FDIC Supervision Reform Under Travis Hill: What Banks Should Review Now

Review FDIC supervision reform under Travis Hill and key bank readiness steps for material risk, CAMELS, capital, BSA, and digital assets.

FDIC supervision reform under Chairman Travis Hill gives banks a clear message: compliance obligations are not going away, but examination focus is shifting toward material financial risk, legal violations, capital resilience, resolution readiness, innovation oversight, and risk-based supervision.

NETBankAudit experts have more than 25 years of experience helping financial institutions address audit, cybersecurity, BSA/AML, third-party risk, compliance, and regulatory readiness. If you have questions after reading this guide, please reach out to our team.

FDIC Supervision Reform Is Moving Toward Material Risk

FDIC Chairman Travis Hill’s June 4, 2026 testimony before the House Financial Services Committee frames supervision reform around material financial risk and violations of law, not process-oriented criticism alone.

That shift does not reduce the need for strong documentation. It changes what the documentation needs to prove. Policies, audit workpapers, committee minutes, board packets, and remediation records should show how management identifies risk, determines materiality, assigns resources, and tracks decisions through completion.

The FDIC and OCC proposed rule on unsafe or unsound practices and matters requiring attention is especially important because it supports a supervisory focus on issues with meaningful safety and soundness impact.

MRAs and supervisory criticism still require disciplined evidence

Hill stated that the FDIC has been reviewing existing matters requiring board attention and supervisory recommendations. The agency has been closing items that do not align with the new supervisory focus, while still requiring remediation for items that present material financial risk.

After the proposed MRA rule is finalized, remaining supervisory criticisms that satisfy the new standard would be converted to MRAs. For banks, the risk is misreading this as a documentation holiday. It is not.

Management should be prepared to explain why an issue is material or not material. The file should connect the issue to financial condition, legal compliance, operational resilience, consumer impact, liquidity, capital, or governance. Unsupported assertions will not be as useful as clear analysis and evidence.

CAMELS Revisions Could Change Examination Discussions

CAMELS remains central to safety and soundness supervision, covering capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk. Hill highlighted proposed changes that would focus rating definitions and evaluation factors on matters most relevant to financial condition.

The FFIEC CAMELS proposal would update the Management component, reduce the outsized influence of Management on the composite rating, and limit specialty examination impact to matters that pose material financial risk.

Management quality still matters, but the proof should be risk-linked

Management will remain a major examination topic. The difference is that governance discussions may become more tied to material risk management than broad process concerns. Board and committee materials should make that connection visible.

Useful evidence includes risk assessments that identify material exposure, minutes that show informed discussion, internal audit reports that prioritize findings, and management responses that explain remediation timing. Compliance teams should also confirm that accepted risks and delayed actions are documented with rationale.

Capital planning should reflect both proposals and final CBLR changes

Hill’s testimony also covered capital initiatives. In March 2026, the federal banking agencies issued two proposals to modernize risk-based capital requirements. One applies to the largest and most complex banks, with optional adoption available to banks of all sizes. The other applies to banks not subject to, and not adopting, the expanded framework.

The proposals are intended to improve risk sensitivity while maintaining strong capital standards. They address areas such as residential mortgages, retail lending, and business lending. Community banks should also evaluate the final Community Bank Leverage Ratio changes, which lowered the CBLR requirement from 9 percent to 8 percent and extended the grace period from two quarters to four quarters.

Capital planning should not be limited to regulatory calculations. Banks should assess how these changes could affect growth plans, merger modeling, internal capital targets, product strategy, lending concentrations, and stress planning.

Resolution Readiness and Deposit Flow Data Are Operational Issues

Resolution readiness is becoming more operational. Hill described FDIC work on large insured depository institution resolution planning, including a focus on information most relevant to supporting rapid, low-cost resolution under the Federal Deposit Insurance Act. The FDIC is also testing whether large IDIs can submit accurate operational and financial data into the agency’s virtual data room in a timely manner.

That matters because data delays can affect failed-bank sale options. A distressed bank may need to provide accurate information to the FDIC and potential acquirers quickly. Resolution readiness is therefore not only a regulatory filing issue.

