Alston & Bird Consumer Finance Blog

Banking Regulatory Agencies

AVM Quality Control Rule Takes Effect October 1, 2025: Are You Ready?

By

Mortgage originators, servicers, and secondary market participants should take note that the October 1 implementation date for the Interagency AVM Quality Control Rule (the “Rule”)  is fast approaching.

What Happened?

As mandated by the Dodd-Frank Act, on June 20, 2024, the Consumer Financial Protection Bureau, Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve Board, Federal Deposit Insurance Corporation, National Credit Union Administration and the Federal Housing Finance Agency (collectively, the Agencies) adopted a rule addressing the use of AVMs in mortgage origination and secondary market transactions. At a high level, the Rule (mirroring the language of Section 1125 of FIRREA) requires that mortgage originators and secondary market issuers that engage in credit decisions or covered securitization determinations, themselves or through or in cooperation with a third-party or affiliate, must adopt and maintain policies, practices, procedures, and control systems to ensure that automated valuation models used in [subject] transactions adhere to quality control standards designed to:

  1. Ensure a high level of confidence in the estimates produced;
  2. Protect against the manipulation of data;
  3. Seek to avoid conflicts of interest;
  4. Require random sampling testing and reviews; and
  5. Comply with applicable nondiscrimination laws.

Why Does it Matter?

Please see our prior blog post for a more fulsome summary of the Rule.

What To Do Now?

With implementation fast approaching, we have been fielding a lot of implementation questions, such as:

  • How does the rule apply to secondary market issuers, sponsors, or underwriters?
  • Do I need to comply if I rely on a GSE’s property inspection waiver?
  • More broadly, what do I need to do to comply given that the Rule is not prescriptive, but provides entities with flexibility to set quality control standards for AVMs based on the size, complexity, and risk profile of the entity and the transactions covered by the Rule?

Our team is happy to assist companies in prepare and to ensure that your entity has appropriate policies, practices, procedures, and controls in place to ensure compliance with the Rule’s requirements.

Financial Services Advisory | FDIC Takes First Steps in Revising Supervisory Appeals Processes

By , ,

Originally published August 18, 2025 on the Alston & Bird website.

Executive Summary

Our Financial Services Team examines a proposed rule by the Federal Deposit Insurance Corporation (FDIC) that would revise its process for institutions to appeal material supervisory determinations.

  • The FDIC proposes to replace its Supervisory Appeals Review Committee with a new “independent” Office of Supervisory Appeals
  • If finalized, the proposed rule would create a clearer path to challenge exam-based supervisory findings affecting institutions’ ratings, regulatory treatment, and reputational standing
  • Public comments are due 60 days after publication in the Federal Register, with a final rule expected in early 2026

On July 15, 2025, the Federal Deposit Insurance Corporation (FDIC) proposed revising its guidelines for appealing material supervisory determinations. The Proposed Rule reflects an effort to enhance the independence, clarity, and fairness of the FDIC’s internal appeals process in response to years of criticism from regulated institutions and trade groups. If adopted, the revised guidelines would strengthen procedural protections, increase transparency, and replace the FDIC’s existing Supervision Appeals Review Committee (SARC) with a standalone office within the FDIC known as the Office of Supervisory Appeals (OSA). This proposal merits a fresh comparison to the appeals processes of the other prudential agencies: the Office of the Comptroller of the Currency (OCC) and the Board of Governors of the Federal Reserve System.

FDIC’s Current Appeals Framework

Under the FDIC’s current appeals guidelines, an FDIC‐supervised institution may seek review of any “material supervisory determination.” That term broadly covers virtually all major exam ratings and related findings, including CAMELS, IT, trust, Community Reinvestment Act (CRA), and consumer‐compliance ratings; required loan‐loss provisions; significant asset classifications; certain determination relating to violations of law; Regulation Z restitution; decisions relating to informal enforcement actions; compliance with formal enforcement actions; matters requiring board attention; and certain other supervisory determinations as may be deemed appropriate. However, formal enforcement decisions (such as cease-and-desist orders, civil money penalties, placing an institution into conservatorship, or invoking prompt corrective action) are expressly excluded and are not appealable.

