Bank Policy Institute

06/14/2025 | Press release | Distributed by Public on 06/14/2025 05:35

BPInsights: June 14, 2025

Safeguarding the Vaults: Regulator Data Security Lapses Call for Urgent Solution

BPI, the American Bankers Association, MFA and SIFMA called for significant reforms to how federal financial regulators handle sensitive data following the latest in a series of data breaches that exposed over 148,000 private correspondences containing sensitive supervisory information about U.S. financial institutions. In a letter addressed to Treasury Secretary Scott Bessent, the organizations identified concerns with regulators' data management practices spanning the previous administration. Weaknesses were identified in February 2025; however, growing threats from hostile nation-states targeting U.S. critical infrastructure serve as a reminder of the urgency to address vulnerabilities.

"[G]overnment agencies are increasingly the target of persistent and sophisticated nation-state attacks that could disrupt financial markets and our economy," the organizations wrote. "It is imperative that federal regulators recognize that they are equally a target of malicious actors and implement the same or substantially similar cybersecurity and incident response practices that they expect financial institutions to maintain."

Financial institutions are legally required to share sensitive, proprietary and non-public information with their regulators as part of the supervisory process. This information can range from capital and liquidity management to cybersecurity protocols. However, centralizing large amounts of data can create a prime target for illicit actors seeking to harm U.S. economic security. Government agencies, including regulatory agencies, are increasingly the target of cyberattacks.

Over the past two years, both the Treasury Department and the Office of the Comptroller of the Currency - the Treasury bureau responsible for supervising the U.S. banking system - have suffered significant cyber incidents. The latest dates back to 2023 and was identified in early 2025. Here are the facts:

  • Hackers compromised the OCC's systems in May 2023.
  • The OCC did not learn of the suspicious activity until February 2025 - meaning, hackers likely had access to the OCC's systems for over a year and a half.
  • The breach exposed an estimated 148,000 emails, some of which may have contained highly sensitive supervisory information that could give hostile nation states ample information to harm America's financial institutions.

These weaknesses point to a pattern of problems in how U.S. agencies secure data and are held accountable. To mitigate risk and prevent similar problems in the future, the groups made four recommendations:

  1. Hold agencies to the same security and data protection standards as private companies.
  2. Avoid centralizing sensitive data that could affect entire economic sectors and instead allow companies to maintain control and access to their data.
  3. Require regulatory agencies to notify affected companies when things go wrong.
  4. Limit data collection to only what is necessary.


  • Bloomberg: 'Cybersecurity Shouldn't Be a Job for Bank Examiners.' A Bloomberg editorial this week called for a "fundamental rethink" of government oversight of bank cyber risks. The editorial decried the conflicting, box-checking and inefficient approach to cyber examination "that is more focused on governance than on technical capabilities," and emphasized the challenge of attracting technically proficient examiners. "More drastic change is needed," the editorial board wrote. "First, cybersecurity shouldn't be the purview of bank examiners, who should stay focused on the industry's financial and business risks." Instead, the government should "replace existing rules and oversight with a joint task force of experienced - and well paid - cybersecurity professionals who can work with banks to monitor emerging threats and technologies." This group could design threat-detection exercises requiring banks to undergo simulated hacks and identify vulnerabilities. "Additionally, the administration should heed the industry's call to ensure that agencies adopt similar standards on security, data protection and incident notification that are required of the companies they supervise." The editorial concludes: "Some might defend the current system, which has withstood even serious breaches at large banks for more than a decade. But credit for that record largely goes to the banks themselves, which have made significant investments in shoring up their digital defenses. Without reform, the federal compliance burden could well threaten that progress."

Five Key Things

1. Potential SLR Changes Sent to White House by FDIC, OCC

Draft proposals to modify the supplementary leverage ratio, a capital measure for large banks, have been submitted to the White House's Office of Information and Regulatory Affairs for review by the FDIC and OCC, according to the OIRA website and media reports. The three prudential banking agencies, the FDIC, OCC and Federal Reserve, are expected to jointly propose changes to the capital requirement, which has constrained banks' ability to intermediate in the Treasury market. The OIRA submissions, in line with the President's recent executive order directing regulatory agencies to send rules for review, mark an initial step forward in that effort.

2. Government Examiners Are Prohibiting Banks from Lending to Some of America's Most Important Companies

A new BPI blog post warns that OCC guidance on venture lending is restricting credit to America's most innovative companies. A 2023 bulletin from Acting Comptroller Hsu effectively bars banks from lending to startups, even those with robust underwriting processes, ample reserves and prudent risk management.

