Top financial services regulatory issues for 2022

John Epperson, Dennis Hild
Top financial services regulatory issues for 2022

Banks can expect heightened regulatory scrutiny during 2022 in several critical areas.

As 2022 gets underway, the regulatory environment in the U.S. financial services industry continues to be a bit fragmented, and leadership changes are pending in several agencies.

Nevertheless, it is possible to identify several familiar, recurring regulatory issues where banks and other financial services organizations can expect to see continued focus. Additionally, a handful of emerging areas likely will attract increased regulatory attention in the coming months.

Leadership changes

Although some key positions are still awaiting a permanent appointment, a number of agencies are under new leadership – a condition that generally prompts changes in regulatory policy and priorities. Banks are taking note of several important personnel developments, particularly the resignation of Federal Deposit Insurance Corp. (FDIC) Chair Jelena McWilliams, effective Feb. 4, 2022. FDIC board member Martin Gruenberg is expected to step in as acting chair.

Another agency that remains under temporary leadership is the Office of the Comptroller of the Currency (OCC). After the nomination of Saule Omarova was withdrawn in November 2021, Michael Hsu continues to serve as acting comptroller, the third person to do so since Joseph Otting stepped down in May 2020.

Key positions at the Federal Reserve (Fed) recently have been reaffirmed with the renomination of Jerome Powell as chair and Lael Brainard as vice chair. Additionally, President Biden recently nominated former Fed governor Sarah Bloom Raskin to serve in the pivotal role of vice chair of supervision, along with Lisa Cook and Philip Jefferson to serve as Fed governors. All these nominations are subject to Senate confirmation at the time of this publication.

The September 2021 confirmation of Rohit Chopra as director of the Consumer Financial Protection Bureau (CFPB) is expected to produce a sharpened focus on fair lending and consumer finance issues in 2022, particularly in view of his previous high-profile public statements on these topics. (A deeper discussion of this focus follows later in this report.)

As these various agencies’ leadership positions are finalized, banks can expect an uptick in supervisory policy statements and guidance on a number of regulatory issues as well as refined approaches to supervision in the next exam cycle. While regulators have been slow to resume on-site exam activities more broadly, there have been some targeted visits, and it is reasonable to expect that agencies will resume more on-site exams while maintaining a largely hybrid approach.

Recurring regulatory issues, familiar topics

Notwithstanding the uncertainty surrounding leadership at several agencies, regulators are expected to continue ramping up expectations in several familiar areas. The following topics are likely to garner significant attention in financial services organizations of all charter types and asset sizes:

  • Third-party risk management

In August 2021, an interagency working group from the Fed, OCC, and FDIC issued guidance for community banks to use when conducting due diligence on fintech companies.1 Recognizing that the nature of services provided by fintechs can raise an organization’s risk profile, the guidance provides a good starting point to understand what regulators regard as minimum due diligence standards.

In September 2021, the Fed published a paper that complements the interagency guidance and provides an additional resource for community banks when partnering with fintechs.2

Aside from the issuances specific to fintech partnerships, the agencies are expected to finalize the broader policy statement on third-party risk management that was issued for proposal in September 2021.3 This updated guidance will replace a 2008 FDIC document and separate guidance issued by the Fed and OCC in 2013. The goal is to produce one consistently applied approach for use across the industry for third-party risk management. Agencies currently are reviewing comment letters received on the proposal and are expected to issue final interagency guidance during the next few months.

  • Bank Secrecy Act/anti-money laundering (BSA/AML) compliance

Regulators are certain to continue their ongoing push for financial services organizations to enhance systems and compliance programs to fight increasingly sophisticated financial crimes and money laundering schemes. In fact, there is likely to be even greater pressure on regulated organizations to modernize compliance efforts by taking advantage of enhanced monitoring capabilities powered by many commercially available platforms.

An April 2021 interagency statement on model risk management for bank systems supporting BSA/AML compliance offers some potential insights into regulatory direction.4 The statement was designed to clarify the agencies’ general views regarding appropriate practices for BSA/AML model risk management, recognizing that adopting innovative transaction monitoring tools and applying artificial intelligence can complicate model validation. Additionally, banks will need to pay attention to developing rules associated with the implementation of the Anti-Money Laundering Act of 2020, especially related to beneficial ownership reporting.

