Reference: Bulletin 2026-12
Executive Summary
- The Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) have finalized a rule to eliminate reputation risk as a valid basis for supervisory criticism or adverse actions.
- Regulators are now strictly prohibited from requiring or encouraging financial institutions to close accounts or terminate services based on a customer’s political, social, cultural, or religious beliefs.
- The rule protects lawful but ‘politically disfavored’ business activities from being targeted by regulators solely on the basis of perceived reputation risk.
- Financial institutions must pivot toward objective, data-driven risk assessments—such as credit, liquidity, and operational risk—rather than subjective reputation-based assessments.
- The rule aims to provide greater transparency and predictability in the supervisory process by preventing ‘informal’ regulatory pressure on bank-customer relationships.
What the Regulator Issued
On April 7, 2026, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) issued a significant final rule titled ‘Prohibition on Use of Reputation Risk by Regulators.’ This rule represents a formal codification of a major policy shift intended to limit the subjective power of examiners and ensure that bank supervision remains grounded in objective safety and soundness standards. The official announcement and full text can be found in OCC Bulletin 2026-12.
For decades, the concept of ‘reputation risk’ was utilized as a broad, often ill-defined pillar of bank supervision. It was frequently cited in the context of the CAMELS rating system, where negative public perception of a bank’s clients or business lines could result in lower ratings or formal enforcement actions. This new final rule effectively strips reputation risk of its teeth, prohibiting agencies from taking adverse action against an institution based on this metric alone. Furthermore, it explicitly bars regulators from using their influence to force the termination of specific products or services based on the political or social views of the customer base.
This move is widely viewed as a response to historical concerns regarding ‘de-risking’ and initiatives such as Operation Choke Point, where financial institutions were allegedly pressured to sever ties with lawful but controversial industries. By codifying these prohibitions into a final rule, the OCC and FDIC have created a higher legal threshold for regulatory interference, making it more difficult for future administrations to reverse these protections without a formal notice-and-comment rulemaking process under the Administrative Procedure Act.
Who Is Impacted
The primary entities impacted by this rule are national banks, federal savings associations, and all state-chartered banks insured by the FDIC. This includes a wide range of institutions from small community banks to global systemically important banks (G-SIBs). Within these organizations, several key departments will need to adjust their procedures:
- Board of Directors and Executive Management: Responsible for overseeing the transition of risk management frameworks away from reputation-centric models.
- Compliance and Risk Management Officers: Tasked with auditing existing ‘reputation risk’ policies to ensure they align with the new regulatory boundaries.
- Loan and Credit Officers: Who may now have more leeway to engage with clients in sensitive industries without fearing immediate regulatory blowback based on reputation.
- Legal Counsel: Who must monitor supervisory communications to ensure examiners are not inadvertently (or intentionally) bypassing the new rule through informal ‘nudges.’
Additionally, businesses operating in ‘politically disfavored’ but lawful industries—such as energy production, firearms manufacturing, and certain fintech or cryptocurrency sectors—may find that their banking relationships are more stable under this new framework. While banks still maintain the right to choose their customers, they can no longer cite ‘regulatory pressure’ as a vague justification for de-risking when no objective credit or operational risk exists.
Key Dates and Deadlines
The final rule will be effective 60 days after its publication in the Federal Register. Institutions should use this 60-day window to review their internal policies and prepare for upcoming examinations under the new standard. While the rule is not retroactive in a way that would automatically overturn past enforcement actions, it will apply to all supervisory activities and examinations conducted after the effective date.
Practical Action Checklist
- Review Internal Risk Policies: Audit all internal risk management frameworks to identify where ‘reputation risk’ is cited as an independent factor for account closure or service denial. Update these documents to ensure decisions are supported by objective metrics.
- Update Board Reporting: Brief the Board of Directors on the specific prohibitions of the final rule, particularly the shift away from reputation-based supervisory criticism.
- Refine De-risking Frameworks: Ensure that any decision to exit a business line or terminate a customer relationship is documented with a clear focus on credit, operational, or BSA/AML risks, rather than subjective reputation concerns.
- Train Front-Line and Compliance Staff: Provide training to staff who handle account opening and closing to ensure they understand that regulatory ‘disfavor’ is no longer a valid reason for adverse action against a client.
- Analyze Recent Supervisory Findings: Review past examination reports and Matters Requiring Attention (MRAs). If reputation risk was a primary driver, consider whether these findings require clarification or appeal in light of the new rule.
- Establish a ‘Regulatory Communication’ Protocol: Create a process for documenting all informal suggestions or ‘nudges’ from examiners regarding specific clients or industries. If an examiner suggests closing an account based on reputation, have a mechanism to escalate this as a potential violation of the final rule.
- Audit BSA/AML Risk Ratings: Ensure that high-risk flags in BSA/AML software are not triggered solely by the ‘controversial’ nature of a client’s lawful business activities.
- Update Third-Party Risk Management: If your institution uses vendors to assess reputation risk, review their methodology to ensure it does not inadvertently lead the bank into non-compliance with the new rule’s spirit of objective assessment.
- Document ‘Lawful but Disfavored’ Business Justifications: When engaging with industries protected by the rule, maintain robust documentation of the bank’s independent risk assessment to demonstrate that the relationship is maintained on an objective basis.
- Monitor State Regulatory Actions: For state-chartered banks, monitor whether state regulators adopt similar prohibitions or if they continue to utilize reputation risk, potentially creating a conflict between state and federal oversight.
- Review Marketing and Public Statements: Ensure that the bank’s own public-facing statements regarding ‘social responsibility’ or ‘reputation’ do not inadvertently create internal policies that contradict the objective standards now required by the OCC and FDIC.
- Engage with Trade Associations: Participate in industry dialogues to share best practices on how to navigate the transition away from reputation risk in the CAMELS rating process.
Open Questions / Watch Items
While the final rule provides a clear prohibition, several open questions remain regarding its practical implementation. One significant area of concern is the ‘Safety and Soundness’ overlap. Regulators may still attempt to frame what was once ‘reputation risk’ as ‘operational risk’ or ‘compliance risk.’ For instance, if a bank services a client that attracts significant public protest, an examiner might argue that the potential for physical disruption at bank branches constitutes an operational risk, rather than a reputation risk. Distinguishing between these categories will likely be a point of contention in future examinations.
Another watch item is the role of ‘Constitutionally protected speech.’ The rule explicitly prohibits agencies from encouraging the closure of accounts based on a person’s views. However, the line between protected speech and activities that could lead to financial crimes (such as fraud or money laundering) can sometimes be thin. Banks will need to be careful to ensure they are not ignoring genuine red flags under the guise of protecting a client’s social or political views.
Finally, the longevity of this rule across different political administrations is a key consideration. While a final rule is more durable than mere guidance, a future administration could initiate a new rulemaking process to re-introduce reputation-based metrics. Banks should watch for any legislative attempts to either codify these protections further or to roll them back in favor of more aggressive ‘socially responsible’ banking mandates. The tension between federal standards and potentially differing state-level regulatory philosophies will also require close monitoring, especially in jurisdictions where state regulators may still prioritize reputation risk in their own supervisory programs.
“The final rule… prohibits the agencies from criticizing or taking adverse action against an institution on the basis of reputation risk.”
“The final rule also prohibits the agencies from requiring, instructing, or encouraging an institution to close an account… on the basis of a person’s or entity’s political, social, cultural, or religious views or beliefs.”