  • State of play: The bulletin prohibits banks from issuing any venture loans deemed "non-pass" - including loans classified as "special mention," which are loans with potential weaknesses that deserve management's close attention, but don't expose a bank to sufficient risk to warrant adverse classification. The guidance wasn't issued for public comment, lacks supporting data and is now being treated by examiners as binding regulation.
  • Why it matters: Startups naturally carry risk, but they also drive job creation and technological advancement. The blanket prohibition undermines banks' ability to make loans that are a key source of credit for growth companies, even where the loan's risks are appropriately managed.
  • Problems and solutions: The post urges new OCC leadership to rescind the bulletin and rethink the broader trend of examiners dictating specific credit decision

3. Bessent on the Hill: SLR, Stablecoins, Bond Market

Treasury Secretary Scott Bessent testified at two hearings on Capitol Hill this week - before the House Committee on Ways and Means and the Senate Appropriations Committee. Bessent, who is being considered as a potential successor to Fed Chair Jerome Powell according to media reports, said he is "happy to do what President Trump wants me to do … I would like to stay in my seat through 2029." Powell's term ends in 2026. Here are some highlights on key banking issues.

  • SLR: At the Senate hearing, Sen. Bill Hagerty (R-TN) noted the effect of the supplementary leverage ratio on banks' capital requirements for low-risk assets like Treasuries. He asked Bessent about upcoming changes to the ratio and potential effects on Treasury yields. "Risk assets are like cholesterol," Bessent responded. "There's good cholesterol and bad cholesterol, that some risk assets are riskier than others, and the problem with the SLR is it doesn't differentiate. So we have been working via FSOC and the regulators … to coordinate a change in the supplementary leverage ratio for the purchase of Treasuries. We don't know the exact magnitude in terms of how it might affect yields, but what we have seen in the past is that … when this requirement was removed, it had a substantial effect."
  • Stablecoin bill and Treasuries: Also at the Senate hearing, Hagerty framed the upper chamber's stablecoin bill (the GENIUS Act) as beneficial to the Treasury market by sparking demand for Treasuries from stablecoin firms using the bonds as reserves. Bessent reiterated the administration's goal of making the U.S. a world leader in digital assets and support for maintaining the U.S. dollar's global reserve currency status. "I believe that stablecoin legislation backed by U.S. Treasuries or T-bills will create a market that will expand U.S. dollar usage via these stablecoins all around the world," Bessent said.
  • Treasury market functioning: Asked about the state of the Treasury market at the House hearing, Bessent said the bond market has "functioned very well," even during volatility in April. He added that bond issuance is "going quite well" at Treasury, with an uptick in primary purchasers. He dismissed concerns about a crisis in Treasury yields: "The United States 10-year is the only major 10-year yield in the world that is down on the year… So, for all the 'sky is falling' and cries of 'what's happening' or 'a crisis is inevitable,' the U.S. continues to be the most stable bond market."

4. Supervision's Past, Present and Future - What They're Saying

The Brookings Institution held an event this week on the history of bank supervision and the road ahead. The event featured multiple panels and remarks from former regulators and academic and legal experts. Discussions included what constitutes supervision success, how it can be measured given the secrecy of supervision and constitutional implications for bank supervision. Here are some notable highlights.