Before submitting a formal appeal request, institutions are encouraged, but not required, to make a good-faith effort to resolve disputes with on-site examiners or the appropriate regional office. If issues remain unresolved, the institution may submit a written request for formal review to the appropriate FDIC division director within 60 calendar days after receiving the exam report or other written notice of the disputed determination. The division director then has 45 days to review the request and must either issue a written ruling on the points raised or refer the matter to the SARC for appellate consideration.

If the institution is dissatisfied with the division director’s decision, it may appeal to the SARC within 30 calendar days of receiving that decision. The SARC is a three‐member intra‐agency panel composed of FDIC board‐affiliated senior officials, with the FDIC general counsel and FDIC ombudsman serving as nonvoting members. The appeal must be filed in writing and include a copy of the division director’s decision and the institution’s full legal and factual arguments. The institution may also request an oral presentation before the SARC. Once an appeal is filed, the SARC independently reviews the record as of the date of the original determination – focusing on consistency with applicable laws, regulations, FDIC policy, and the overall reasonableness of the supervisory action. A hearing on the appeal must be convened within 90 days of filing, and the SARC must issue a written decision within 45 days after such hearing. The SARC’s decision is communicated to the institution in writing and is published in redacted form for precedent.

The Proposed Rule

Chief among the Proposed Rule’s changes is replacing the current SARC structure with a new OSA as the final review body. Under the Proposed Rule, an institution would first appeal a material supervisory determination to the appropriate division director in the same manner as is currently in place. If the matter remains unresolved, the OSA would hear the matter. This independent office is intended to provide a “robust, independent supervisory appeals process” that promotes impartiality and consistency. The ultimate goal of the OSA is to remove appeals decisions from the usual examination management chain and vest them in a standalone entity staffed by objective experts.

The proposed OSA would be a permanent, standalone unit of the FDIC, separate from the examination divisions. The OSA would report directly to the FDIC chairperson’s office and be granted delegated authority by the FDIC board of directors to decide appeals. Decision panels would consist of three reviewing officials, each serving a fixed term. Notably, at least one panelist must have hands-on bank supervisory experience, and, to ensure neutrality, the FDIC plans to recruit from outside its own ranks. The Proposed Rule notes that potential candidates may include former regulators, former bankers, and other industry professionals with relevant expertise. Current FDIC employees would be ineligible for these panelist roles, and appointees would serve as part-time, conflict-checked FDIC staff members bound by FDIC confidentiality rules. The FDIC expects the OSA will be fully staffed and operational as soon as the Final Rule is issued and will replace the SARC as the final appeals forum.

Procedurally, the Proposed Rule otherwise mirrors the existing appeals framework. While an appeal would still originate with the division director, any further appeal would go to an OSA panel. The OSA will then conduct a new review of the contested determination. Like the division director, the OSA must assess the matter solely on legal and policy consistency and “the reasonableness of the support” offered for each side’s position. Importantly, the Proposed Rule explicitly instructs the OSA not to defer to the original examiner’s or the institution’s preferred outcome. By spelling out a nondeference standard, the Proposed Rule underscores that appeals are to be decided independently on their merits.

The FDIC’s ombudsman will continue to have a neutral oversight role under the new rules. As before, the FDIC ombudsman will serve as a nonvoting participant who liaises between the FDIC and appellant institutions; however, under the Proposed Rule, the FDIC ombudsman may submit written views to the appeals panel for its consideration and is tasked with monitoring for examiner retaliation.

FDIC leadership emphasizes that the reforms are intended to make the appeals process more independent, apolitical, and consistent. By staffing the OSA with external, term limited officials, the FDIC expects to attract impartial reviewers who have no ongoing career incentives tied to specific supervisory divisions. This “standalone entity” approach allows reviewers to devote their full attention to appeals cases, rather than juggling multiple FDIC duties. The inclusion of former bankers and regulators on appeal panels is meant to ensure that each panel has deep practical knowledge of banking, improving the quality and consistency of decisions. Collectively, these changes aim to reduce any perception of bias (for example, examiners reviewing one another) and to foster uniformity in how policies are applied across regions.

If finalized, these revisions would provide institutions with a clearer and more robust path to challenge exam-based supervisory findings that may affect ratings, regulatory treatment, and reputational standing. Public comments are due 60 days after publication in the Federal Register, with a Final Rule anticipated in early 2026. The promulgation of the Proposed Rule also invites comparisons with similar frameworks maintained by the OCC and the Federal Reserve, both of which have implemented mechanisms aimed at providing independent, impartial review of supervisory determinations.