  • Cybersecurity risk

Cybersecurity remains a top concern for financial services organizations and regulators alike, as banks continue to operate in a broadening ecosystem in which data and information sharing becomes more prevalent. In November 2021, federal banking agencies issued a final rule on the prompt reporting of cyberattacks.5 Effective May 1, 2022, banks will be required to notify their primary federal regulator within 36 hours of any computer-security incident that rises to the level of a notification incident, as defined in the rule. The new rule also spells out notification requirements for bank service providers when a computer security incident would cause a material service disruption to their banking clients.

Ransomware risks also are attracting increased regulatory interest, as attacks are occurring with greater frequency at both large and small organizations. The Financial Crimes Enforcement Network (FinCEN) recently updated its ransomware advisory, including a list of red flags to help organizations identify and report suspicious transactions associated with ransomware payments.6 Banks and other financial services organizations can review the advisory to stay informed about the increased sophistication of ransomware attacks.

Other cybersecurity-related issuances from the Federal Financial Institutions Examination Council include guidance that encourages banks to evaluate multifactor authentication for online account access and separate guidance that focuses on the importance of effective risk management practices when using services in a cloud environment.

Emerging regulatory issues, new concerns

This year, we also expect to see increased regulatory focus in some less traditional or emerging areas for financial services organizations, including climate financial risk, crypto assets and stablecoins, operational resilience, consumer compliance, and cannabis.

  • Climate financial risk

In 2021, both the Fed and the OCC sent strong signals of their interest in financial risks stemming from climate issues. Both Fed Governor Brainard and Acting Comptroller Hsu have been particular advocates on the topic in public speeches. Additionally, nominated Vice Chair of Supervision Sarah Bloom Raskin has strong views on the need for supervisory guidance around climate financial risk for banking organizations.7

The Fed also has formed two separate climate-related working groups within the past year. The first of these, the new Supervision Climate Committee, was announced in January 2021 and is led by Kevin Stiroh, the former head of the New York Fed’s Supervision Group.8 A few months after that announcement, the Fed formed the Financial Stability Climate Committee, which is charged with identifying, assessing, and addressing climate-related risks to financial stability.9

Later in 2021, the U.S. Department of the Treasury’s Financial Stability Oversight Council responded to an executive order from the White House and released its own report on climate-related financial risk.10 This report is likely to be followed by additional guidance from member agencies, with initial efforts focused on climate financial risk-related stress testing for larger banks in 2022.

For its part, the OCC named its first-ever climate change risk officer in 202111 and included climate-related risk as a supervisory priority in its Fall 2021 “Semiannual Risk Perspective.”12 In December 2021, the OCC also published a proposal seeking feedback on draft principles designed to support the identification and management of climate-related financial risks that would apply to national banks with more than $100 million in assets.

  • Crypto assets and stablecoins

While the FDIC was less active on this issue than other agencies in 2021, the expectation is that this will change in 2022 with Chairman Jelena McWilliams’ departure in February. Although various agencies issued some conflicting signals on the subject during 2021, it seems certain that crypto assets will be the subject of considerable regulatory action and guidance in 2022. Outgoing FDIC Chair McWilliams had provided several updates emphasizing the importance of allowing insured banks to participate in crypto markets. It is not yet clear how her resignation will affect the agency’s stance going forward.

Meanwhile, Acting Comptroller Hsu has cautioned the industry against moving too quickly into these new areas of risk. Since 2020, the OCC has issued a series of four interpretive letters on the subject. The most recent, issued in November 2021, provided additional clarity to the earlier guidance, and it made a point of “reaffirm(ing) the primacy of safety and soundness.”13 It is worth noting that on Jan. 18, 2022, the OCC conditionally approved the charter application from Social Finance, Inc. to create SoFi Bank, but it placed limitations on SoFi Bank’s crypto activities in an effort to reinforce the bank’s safety and soundness.