The FDIC’s May 2026 staff study on the 2023 failures of Silicon Valley Bank, Signature Bank, and First Republic Bank also matters for liquidity planning. Hill said the study found deposit outflows that were unprecedented in size and speed. The FDIC also found that the top half of one percent of depositors were significantly more likely to run than other depositors, which should sharpen management’s focus on concentration behavior.

Financial institutions should translate these points into practical testing. Liquidity dashboards should answer questions quickly, not only after stress begins. Before the next examination cycle, management should test whether the following data and controls are current, accurate, and usable under pressure.

  • Deposit concentration and uninsured balance reporting
    Management should understand uninsured deposit concentrations, top depositor behavior, business deposit dependencies, and potential runoff under stress. The analysis should be available in a format that senior management and the board can use quickly.
  • Operational and financial data production
    Resolution readiness depends on accurate deposit, liquidity, vendor, operational, and financial data. Banks should test whether owners, systems, reports, and escalation paths are documented and current.
  • Contingency funding and communications
    Contingency funding plans should reflect practical execution, not just policy language. Crisis communication procedures should address customers, employees, counterparties, and board reporting.

Digital Assets Are Becoming a Bank Supervision Issue

The digital asset section of Hill’s testimony is operationally significant for banks considering tokenization, stablecoins, custody, reserve services, or fintech partnerships. These activities touch governance, deposit insurance, BSA/AML, sanctions, cybersecurity, third-party risk, disclosures, and board oversight.

The GENIUS Act established a federal framework for payment stablecoin issuers. The FDIC is responsible for regulating and supervising subsidiaries of FDIC-supervised insured depository institutions that are approved to issue payment stablecoins.

Stablecoin proposals create governance and control questions

The FDIC has proposed an application framework for FDIC-supervised institutions seeking to issue payment stablecoins through a subsidiary. It has also proposed prudential requirements for FDIC-supervised permitted payment stablecoin issuers, including reserve assets, redemption, capital, and risk management standards.

Banks should not treat this only as a crypto product question. The control environment should address application governance, approvals, reserve custody, customer identification, sanctions screening, AML monitoring, cybersecurity, vendor oversight, and management reporting.

Deposit insurance treatment should be clear in product analysis

Hill highlighted two deposit insurance points. Payment stablecoin reserves held as bank deposits would not be insured on a pass-through basis to stablecoin holders under the FDIC prudential proposal. Tokenized deposits that satisfy the statutory definition of a deposit would receive the same deposit insurance coverage as non-tokenized deposits.

That distinction should be reflected in product approval materials and customer-facing disclosures. It should also be considered in legal review, compliance risk assessment, third-party contracts, and customer complaint monitoring.

The agencies also issued FAQs on the capital treatment of tokenized securities. Those FAQs clarify that eligible tokenized securities generally receive the same capital treatment as the non-tokenized form of the security, reflecting a technology-neutral approach.

BSA/AML, Model Risk, and Third-Party Oversight Point Toward Outcomes

The FDIC is participating in broader BSA/AML reform. Hill described an interagency proposed rule to revise AML/CFT program requirements to align with FinCEN’s proposal and the Anti-Money Laundering Act of 2020. The direction is effectiveness, outcomes, and risk-based resource allocation.

This does not mean BSA expectations are relaxed. It means banks should be able to show that their programs focus on meaningful illicit finance risk. Minor, isolated, or technical weaknesses may be treated differently under the proposed rule, but weak governance or ineffective monitoring remains a serious issue.

Model risk management is also moving toward a more tailored approach. In April 2026, the Federal Reserve, FDIC, and OCC issued revised model risk management guidance. Hill said the prior guidance was overly prescriptive, while the revised guidance supports an approach tailored to size, complexity, model reliance, and materiality.

Compliance, audit, and risk teams should align documentation with outcomes. The strongest files will show both risk-based judgment and control testing. Banks should consider the following review areas when updating BSA, model risk, and technology governance documentation.