Appeals at the OCC

The OCC has long maintained an informal appeals process, through the OCC’s supervisory officers, and a formal appeals process through its Office of Enterprise Governance and the Ombudsman or the deputy comptroller. Similar to the Proposed Rule, the OCC ombudsman is housed within the OCC but operates separately from the agency’s supervisory chain of command.

Institutions supervised by the OCC may appeal examination ratings, determination on the adequacy of allowance for credit losses, individual loan ratings, violations of law, Shared National Credit decisions, fair-lending decisions, licensing decisions, and material supervisory determinations in matters requiring attention, compliance with enforcement actions, or other conclusions in a report of examination. Generally, once an institution determines to appeal a decision, the institution may submit an informal appeal to the appropriate OCC supervisory office. Any informal appeal must be submitted within 10 days of receiving a final written agency decision. Once filed, the supervisory office then has 10 days to issue a written appeals decision. If the institution does not agree with the supervisory office’s determination, the institution may seek further resolution through the OCC’s formal appeals process.

Under the formal appeals process, an institution may submit an appeal to either the deputy comptroller or the OCC’s ombudsman. In both cases, the appeal must be submitted within 60 days of receiving the final written agency decision giving rise to the appeal.

If an appeal is filed with the deputy comptroller, the deputy comptroller will review whether the subject decision is appealable and solicit an appeal response from the applicable supervisory office. The deputy comptroller may then engage in discussions with the institution, request supplemental information, and consult with independent OCC staff. Once the review is completed, a final written decision is typically issued by the deputy comptroller within 45 days. If an institution disagrees with the deputy comptroller’s decision, the institution may further appeal the matter to the OCC ombudsman. This second-tier appeal must be submitted to the OCC ombudsman within 15 days of receiving the deputy comptroller’s decision letter. Upon receipt, the OCC ombudsman will review any material considered in the appeal response, including information submitted by the institution at the time of the appeal or any other information considered in making the appeal decision and may seek additional information from the appellant institution. As with the initial appellate decision, the OCC’s ombudsman will generally issue a response to the second-tier appeal within 45 days of acceptance.

If the appeal is filed directly with the OCC ombudsman, rather than seeking an initial determination from the deputy comptroller, the OCC ombudsman will determine whether the subject decision is appealable within seven days of receipt. If the decision is appealable, the supervisory office will submit an appeal response to the OCC ombudsman within seven days of the OCC ombudsman’s acceptance of the appeal. The OCC ombudsman may then engage in discussions with the institution, request supplemental information, and consult with independent OCC staff. In certain cases, the OCC ombudsman may order an independent reexamination, conducted by examiners who were not involved in the original review. Once the review is completed, a final written decision is typically issued within 45 days. Notably, if an appeal is filed directly with the OCC ombudsman, the institution is not eligible for a second-tier review.

As with the Proposed Rule, the OCC’s appeals policy requires the publication of anonymized appeals proceedings and prohibits retaliation against institutions that file appeals.

Federal Reserve Appeals

Under the Federal Reserve’s appeals framework, institutions are generally encouraged to raise concerns directly with Reserve Bank or Federal Reserve Board staff and resolve disagreements before beginning a formal appeal. Unlike the OCC’s informal framework, the Federal Reserve’s informal resolutions process does not have set timelines or procedural requirements; rather, institutions and regulators are expected to act in good faith. Despite the lack of procedural requirements, during this informal resolution process, institutions may contact the Federal Reserve’s ombudsman for confidential assistance and guidance.

If informal efforts do not resolve the relevant issues, the institution may submit a formal written appeal to the Fed’s ombudsman within 30 calendar days of receiving the supervisory determination. Under the Federal Reserve’s appellate process, institutions may appeal any “material supervisory determination” including material determinations relating to examination or inspection composite ratings, material examination or inspection component ratings, the adequacy of loan loss reserves and/or capital, significant loan classification, accounting interpretation, matters requiring attention or immediate attention, CRA ratings (including component ratings), and consumer-compliance ratings. Upon receipt, an initial review panel is appointed by the appropriate Federal Reserve division director. This initial panel consists of three Reserve Bank employees not involved in the original determination and an attorney adviser. The initial panel reviews the record independently, without deference to prior findings, and may meet informally with the institution. Following a review of the record, the initial panel issues a written decision within 45 days.