One highly anticipated development in this area is the Fed’s review of the potential benefits and risks of issuing a U.S. digital currency, as central banks around the world experiment with the concept. The Fed issued its long-awaited report on Jan. 20, 2022, which includes more than 20 questions on which it is soliciting comments and responses through May 20. The Fed is specifically interested in input on whether and how a central bank digital currency might improve the domestic payments system.

Banks and other financial services organizations will need to pay particularly close attention to various agencies’ positions and guidance regarding the risks associated with cryptocurrencies.

  • Operational resilience

Operational resilience – that is, a bank’s ability to withstand and recover from disruptions and continue operations – does not always generate headlines, but the subject has become a part of examination dialogue in a growing number of banks over the past 12 to 18 months. The focus began to intensify after August 2020, when the Basel Committee issued a consultative paper outlining principles for operational resilience across seven categories.14 Two months later, U.S. agencies issued their own document, “Sound Practices to Strengthen Operational Resilience,”15 which is largely consistent with the Basel publication.

Although the U.S. guidance applies only to banks with more than $250 billion in assets, the agencies have been discussing many of the same principles with smaller organizations. The guidance outlines seven categories that are similar – but not identical – to those in the Basel paper, and it offers a list of 37 practices for specifically managing cybersecurity risk.

More recently, the FDIC conducted a “tech sprint” event on operational resilience in October 2021. Intended to be the first of several such events, this tech sprint involved three weeks of brainstorming and meetings with FDIC and community bank subject matter experts to identify data, tools, or other capabilities to help banks develop a greater understanding of their true resilience to any hazard.

The increased emphasis on operational resilience signals a potentially broader application of similar principles in banks under $250 billion in assets. The agencies are particularly interested in how well financial services organizations are prepared to handle threats and emerging advances to their information technology systems, operations, people, and facilities.

  • Consumer compliance

With director Chopra now at the helm of CFPB, that agency’s supervisory efforts are likely to accelerate in several key areas. The bureau’s impact, even in banks with less than $10 billion in assets, could grow as it continues to work closely with the prudential regulators who conduct on-site consumer compliance exams in those smaller banks.

Fair lending issues have been a primary area of focus since the CFPB’s earliest days, and the emphasis in this area almost certainly will increase in 2022. The bureau continues to expand and refine the complaint database on its website. This database often is a starting point for supervisory efforts and an area where the CFPB interacts extensively with the other banking agencies if it detects trends in complaints or has concerns about an organization’s efforts to respond and remediate. With the CFPB’s sharpened focus on financial services organizations' marketing strategies, fintech and other third-party partnerships, and consumer complaints, it is important for organizations to perform robust fair lending risk assessments and remedy any gaps.

Other potentially impactful recent actions by the CFPB include new guidance for Home Mortgage Disclosure Act (HMDA) reporting, effective March 1, 2022,16 and the issuance of a proposed new rule on small business lending data collection under the Equal Credit Opportunity Act, which was issued in at the end of August 2021.17 Earlier versions of the rule would have exempted organizations under a certain asset size from this new rule, but the most recent version removes that exemption.

  • Cannabis

A final area of uncertainty is the current lack of clarity regarding the risks associated with providing banking services to marijuana-related businesses (MRBs). Because of the inconsistencies between state and federal marijuana laws, many financial services organizations remain reluctant to establish relationships with state-licensed cannabis distributors and related companies.

For several years, cannabis businesses and other advocates have lobbied for passage of the Secure and Fair Enforcement (SAFE) Banking Act, which would shield national banks from federal criminal prosecution when working with state-licensed MRBs.

In November 2021, the House of Representatives attached the SAFE Banking Act bill to its version of the 2022 National Defense Authorization Act, marking the fifth time the House has tried to advance cannabis banking reform within the past two years. Ultimately, however, the SAFE Banking Act provision was withdrawn from the legislation, so efforts to speed financial transactions by MRBs are expected to resume in 2022.

In the meantime, financial services organizations that want to provide banking services to MRBs should consult with their primary regulator and review related FinCEN guidance around BSA expectations for MRBs.