  • Need for accountability: Wharton professor Christina Parajon Skinner said that rather than focusing on whether supervision is politically independent, policymakers should question whether it is accountable. "But the point is that rather than focus on this question of whether supervision is independent, what we really should be focusing on is how to make supervision accountable, ultimately, to the people, and that's where I think unitary executive theory is so compelling and constitutionally correct." The unitary executive theory states that the President has sole authority over the executive branch of government. The remarks came amid recent policy debates over the extent of the Fed's independence on bank regulation and supervision and the extent of the presidency's authority over independent agencies.
  • Material risks vs. process: Paul Weiss attorney Jarryd Anderson expressed support for Vice Chair for Supervision Miki Bowman's recent call to revisit the post-Global Financial Crisis regulatory framework to gauge whether it makes sense for the present reality. Anderson noted a recent policy debate over which metrics in examination ratings should be overemphasized. "In order to effectively supervise an institution, it's important to have experienced bank examiners who know when to kind of push and pull, and can be transparent and forthcoming in their communications," he said. "…There's a shift from the regulators, as well as from the industry, and kind of pushing and really weighing the material financial risks against some of the operational and process-oriented items that show up in exams."
  • Shifts in supervision: University of Glasgow professor Sean Vanatta, coauthor of a recent book on bank supervision, described a shift in supervision in recent decades from a "more dynamic" approach to a focus on compliance.
  • Also on supervision: Starling CEO Stephen Scott published an op-ed in American Banker this week calling for the "M" in CAMELS ratings to stand for "modernization." The HUMPS Act, a supervision reform bill recently advanced by the House Financial Services Committee, takes aim at a vulnerability in the CAMELS rating framework that "distorts outcomes and undermines trust in the supervisory process," he wrote - the "M" (Management) rating, which is opaque and subjective. The HUMPS Act directs the Federal Financial Institutions Examination Council to revise the rating system by "establishing clear, objective standards for each component and eliminating or reforming the subjective 'management' component." "In short, the bill demands that supervisory judgment rest on firmer ground, and for that it deserves cautious support. But let's be clear: Eliminating the 'M' altogether would be a mistake," Scott wrote. He called for "modernizing" qualitative assessments in bank supervision: "one that allows some degree of supervisory judgment regarding management and governance quality will persist, but that calls for it to be grounded in a common evidentiary basis."

5. Capital, Crypto and Mergers: Q&A with OCC's Hood

OCC Acting Comptroller Rodney Hood participated in a Q&A with POLITICO published this week. Here are some highlights.

  • Capital: Hood said the banking agencies are working "in tandem - and in harmony" to advance changes to the supplementary leverage ratio, which has exerted constraints on banks' Treasury market intermediation capacity. Ensuring a robust and active Treasury market is one of the main goals of the policy changes, Hood said. "I think that we are hoping to have something sooner than later," he said. "It's likely to be the first big interagency activity you've seen with the new administration." The agencies are also considering Basel III Endgame, he said, noting the need for a reproposal of the measure. "We were all in Basel, Switzerland recently sharing with that body - and that's all the global regulators - that the Americans are going to be recalibrating. We're not retreating, which was met with a lot of relief," he said. "I think there were those that thought we were going to retreat. But we are going to recalibrate and have a capital plan that does not … eliminate the competitive position of our American banks." He said the goal is "capital neutrality" and called for avoiding gold-plating.
  • 'Effective … not excessive' on M&A: Asked about the Capital One-Discover merger approval, Hood declined to comment on specific transactions, but said "there is a regulatory regime now that fosters a streamlined approach to regulation being effective and not excessive when it comes to bank mergers." He noted roadblocks to regulatory approval that had stifled merger activity. The OCC's recent interpretive rule on M&A is meant to convey "a streamlined, expedited approach for well-managed, well-capitalized institutions," he said.
  • Crypto: Hood referred to recent OCC actions to reverse ambiguous and overly strict approaches to banks engaging in crypto activities. "If we at the OCC do not give regulatory clarity and guidance to our banks … then they're going to miss out on opportunity to serve their customers. I look at it as a digital frontier," he said. He emphasized the need to address money laundering risks and ensure compliance with Bank Secrecy Act requirements in crypto. With regard to stablecoin legislation under consideration by Congress, Hood said the OCC is prepared to implement it. "We will have a team of examiners in place that will be ready to act when the legislation is passed. … We're going to have to do a rulemaking. We'll do a request for comment and things of that nature. But we're going to make sure that we have all of the components … necessary for a safety and soundness exam."

In Case You Missed It

The Crypto Ledger

Here's the latest in crypto.

  • CLARITY advances: The House Financial Services and House Agriculture Committees advanced the lower chamber's crypto market structure bill, known as the CLARITY Act, in votes this week. The bill garnered support on the Financial Services Committee from two Democratic members, with the vote standing at 32-19 following a lengthy markup. The Agriculture Committee advanced the legislation 47-6.
  • Senate stablecoin bill moving forward: The Senate invoked cloture - a key procedural tee-up - on Sen. Bill Hagerty (R-TN)'s proposed substitute amendment to the GENIUS Act, a landmark stablecoin bill. The cloture vote attracted bipartisan support. The bill is expected to receive a final vote in the coming days. The White House issued a statement of support for passage of the bill.
  • Crypto money laundering: U.S. prosecutors this week charged Iurii Gugnin, the Russian founder of U.S.-based crypto platform Evita, with laundering over half a billion dollars on behalf of sanctioned Russian banks and other entities, primarily through Tether stablecoins. Gugnin faces 22 counts of wire and bank fraud, U.S. sanctions violations and money laundering, among other charges.