If the institution disagrees with the initial panel’s decision, it may request a final review by submitting written notice to the Fed’s ombudsman within 14 days. A final review panel composed of at least three Federal Reserve Board employees, including at least one who is a Federal Reserve associate director or higher, and an attorney adviser will then assess the appeal. This final panel reviews only the record from the initial appeal and applies a “clear error” standard of review. No new evidence may be submitted, but the final panel may determine in its discretion to have an informal appeal meeting at which a representative of the institution or counsel may appear personally to make an oral presentation to the final panel. Following a complete review, the final panel issues its written decision within 21 days of the request.

Unlike the OCC process (but similar to the Proposed Rule’s), the Fed’s ombudsman plays a procedural support role as opposed to a decision-making role. The Fed’s ombudsman advises institutions on how to navigate the process and serves as a confidential point of contact for retaliation concerns. While the ombudsman does not decide appeals, their involvement is intended to provide a valuable safeguard for preserving institutional independence and trust in the process.

Strategic Considerations and Industry Outlook

Supervisory appeals processes across all three federal banking agencies are critically important because they typically represent an institution’s sole administrative remedy. Judicial review of supervisory ratings is generally unavailable unless a finding is incorporated into a formal enforcement action or final agency order. Absent that, courts routinely hold that ratings decisions, and determinations on CAMELS, CRA, and IT assessments, are nonfinal agency actions and therefore ineligible for review under the Administrative Procedure Act.

As a result, institutions facing adverse examination findings must treat the appeals process as their only opportunity to create a formal record, present factual and legal rebuttals, and seek modification or reversal of supervisory conclusions. Additionally, exam findings and related requirements are not stayed as a matter of course when the determinations are appealed. If an institution desires the effects of a determination to be stayed, the institution must formally request action be taken.

The Proposed Rule and an anticipated shift in supervisory focus may encourage greater industry pushback on agency discretion, and banks may be more inclined to challenge material supervisory determinations that impact their growth, capital planning, or reputational profile. These appeals may also be strategically used to preserve a favorable standing ahead of potential mergers or capital offerings.

Nevertheless, appealing a supervisory determination carries certain risks. Institutions must carefully consider the potential impact on their ongoing supervisory relationship, the strength of their factual record, and the likelihood of success based on prevailing agency precedent. For that reason, early preparation is essential – banks should engage legal counsel at the examination stage, ensure contemporaneous documentation of examiner interactions, and begin preparing a factual narrative that supports potential appeal arguments.

If adopted as proposed, the Proposed Rule represents a meaningful shift in the FDIC’s appeals process. If finalized, the revisions would provide institutions with greater transparency and independence. While internal agency appeal remains a nonpublic and nonlitigious process, its significance cannot be overstated, particularly given the limited availability of judicial review.

While the Proposed Rule is not expected to be finalized until 2026, in the interim, regulated institutions should evaluate internal policies for addressing examination disputes, consider designating escalation teams within legal or compliance functions, and familiarize themselves with the appeals frameworks across all three federal banking regulators.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

Financial Services / Investment Funds Advisory | FinCEN Delays Enforcement of Investment Adviser AML/CFT Rule

By ,

Executive Summary
2 Minute Read

Our Financial Services and Investment Funds Teams examine the delay by the Financial Crimes Enforcement Network (FinCEN) of the effective date for the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) program requirements by two years.

  • The postponement aims to ease compliance costs, reduce uncertainty, and allow for further review of the rule
  • The rule would have included investment advisers in the list of “financial institutions” under the Bank Secrecy Act and required them to implement comprehensive AML/CFT programs
  • FinCEN will provide interim exemptive relief while reviewing the rule’s substance

_________________________________________

The Financial Crimes Enforcement Network (FinCEN) has postponed the effective date of its final rule establishing the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers Rule. The effective date, previously set for January 1, 2026, is now anticipated to be January 1, 2028.

The so-called “IA AML Rule” would have brought certain investment advisers within the definition of “financial institution” under the Bank Secrecy Act (BSA) and imposed comprehensive AML/CFT program obligations. FinCEN cited several reasons for the deferral, including:

  • Easing potential compliance costs for the industry.
  • Reducing regulatory uncertainty.
  • Allowing FinCEN to undertake a broader review of the rule’s substance and scope.
  • Ensuring the rule is “effectively tailored to the diverse business models and risk profiles” within the investment adviser sector.