  • BSA/AML program documentation: Confirm that risk assessments, monitoring coverage, alert handling, investigations, SAR decisioning, training, and board reporting are tied to illicit finance risk.
  • Model inventories and validation: Review model ownership, validation scope, monitoring, change management, vendor-supported models, and limitations.
  • AI and automation governance: Determine whether newer analytics, automated workflows, or AI-related tools fall under model risk, technology risk, third-party risk, compliance risk, or another governance process.
  • Third-party risk management: Evaluate vendor tiering, due diligence, contracts, ongoing monitoring, access rights, incident notice, business continuity, and termination planning.

Other FDIC Policy Changes Banks Should Track

Hill’s testimony also covered policy areas that may affect compliance, governance, and strategic planning. These items may not require immediate policy rewrites for every institution. They should, however, be tracked through change management and included in board or committee reporting when relevant.

Institutions should assign ownership for monitoring each item. The owner should identify whether the issue affects policies, disclosures, controls, training, risk assessments, or examination preparation. A short written impact analysis can prevent regulatory change management gaps.

Several developments deserve attention because they may affect multiple functions at once. Compliance should not review them in isolation. Legal, operations, risk, IT, finance, and internal audit may all need to participate depending on the institution’s activities.

  • Confidential information disclosure: The FDIC expects to propose updates to Part 309, its information disclosure regulation. The current 12 CFR Part 309 disclosure regulation provides the existing framework for disclosure of information maintained by the FDIC.
  • Bank merger policy: In 2025, the FDIC rescinded its 2024 Statement of Policy on Bank Merger Transactions and reinstated the prior policy. Hill said the agency is reevaluating the merger review process with a goal of making it more predictable, timely, and transparent.
  • De novo bank formation: The FDIC is working with state and federal chartering authorities to better align deposit insurance application review with charter review through joint meetings, improved information sharing, and reduced duplication.
  • Re-presentment NSF fees: In April 2026, the FDIC rescinded supervisory guidance on multiple re-presentment NSF fees after finding that it was overly broad and created regulatory uncertainty. Banks still need accurate consumer disclosures under applicable laws and regulations.
  • Reputation risk: The FDIC and OCC finalized a rule prohibiting the use of reputation risk by regulators. Hill said the FDIC will not criticize or take action against supervised institutions based on reputation risk, including lawful but politically disfavored business activity.

Practical FDIC Supervision Reform Readiness Steps

Start with open supervisory issues

Classify existing MRBAs, supervisory recommendations, audit findings, and remediation plans by material financial risk, legal or regulatory requirement, owner, due date, and evidence status. This helps management distinguish process clean-up from matters that could affect safety and soundness or legal compliance.

Update board reporting around materiality

Board packets should summarize material policy developments, risk decisions, open remediation items, accepted risks, and planned enhancements. The goal is not longer reporting. The goal is clearer oversight evidence.

Test control evidence before the examination

Internal audit and compliance should test whether documentation supports management’s position. If a risk is immaterial, the file should explain why. If a risk is material, the file should show remediation priority, control testing, and reporting to the right governance body.

Connect innovation to existing risk disciplines

Digital assets, tokenized deposits, tokenized securities, fintech partnerships, AI, and automation should not sit outside established governance. Tie these activities to approvals, controls, disclosures, BSA/AML, sanctions, cybersecurity, vendor management, model risk, and business continuity planning.

How NETBankAudit Can Help

FDIC supervision reform places more weight on whether a bank can prove that management understands material risk, prioritizes remediation, tests controls, and reports meaningful issues to the board. That requires practical audit evidence, not just updated policy language.

NETBankAudit helps financial institutions evaluate regulatory readiness, cybersecurity controls, BSA/AML programs, third-party risk management, IT governance, internal controls, model and AI governance, digital asset readiness, liquidity and operational resilience controls, and examination preparation.

NETBankAudit was formed by IT executives and former regulatory officers to help financial institutions manage technology risk, regulatory complexity, and audit expectations. Our team supports banks with risk-based audits, testing, assessments, and practical documentation that can support management and board oversight.

If your institution needs help translating these FDIC policy developments into audit, compliance, cybersecurity, BSA/AML, third-party risk, or examination readiness work, contact NETBankAudit.
