The 2024 regulatory environment for financial institutions

The failures of several larger banks in 2023 pushed regulators to propose several rules that, if finalized, would apply to larger financial institutions, primarily those with more than $100 billion in assets. At the same time, federal financial institution regulators also issued final guidance and proposals in October 2023 for other areas that will affect risk management and compliance efforts at organizations of all sizes. Regulators are expected to continue ramping up supervisory activities through 2024 around liquidity, third-party risk, anti-money laundering (AML), cybersecurity, and operational resilience.

Financial institutions find themselves navigating renewed challenges, particularly with liquidity risk and interest rate risk management. Competitive forces continue to press increased deposit rates amid sluggish loan growth that is keeping margins razor thin at most institutions.

In July 2023, the federal financial institution regulators issued an addendum to the longstanding “Interagency Policy Statement on Funding and Liquidity Risk Management.” The 2023 statement places a significant emphasis on contingency funding plans.

In 2024 examinations, examiners continue to closely monitor financial institutions’ approaches to fortifying their liquidity positions and managing exposure to interest rate risk. In accordance with the 2023 guidance, organizations should be testing and confirming access to contingency funding sources as part of their broader liquidity risk management strategy.

The current environment has enhanced the importance of asset-liability committees and risk committees in the reporting and monitoring of liquidity risk management strategies. Regulatory scrutiny has intensified in recent examinations, as indicated through some recent enforcement actions in which liquidity and asset-liability management are receiving heightened attention to confirm the effectiveness of risk mitigation measures. Further evidence of this focus on liquidity risk management has also been observed in remarks presented in recent regulatory speeches by agency officials.

As financial institutions navigate the increasingly complex regulatory landscape, the spotlight remains firmly on third-party risk management. Financial institution regulators continue to refine their focus, driven by updated guidance that raises the bar for organizations to maintain robust and mature risk management programs throughout the entire life cycle of third-party relationships.

• Historical focus and banking regulatory milestones. Third-party risk management has been an emerging focus for regulators since the Office of the Comptroller of the Currency (OCC) and the Federal Reserve (Fed) issued separate guidance in 2013.
• Evolving expectations and continued challenges. Regulators are particularly focusing on fintech partnerships and banking-as-a-service relationships.
• Key governance roles outlined. The updated 2023 interagency guidance that replaces the previous Fed and OCC guidance delineates crucial governance roles, necessitating an assessment of whether third-party relationships align with the banking organization's strategic goals and risk appetite in compliance with applicable laws and regulations. Bank regulators issued a related joint statement in July 2024 reminding banks of potential risks related to third-party relationships to deliver bank deposit products.

In the current financial institution regulatory landscape, the refined focus on Bank Secrecy Act (BSA) and AML compliance efforts unveils an environment shaped by ongoing investigations and heightened regulatory scrutiny.

The growing sophistication of financial crimes and money laundering schemes requires a proactive stance by financial institutions of all sizes to combat emerging threats. This requires financial institutions to continually enhance their systems and programs to fortify their defenses, recognizing the imperative of staying ahead in the battle against illicit activities.

As technology advances, the integration of AI into financial systems makes compliance programs even more challenging. Regulators are closely monitoring the impact of AI on the AML landscape, acknowledging the benefits of innovation coupled with the required risk management.

In navigating BSA and AML compliance, the convergence of technological advancements and regulatory updates underscores the strategic imperative for financial institutions. Staying ahead is not only a regulatory compliance requirement but a proactive risk management measure to safeguard the integrity of an organization and the broader financial system in the face of evolving threats.

Cybersecurity remains a critical joint effort among the agencies, as underscored by more than a decade of collaboration through the formation of the Cybersecurity and Critical Infrastructure Working Group by the Federal Financial Institutions Examination Council (FFIEC).

Even as financial institutions continually refine their capacity to allocate resources for preventing cyberattacks and bolster readiness to respond when such incidents occur, the evolving complexity of cybersecurity risk requires a nuanced understanding of each institution’s threat response capabilities.

While attention has traditionally focused on preventive controls, there is a growing emphasis on recovery capabilities and broader cyber resilience measures. In June 2023, the OCC updated its Cybersecurity Supervision Work Program, highlighting the inadequacy of single-factor authentication and directing attention toward systems configurations, patch management, and incident response.

A cyber resilient organization, as outlined by the OCC, demonstrates the ability to adapt to both known and unknown crises, threats, adversities, and challenges. The update also covers guidance on the requirement for notification to the primary regulator and emphasizes transparency and communication in the event of a security incident. The Federal Deposit Insurance Corp.’s (FDIC’s) “2024 Report on Cybersecurity and Resilience” also provided a reminder for banks on the vigilance and agility needed to combat malicious threat actors.

Operational resilience and sustainability are growing areas of focus in the supervisory process, signaling a shift toward heightened attention on board oversight and strategic planning. Boards likely will be under increased attention to ensure institutions are setting the right tone at the top, adhering to risk tolerances, and providing credible challenges to management.

While the 2020 “Interagency Paper on Sound Practices to Strengthen Operational Resilience” has been in effect for larger banks (exceeding $250 billion in assets), there has been a noteworthy expansion of discussions on operational resilience to include organizations well under that threshold. Regulators are engaging in conversations that incorporate elements of business continuity management, reflecting an industrywide effort to fortify operational frameworks and response capabilities.

In addition, the FDIC issued proposed enhanced corporate governance standards in October 2023 that, if finalized, would substantially raise the bar for FDIC-regulated banks with more than $10 billion in assets.

As previously mentioned, a few comprehensive regulatory proposals from 2023, if finalized, would impact financial institutions with more than $100 billion in assets. The federal banking agencies issued a proposal in July 2023 that would substantially revise regulatory capital standards for banks of this size, and essentially serve as the Basel III endgame in the U.S. This proposal has garnered significant discussion among regulators and legislators, with a revised proposal likely to be re-issued for an additional public comment period before the end of 2024.

In August 2023, the agencies issued proposed long-term debt requirements that would also apply to banks with more than $100 billion in assets. Lastly, the FDIC board approved a final rule in June 2024 to finalize amended resolution plan requirements that largely apply to banks with more than $100 billion in assets but also extend significant information reporting requirements related to resolution plans to institutions between $50 billion and $100 billion in assets.

We expect supervisory attention and activities for larger institutions to continue to ramp up through the remainder of 2024 and into 2025.