FinCEN also indicated its intent to collaborate with the Securities and Exchange Commission (SEC) to revisit the previously proposed rule on customer identification program (CIP) requirements for investment advisers.

What This Means for Advisers

While this postponement provides a two-year reprieve from the compliance obligations of the IA AML Rule, it’s important to understand what these obligations would have entailed. Had the rule become effective in 2026, advisers would generally have been required to:

  • Develop and implement a written, risk-based AML/CFT program.
  • Designate an AML compliance officer.
  • Conduct ongoing training for relevant personnel.
  • Perform independent testing of their AML programs.
  • File suspicious activity reports with FinCEN about suspicious transactions.
  • If the associated CIP rule were finalized, implement customer identification and verification procedures for their clients.

FinCEN intends to revisit the rule’s substance through a future rulemaking process and will provide interim exemptive relief to formally delay the effective date. Firms should continue to monitor FinCEN and SEC announcements for further developments on these AML/CFT and CIP requirements.

_____________________________________________

Originally published July 28, 2025.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team or one of the attorneys on our Investment Funds team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

Financial Services / White Collar, Government & Internal Investigations Advisory | Financial Institutions Permitted to Use Third Parties to Collect Customers’ Taxpayer Identification Numbers for Identity Verification

By ,

Executive Summary
9 Minute Read

Our Financial Services and White Collar, Government & Internal Investigations Teams examine the Financial Crimes Enforcement Network’s new customer identification program (CIP) exemption that allows banks and credit unions to use third parties to collect customers’ taxpayer identification numbers (TINs).

  • Reflects the view that using third-party sources allows institutions to reasonably accommodate customers’ privacy and data security concerns about submitting TINs electronically
  • Mirrors the flexibility available under existing CIP rules for credit card account opening
  • Continues to require written, risk-based CIP procedures that enable institutions to form a reasonable belief that they know the true identify of each customer

___________________________________________

On June 27, 2025, U.S. federal bank and credit union regulators issued an order, with the concurrence of the Financial Crimes Enforcement Network (FinCEN), granting an exemption from customer identification program (CIP) rules. Under the order, U.S. banks and credit unions are relieved from the requirement to collect taxpayer identification numbers (TINs) (e.g., Social Security numbers (SSNs)), employer identification numbers (EINs), and individual taxpayer identification numbers (ITINs)) directly from customers at account opening. News releases by the Office of the Comptroller of the Currency (OCC) and other agencies generally touted the order as a reasonable exercise of regulatory flexibility that addresses customer privacy concerns without increasing fraud, money laundering, or bank safety and soundness risk.

Under CIP rules applicable since 2001, banks have generally been required to collect TINs in addition to names and other identifying information about customers seeking to open accounts.

Significantly, except in the case of credit card accounts, the account-opening institution has been required to obtain this information from the customer. The institution must then apply CIP procedures intended to use this information to verify the customer’s identity, which can include both documentary methods (such as comparison against the customer’s driver’s license or similar government-issued identification) and nondocumentary methods (such as comparison against information obtained from a consumer reporting agency (CRA)).

When the agencies and FinCEN jointly issued final CIP rules in 2003, they acknowledged industry concerns that the requirement to obtain this information from customers directly imposed an undue hardship on institutions in opening credit card accounts. Credit card issuers indicated that new customers were reluctant to provide their TIN information over the telephone and were typically not asked to do so in person. The regulators determined then that allowing banks to continue to rely on third-party sources, such as CRAs, for some of this information would be consistent with existing practices, which had, according to the regulators, “produced an efficient and effective means of extending credit with little risk that the lender does not know the identity of the borrower.”

The USA PATRIOT Act provisions implemented by the CIP rules (statutory authority that is part of what is generally referred to as the Bank Secrecy Act (BSA)) do not prescribe either the minimum information that banks must collect for verifying customer identities or the source of that information. The AML Act of 2020 specifically requires the agencies and FinCEN to review BSA regulations such as the CIP rules for those that may be outdated or that do not otherwise promote risk-based anti-money laundering compliance programs.

In 2024, FinCEN issued a request for information (RFI) soliciting feedback on the potential risks and benefits of permitting banks to obtain TINs from third-party sources instead of from customers as part of their CIP. Within both the RFI and the order, the regulators noted that significant technological changes had occurred within financial services since the CIP rules’ adoption in 2003, both in the ways that customers access such services and in how institutions deliver them. These changes reflect, among other things, innovations in available identity verification methods and tools.

