, and entities associated with certain political activities all reported being told by their banks that their accounts were being closed due to regulatory pressure.

The most prominent example was Operation Choke Point, the Obama-era DOJ initiative that used third-party payment processor pressure to effectively cut off banking access for payday lenders and firearms dealers. That program officially ended in 2017, but critics argued the practice continued through informal examiner messaging under the guise of reputation risk.

The Trump administration’s Executive Order 14331, “Guaranteeing Fair Banking for All Americans,” issued in August 2025, directed financial regulators to end this practice. The OCC and FDIC rulemaking is the formal implementation of that directive.

Comptroller Jonathan V. Gould’s statement on the rule was explicit: “Reputation risk has been misused as a pretext for regulators to advance policy preferences rather than address actual risk at supervised institutions.” FDIC Chairman Travis Hill’s statement was similarly direct.

What Changes in Your Exam Prep

If you’re preparing for an OCC or FDIC safety and soundness examination, this rule changes the playbook starting June 9.

What you used to need to defend:

Prior exam cycles included reputation risk as a core risk category. Examiners evaluated whether your customer mix, third-party relationships, or market positioning created reputational exposure. Banks serving industries like firearms, crypto, or subprime lending often pre-emptively documented their “reputation risk mitigants” — essentially building a file to justify serving customers they had every legal right to serve.

What changes:

Any supervisory finding in your next exam must be grounded in one of the recognized risk categories: credit, market, liquidity, operational, or compliance (including BSA/AML). If an examiner criticizes a customer relationship, they need to connect it to a specific, quantifiable risk — not a generalized concern that the customer makes the bank look bad.

What you should update:

  1. Risk classification frameworks — If your RCSA or risk register includes “reputation risk” as a standalone risk category tied to customer type or industry, review whether those items belong under operational, compliance, or third-party risk instead. The rule doesn’t prevent internal reputation risk management; it prevents regulators from weaponizing it against you.

  2. Exam management documentation — Any pre-exam briefing materials or management responses that reference “reputation risk mitigants” for customer categories should be reframed around quantifiable risk controls.

  3. Account closure and relationship exit policies — Pull these policies now. If they reference regulatory guidance, examiner feedback, or “reputationally sensitive industries” as a basis for account actions, that language warrants review. Post-rule, those decisions need independent internal justification, not examiner-directed rationale.

The Documentation Principle You Can’t Skip

Here’s the trap this rule creates for compliance teams if they’re not paying attention:

The rule prohibits regulators from pressuring banks to exit relationships. It does not immunize banks from scrutiny of their own independent decisions. If your institution declines to serve a firearms dealer or exits a crypto exchange relationship, and you can’t show a documented, internally generated business or risk rationale — that’s still potentially problematic under fair lending or non-discrimination frameworks.

The right move: document the reasoning, and make sure it’s yours.

If the risk justification for exiting a particular customer is genuinely yours — not examiner-driven — then articulate it: credit risk, AML complexity, operational capacity constraints, concentration limits. Put it in writing. Own the decision.

If, in a future exam, an examiner does suggest you exit a relationship, document that conversation. Note the date, the examiner’s name, and the specific suggestion. You now have a rule that says regulators cannot do that. An undocumented verbal suggestion from an examiner carries a lot less weight than a documented one you can escalate.

What About the Federal Reserve?

This rule covers OCC-supervised and FDIC-supervised institutions. Federal Reserve-supervised bank holding companies and state member banks are not directly covered by this specific rulemaking.

The Federal Reserve has historically aligned with OCC and FDIC on supervisory frameworks, and the political pressure that produced this rule applies equally to Fed-supervised institutions — but watch for a separate Fed action. As of this writing, no parallel Federal Reserve rulemaking has been announced.

If you’re at a bank holding company, check with your primary federal regulator and confirm whether reputation risk appears in any pending Fed guidance or supervisory expectations at your institution.