A proactive approach

As the Biden administration enters its second year, regulatory agencies are likely to implement many of the administration’s priorities related to financial services. For banks and other regulated financial services organizations, consistent, careful monitoring of regulatory developments and risk management will be essential.

Taking a proactive approach to strategic planning is a critical part of this effort. Management teams should begin by assessing how their strategic growth and business plans could be affected by anticipated rapid shifts in supervisory policy and exam priorities among different regulators in 2022. Banks will need to carefully evaluate their compliance and risk management capabilities and resources. This evaluation will allow them to quickly pivot while enabling effective change management throughout this uncertainty.

With events occurring quickly and creating both new threats and opportunities, the ability to effectively identify, assess, and respond to market changes will be important in 2022. Investments made to bolster compliance and risk management capabilities can be leveraged to provide a competitive advantage versus employing them exclusively as cost centers.

Navigating the uncertainty and heading off potential challenges while getting to “yes” in a safe and sound way will be critical to the success of financial services organizations in 2022.


Qualified organizations only. Independence and regulatory restrictions may apply. Some firm services may not be available to all clients. Given the continued evolution and inconsistency of various state and federal cannabis-related laws, any company should seek competent legal advice relating to its involvement in the cannabis industry, including when considering a potential public offering as a cannabis-related company.

Explore services

Wondering how your organization can prepare for regulatory issues and updates? Let us know. We’d be happy to chat.
John Epperson
John Epperson
Managing Principal, Financial Services
Dennis Hild
Dennis Hild
Managing Director
1 “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks,” Federal Deposit Insurance Corp. Financial Institution Letter, August 2021,

2 “Community Bank Access to Innovation Through Partnerships,” Federal Reserve guidance, September 2021,

3 “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” Office of the Comptroller of the Currency Bulletin 2021-42, Sept. 10, 2021,

4 “Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance,” Office of the Comptroller of the Currency Bulletin 2021-19, April 12, 2021,

5 “Agencies Approve Final Rule Requiring Computer-Security Incident Notification,” Federal Deposit Insurance Corp. press release, Nov. 18, 2021,

6 “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” Financial Crimes Enforcement Network, FinCEN Advisory, FIN-2021-A004, Nov. 8, 2021,

7 Sarah Bloom Raskin, “Changing the Climate of Financial Regulation,” Project Syndicate, Sept. 10, 2021,

8 “Kevin Stiroh to Step Down as Head of New York Fed Supervision to Assume New System Leadership Role at Board of Governors on Climate,” Federal Reserve Bank of New York press release, Jan. 25, 2021,

9 Lael Brainard, “Financial Stability Implications of Climate Change,” Board of Governors of the Federal Reserve System, March 23, 2021,

10 “Financial Stability Oversight Council Identifies Climate Change as an Emerging and Increasing Threat to Financial Stability,” U.S. Department of the Treasury news release, Oct. 21, 2021,

11 “OCC Announces Climate Change Risk Officer, Membership in the NGFS,” Office of the Comptroller of the Currency news release, July 27, 2021,

12 Semiannual Risk Perspective, Office of the Comptroller of the Currency National Risk Committee, Fall 2021, p. 2,

13 “OCC Clarifies Bank Authority to Engage in Certain Cryptocurrency Activities and Authority of OCC to Charter National Trust Banks,” Office of the Comptroller of the Currency news release, Nov. 23, 2021,

14 “Principles for Operational Resilience,” Basel Committee on Banking Supervision, August 2020,

15 "Operational Risk: Sound Practices to Strengthen Operational Resilience," Office of the Comptroller of the Currency, Bulletin 2020-94, Oct. 30, 2020,

16 “A Guide to HMDA Reporting – Getting It Right!,” Federal Financial Institutions Examination Council publication, Jan. 1, 2021,

17 “Small Business Lending Data Collection Under the Equal Credit Opportunity Act,” Consumer Financial Protection Bureau proposed rule (Docket No. CFPB-2021-0015), Dec. 13, 2021,