As part of the RFI, the regulators also noted the increasing prevalence of bank partnerships with nonbanks and that these nonbank partners may not be directly subject to CIP or similar compliance requirements. This difference has both compliance and competitive implications for banks. The regulators also acknowledged the need, within the constraints of the existing BSA provisions that the CIP rules implement and other applicable law, to balance CIP requirements intended to prevent and detect fraud, money laundering, and other illegal activity, on the one hand, with bank burdens and customer privacy concerns implicated by account opening processes on the other. At this time FinCEN specifically requested public comment on allowing a bank to obtain partial TIN information from its customer (such as the last four digits of their SSN) and the customer’s full TIN from a third-party service provider.

The Order

The order provides an exemption from the CIP rule requirement for banks subject to the jurisdiction of the agencies (and certain bank subsidiaries) to obtain full TINs directly from the customer prior to opening an account.

The order permits banks, for all account types, to instead use an alternative collection method to obtain TIN information from a third-party source (such as a CRA), provided that the bank otherwise complies with CIP rules, which require written procedures that (1) enable the bank to obtain TIN information before opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) permit the bank to form a reasonable belief that it knows the true identity of each customer. The agencies stress that reliance on the exemption is optional; banks are not required to begin using an alternative TIN collection method. The order was effective immediately upon its publication, making the exemption it describes available immediately as well.

Basis for the Exemption

In issuing the order, the agencies relied on existing CIP rule authority allowing the bank regulators—with FinCEN’s concurrence—to exempt any entity subject to their supervision or type of account they may open from the rules’ requirements.

Ultimately, the agencies concluded that the risks associated with relaxing the CIP rules to permit banks to obtain TINs from third parties as described in the order did not outweigh the associated benefits. In particular, the agencies relied on (1) evidence of wide availability of alternative TIN collection methods; (2) an increase in electronic and other non-face-to-face account opening; and (3) the success of the existing credit card exemption. They also cited BSA legislative history for the proposition that these rules should not impose requirements that are burdensome, prohibitively expensive, or impractical.

While the agencies acknowledged fraud and identity theft risks associated with non-face-to-face account opening, they concluded that unauthorized TIN information exposure—from data breaches not specifically attributable to account opening or even to banks—has diminished the importance of the specific method of TIN collection used by banks for identity verification purposes. According to the agencies, this exposure has also contributed to consumer hesitancy to provide TINs at account opening. In light of this hesitancy and the increasing availability of alternative identity verification resources (including those using email address, geolocation, and internet protocol (IP) address location information), the agencies determined that the order provided meaningful regulatory relief consistent with safe and sound banking practices.

Risks Related to the Exemption and Other Considerations

The primary risk the agencies focused on within the order is that this exemption may result in weaker account opening processes and therefore increases in identity theft, fraud, and other illegal activity that the CIP rules are intended to prevent. In this regard, the agencies took care to reinforce not only that reliance on the exemption is optional but also that, to take advantage of it, institutions must still support their practices as part of a CIP program that reflects the bank’s assessment of the relevant risks and includes procedures enabling the bank to form a reasonable belief that it knows the true identity of each customer. The agencies asserted that the resulting banking practices will not be contrary to generally accepted standards of prudent banking operation or give rise to abnormal risk of loss or damage to an institution or its shareholders.

Public comments cited by the agencies also raised a concern that smaller institutions may not have the resources to implement third-party TIN collection methods or may be forced to increase fees or take other steps that negatively impact their customers or prospective customers (including the “unbanked”) to do so. The agencies did not specifically address this concern other than by reinforcing that implementation of these alternative methods is optional. Being an order pursuant to existing rules, the agencies did not have to consider these concerns in the same way that they would have had to as part of regulation changes.

The agencies also did not address concerns raised by commenters about the intersection of CIP rule requirements and Internal Revenue Service (IRS) backup withholding requirements. Banks relying on the order to collect TINs from third-party sources may need to align these procedures with procedures used to satisfy these withholding rules. Under these requirements, banks are generally required to implement backup withholding on customer accounts for which the bank is a payer of income (such as interest) for IRS purposes if the customer fails to either furnish accurate TIN information to the bank or fails to certify, under penalties of perjury, that the TIN information furnished to the bank is correct.