OCC Rejects State Bank Supervisors' Push to Rescind Preemption Rules

The OCC this week rejected a bid by the Conference of State Bank Supervisors to rescind the agency's preemption rules in light of a White House executive order aimed at reducing regulatory barriers. The rules summarize the OCC's historical assessments of state laws affecting OCC-regulated banks. The state bank supervisor group had argued that the OCC rules enable banks to skirt state consumer financial laws, harm competition and are not based on the "best reading" of the underlying statute. The OCC, in a letter by Acting Comptroller Rodney Hood, rejected these arguments: "The OCC has thoroughly considered the points you raised and, as set forth above, reaffirms that its preemption regulations are valid under applicable law and are critical to ensuring the continued strength of our Nation's banking system." Moreover, the letter indicates the OCC "will continue to vigorously support and defend federal preemption."

  • Preemption and prosperity: The OCC in the letter said federal preemption "has proven to be a powerful enabler of local and national prosperity and growth." The principle helps the banking system work efficiently across state lines by allowing them to rely on a uniform set of rules, the OCC noted. "Thus, federal preemption has helped to foster the development of national products and services and multi-state markets, which have benefitted individuals and businesses in every state and powered this Nation's economy."

Traversing the Pond

Here's the latest in international banking policy.

  • EU market risk capital rule: The European Commission this week adopted a measure that delays the implementation of the Fundamental Review of the Trading Book - the major market-risk component of the Basel capital rules - to Jan. 1, 2027. This adoption triggers a so-called "scrutiny period" in which the European Parliament and the European Council can deliberate on the measure. The document comes as policymakers expect delays in U.S. implementation of Basel capital revisions and have expressed concerns about competitiveness of EU banks in that context. Clarifications on calculations of the market risk capital requirements given last year by the European Banking Authority and the EC appear to be in place.
  • Quarles tapped for FSB task force: Former Federal Reserve Vice Chair for Supervision Randy Quarles was appointed this week to chair a Financial Stability Board task force conducting a strategic review of the FSB's implementation monitoring work. The FSB aims to increase its focus on promoting and monitoring implementation of key reforms in the works. The group will evaluate reform implementation efforts, the effectiveness of FSB tools and processes and recommend improvements in those areas.
  • A look at liquidity: FSB Financial Stability Institute Chair Fernando Restoy gave a recent speech on how to improve the liquidity regime to preserve financial stability, in light of the 2023 banking turmoil. Restoy recommended integrating two key dimensions of liquidity regulation: refinement and strengthening of liquidity requirements, and improving banks' readiness to access central bank facilities. "To date, these approaches have largely been pursued independently," he said. "However, I believe that integrating these two dimensions offers a more comprehensive framework for addressing liquidity risk. In doing that, there would be more chances to improve the control of liquidity risks without introducing overly restrictive regulatory requirements that could undermine commercial [banks'] business models." The speech noted the tradeoffs inherent in making the liquidity coverage ratio more stringent, and suggested a "tiered approach" to liquid asset eligibility and incorporating central bank facilities and collateral prepositioning. However, a prepositioning requirement over the current LCR could do more harm than good - embedding the stigma-inducing idea of central bank facilities as backstops.
  • Regional integration and fragmentation: A recent Bank for International Settlements paper focusing on Asian emerging markets suggests that strong regional ties can mitigate global regulatory fragmentation. This notion could have implications for the European Union, which has experienced challenges related to fragmentation in policy and regulation. Regional integration among emerging market economies complements global integration rather than substituting for it, the paper concludes, which implies that strong regional ties act as buffers against global fragmentation. Regional payment system integration reduces transaction costs of trade and enables cross-border banking efficiency, the paper suggests.

Federal Circuit Overturns USAA Patent Verdicts, Marking PNC Success

A federal circuit court on Thursday invalidated two jury verdicts that USAA had won against PNC Bank on mobile check deposit patents. The patents cover only abstract ideas, according to the court. The verdicts had totaled nearly $223 million.

Barclays Launches Innovation Hub in London

Barclays announced this week the launch of a new Innovation Hub in London, working with a range of partners including Microsoft and NVIDIA, who will play a key role in shaping the space. The hub will focus on accelerating commercial growth of startups in innovation sectors like AI, deep tech and other areas.

Bank Policy Institute published this content on June 14, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 14, 2025 at 11:35 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at support@pubt.io