On October 7, 2025, the Office of the Comptroller of the Currency (“OCC”) and Federal Deposit Insurance Corporation (“FDIC,” together, the “Agencies”) published a Notice of Proposed Rulemaking (“NPRM”) to define an “unsafe or unsound practice” under the Agencies’ enforcement statute, section 8 of the Federal Deposit Insurance Act (12 U.S.C. § 1818), and revise the framework for issuing “matters requiring attention” or MRAs. If finalized, the new rule would generally limit the Agencies’ authority to take enforcement action or issue MRAs based on “unsafe or unsound practices” to circumstances posing material harm to the financial condition of the institution or a material risk of loss to the FDIC’s Deposit Insurance Fund (“DIF”).[1]
The Board of Governors of the Federal Reserve System did not join the proposed rulemaking.
The Agencies are requesting comments on a series of questions related to the NPRM, including whether the Agencies should change the components of the proposed definition of the phrase “unsafe or unsound practices,” and whether the agencies should implement any other changes to their supervisory processes more broadly. Comments are due 60 days after publication in the Federal Register.
Here are four things for financial institutions to know.
Section 8 of the Federal Deposit Insurance Act permits the Agencies to take enforcement action when an insured depository institution or institution-affiliated party (“IAP”) is, among other things, “engaging or has engaged, or the agency has reasonable cause to believe . . . is about to engage, in an unsafe or unsound practice in conducting the business of such depository institution.” Section 8 does not define an unsafe or unsound practice, and, until the NPRM, the Agencies had not sought to adopt a definition through formal rulemaking.
The proposed definition would effectuate the Agencies’ policy goals of prioritizing the supervision of banks’ financial condition over “concerns related to policies, process, documentation, and other nonfinancial risks.”[2] Accordingly, under the NPRM, an “unsafe or unsound practice” for purposes of Section 8 would generally be limited to “a practice, act, or failure to act” that “is contrary to generally accepted standards of prudent operation” and (1) “if continued, is likely to (A) materially harm the financial condition of the institution; or (B) present a material risk of loss to the [DIF],” or (2) has already materially harmed the institution’s financial condition.
According to the preamble of the NPRM, to establish the required nexus to financial condition, an act or practice must be “likely to directly, clearly and predictably impact an institution’s capital, asset quality, earnings, liquidity, or sensitivity to market risk,” or produce “financial loss.” Acts or practices relevant to an institution’s management, governance, or controls will not be “unsafe or unsound” absent likely financial impact. And non-financial risks are anticipated to come within scope “in limited circumstances,” such as in the case of “critical infrastructure or cybersecurity deficiencies” that are “so severe as to, if continued, be likely to result in a material disruption to the institution’s core operations that prevent the institution, its counterparties, and its customers from conducting business operations.” The financial harm standard does not include potential harm from alleged reputational risks unrelated to financial condition.
The Agencies propose to apply a similar, although less demanding, standard on MRAs. Like the enforcement standard, the NPRM would limit the issuance of MRAs to circumstances where an institution or IAP departs from “generally accepted standards of prudent operation,” with some risk of material harm to the institution’s financial condition or a material risk of loss to the DIF—or commits “an actual violation of a banking or banking-related law or regulation.” However, rather than requiring that any material harm to financial condition be “likely,” the MRA standard would only require that the relevant risk of harm or loss, if continued, “could reasonably be expected to [arise] under current or reasonably foreseeable conditions.”
This difference reflects the agencies’ intention to present a “lower bar” for MRAs than enforcement. The Agencies intend that the standard will continue to permit supervisors to “proactively identify, and require remediation of, material issues . . . . before it is too late,” that is, before weaknesses materialize on a bank’s balance sheet.[3] As drafted, the MRA standard would give discretion to supervisory staff to address potential risks that have not yet materialized, but stand some reasonable chance of posing a material financial harm to the institution in the future.