The Industries This Helps Most

The preamble to the final rule specifically names the industries whose debanking experiences motivated the rulemaking:

  • Firearms dealers and manufacturers — frequently cited as a sector where examiner pressure led to account closures
  • Cryptocurrency and digital asset businesses — this tracks with the broader regulatory posture shift toward crypto under the current administration
  • Cannabis-adjacent businesses — federally legal state cannabis operations and ancillary businesses that banks historically avoided, citing regulatory risk
  • Payday and small-dollar lenders — the original Operation Choke Point targets

If your institution has been declining to serve these sectors partly out of concern about examiner reaction, this rule significantly changes your risk calculus. That doesn’t mean the business risks in these sectors have disappeared — AML complexity for crypto remains real, for example — but the “examiner might flag this” rationale just got weaker.

Action Items for Compliance Teams

  • Review your RCSA and risk register for “reputation risk” line items tied to customer type, industry, or third-party category. Reclassify those under appropriate operational or compliance risk buckets where relevant
  • Pull your account closure and relationship exit policies. Redline any language that references examiner guidance, regulatory pressure, or “reputational sensitivity” as a basis for customer decisions
  • Brief your exam management team on the prohibition. If an examiner raises reputation risk in your next cycle, your team should know they can push back and document the conversation
  • Audit customer declination records from the past 24 months in historically disfavored sectors. If those decisions were influenced by perceived examiner pressure (not genuine business risk), review whether any are worth reconsidering
  • Check your vendor management policies — the rule also prohibits examiner pressure on third-party relationship decisions. If you have vendors in sectors that were formerly flagged as reputationally sensitive, review whether that designation was regulator-driven

The broader compliance lesson from this rulemaking: supervisory standards change, and the risk categories you’ve been optimizing for aren’t static. A risk framework that was built around avoiding examiner reputation risk citations needs to be rebuilt around the risk categories examiners are actually empowered to use.

See how BSA/AML — the one area where examiner authority is explicitly preserved — played out in the FinCEN record $80M penalty against Canaccord Genuity. And for updating how your institution categorizes and assesses risk post-rule, the RCSA Template gives you a structured framework for mapping risk categories and controls across your supervisory risk profile.


Frequently Asked Questions

What does the OCC/FDIC reputation risk final rule actually prohibit?

Effective June 9, 2026, the joint OCC/FDIC final rule has three core prohibitions: (1) Examiners cannot issue adverse supervisory actions — MRAs, ratings downgrades, capital requirements — based on reputation risk. (2) Regulators cannot pressure banks to terminate or modify customer or third-party relationships on reputational grounds. (3) Agencies cannot target account closures based on a customer's political, social, cultural, or religious views, or constitutionally protected speech.

When does the OCC/FDIC reputation risk rule take effect?

The final rule was published in the Federal Register on April 10, 2026 and takes effect 60 days later — June 9, 2026.

Does the reputation risk rule require banks to serve any specific customers?

No. The rule constrains regulators, not banks. Banks retain full authority to make independent business decisions about which customer relationships to accept or exit. The rule only prohibits examiners from pressuring those decisions based on reputation risk.

Does the reputation risk rule affect BSA/AML enforcement?

No. The rule explicitly does not limit agencies' ability to take supervisory action based on safety and soundness, BSA/AML compliance, or sanctions. If a bank is failing on AML controls, examiners can still act. 'Reputation risk' as a standalone pretext is what's prohibited.

What industries benefit most from this rule?

The rule was specifically motivated by alleged examiner pressure on banks serving firearms dealers, cryptocurrency businesses, cannabis operations, and payday lenders. These sectors were frequently subject to debanking pressure under prior administrations.

What should bank compliance teams actually do in response to this rule?

Audit your account closure and relationship exit policies for any references to examiner guidance or reputation risk. Document internal business and risk rationales for any decisions in historically disfavored sectors. Update exam prep frameworks to stop categorizing items under 'reputation risk' — any supervisory finding must now be grounded in credit, market, liquidity, operational, or compliance risk.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