At the same time, the new MRA framework, if finalized, portends a potentially significant change to current supervisory practices. First, while the Agencies have previewed future rulemaking to reform the Uniform Financial Institutions Rating System (“UFIRS”), or CAMELS, rating system, the NPRM’s preamble identifies an initial step, consistent with statements of the Agencies’ leaders in recent months. The Agencies “expect that any downgrade in an institution’s composite supervisory rating” to a “3” rating (less-than-satisfactory) or below will “only occur in circumstances in which the institution receives an MRA that meets the standard outlined in the proposed rule or an enforcement action pursuant to the agencies’ enforcement authority.” Put differently, the Agencies expect that a composite rating of “3” or lower will only occur when deficiencies are sufficiently tied to material financial condition risks, and not to management, governance, and controls issues alone.
Second, MRAs for non-financial risks have become commonplace. Going forward, the NPRM preamble indicates that “agency examiners may informally provide non-binding suggestions to enhance an institution’s policies, practices, condition, or operations” that do not pose a reasonably foreseeable material harm to the institution’s financial condition. But the NPRM preamble states that the Agencies would not be permitted to require institution action plans around informal observations, nor could they track adoption or implementation of these “suggestions.”
Third, under current agency practice, an institution’s failure to implement fully the recommendations in an MRA commonly leads to an enforcement action. The NPRM would require Agency staff escalating an MRA to an enforcement action to satisfy the requirements of the “unsafe or unsound practices” definition independently, which would prevent them from using the MRA process as an end-run around the “likely” harm requirement.
The NPRM contains a “tailoring” provision that allows the agencies to “tailor [their] supervisory and enforcement actions . . . and issuance of matters requiring attention based on the capital structure, riskiness, complexity, activities, asset size and any financial risk-related factor that [they] deem[] appropriate.” The provision would require tailoring both with respect to the requirements or expectations set forth in such actions and with respect to whether to bring such actions in the first place. The effect, in the Agencies’ view, would be to establish a “much higher bar for a community bank than for a larger institution when considered against the overall operations of the institution.”
The NPRM’s definition of “unsafe and unsound” practices under Section 8 of the Federal Deposit Insurance Act and corresponding revisions to the MRA regime intentionally leave several key aspects of the framework undefined. For example, while the proposal would require some evidence that an institution’s practices departed from “generally accepted standards of prudent operation,” the proposal fails to specify how to establish the existence of such a standard. In the past, examiners have at times relied on their individual judgments and experience in lieu of establishing objective evidence of a generally accepted standard.
In addition, the preamble to the NPRM attempts to describe the kinds of financial harm that may be “likely” or qualify as “material.” But the proposed rule does not define either term, or establish any quantitative metrics or benchmarks that might facilitate the terms’ interpretation and implementation. Notably, the NPRM fails to adopt the test established by the D.C. Circuit, which is that a practice is sufficiently material to be “unsafe or unsound” only if the practice threatens the “financial stability” or “financial integrity” of the institution as a whole.[4] The NPRM is also unclear as to whether the financial materiality standard for MRAs reflects a binding legal constraint on the agencies, or an exercise of policy discretion that may in the future be revised.
Among other ambiguities, the NPRM: (i) does not explain the legal or economic basis for its “tailoring” proposal; (ii) does not tie its requirement of “likely” financial impact to any standard legal causation framework; (iii) does not explain whether or how its concept of “materiality” relates to materiality under securities laws or other legal constructs; and (iv) does not establish procedural or other safeguards to ensure that the agencies are complying with the rule before threatening to pursue an enforcement action. The agencies have invited comment on whether the rule requires additional specificity, indicating that more precision may be forthcoming in the final rule.
* * * * *
For more information about the NPRM, please contact the members of Covington’s Financial Services practice.
[1] The NPRM applies to any institution subject to supervision and enforcement by the agencies; accordingly, it appears to apply not only to supervised financial institutions, but also to entities subject to supervision and examination through the Bank Service Company Act.
[3] Statement of Acting Chairman Hill.
[4] Johnson v. OTS, 81 F.3d 195, 204 (D.C. Cir. 1996).