Banks frequently satisfy these requirements by collecting a Form W-9 (or substitute W-9 in accordance with IRS rules) from their customers. While backup withholding requirements are distinct considerations and are not implicated by all account types, many banks have streamlined their account opening requirements to satisfy both sets of requirements concurrently (and to streamline future account opening processes, such as a customer’s opening of a non-interest-bearing account and subsequent addition of an interest-bearing account). Similarly, broker-dealers and certain other entities subject to CIP rule requirements are not subject to the order, and institutions deploying joint account opening processes (such as within an affiliate or referral program structure) will need to ensure that reliance on the order does not result in compliance gaps or poor customer experience outcomes.

Banks will also need to consider how reliance on the order could impact sanctions compliance (for example, to the extent that sanctions screening is conducted based on customer-provided information before the completion of CIP identity verification); compliance with other BSA rules (such as legal entity customer beneficial ownership rules or the so-called Travel Rule, under which separate TIN collection requirements apply that are arguably not impacted by the order); and compliance with the federal Fair Credit Reporting Act and similar state laws that may apply to various third-party identity verification services used to do so.

Finally, the order also may compel banks and their program managers or other fintech partners to put a finer point on who is considered the bank’s CIP “customer” for BSA purposes for a particular program or product and what information is required about them under their anti-money laundering programs and partnership terms. As noted in the RFI, CIP standards among these entities may vary, and the order may allow them to better align onboarding practices and deliver a better overall customer experience.

Originally published July 24, 2025.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team or one of the attorneys on our White Collar, Government & Internal Investigations team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

Federal Banking Agencies Announce Intent to Rescind 2023 Community Reinvestment Act Final Rule and Return to Prior Framework

By , ,

What Happened?

The Federal Deposit Insurance Corporation (“FDIC”), Board of Governors of the Federal Reserve System (“Federal Reserve”) and the Office of the Comptroller of the Currency (“OCC”), (collectively, “federal banking agencies”) announced their intent to rescind the 2023 Community Reinvestment Act Final Rule (“Final Rule”) and to reinstate the CRA framework that existed prior to the 2023 CRA Final Rule.

Community Reinvestment Act (“CRA”)

The CRA was enacted in 1977 to address systemic inequities in access to credit in response to concerns that banks were engaging in redlining to deny credit to customers in low-income, minority areas. The CRA requires federal bank regulators to evaluate a financial institution’s record of meeting the credit needs of a given community, with separate evaluations for each area where the bank maintains a branch office, taking a particular focus on low- and moderate- income (“LMI) communities.

Given changes in technology and financial products since the CRA’s enactment, there have been several failed attempts over the past 30 years to revise and modernize CRA regulations. Before the 2023 CRA Final Rule, the last significant interagency revision to the regulations occurred in 1995.

Why Does it Matter?

Criticisms of the Final Rule

The federal banking agencies’ stated purpose for the Final Rule was to modernize CRA to address technological innovations and new product offerings in banking. However, many within the industry asserted that the Final Rule was contrary to the plain language of the CRA and congressional intent. The Final Rule fundamentally altered the determination of a bank’s assessment area, requiring inclusion of areas where the bank does not maintain any physical presence. The Final Rule set forth new tests, applicable to different banks based on asset size. Application and “scoring” under these tests was complicated and difficult to apply. Additionally, the Final Rule sought to evaluate banks’ deposit practices in addition to lending and investment activities.

Industry participants and trade groups asserted that the Final Rule would drastically and unnecessarily increase the regulatory burden placed on banks. The Final Rule could require banks to use deposits gathered from their local communities to make loans in places potentially thousands of miles away. The formulaic approach to scoring could result in decision-making divorced from the actual convenience and needs of a bank’s community. Banks also argued that the unnecessarily complex evaluation could force banks to close branches or reduce product offerings.

In March 2024, after a number of prominent bank trade groups sued to block the new rule, a Texas judge blocked the Final Rule, finding that the rule surpassed its statutory authority. The court found that the regulators exceeded their authority by expanding the lending test to evaluate banks in geographic areas where they did not maintain physical branches. Moreover, the court rejected the agencies contention that “credit needs” could be construed more broadly to include deposit products. The Final Rule has been on hold since the court’s ruling, and the federal banking agencies’ notice of intent to rescind the Final Rule puts an end to the Final Rule from a practical perspective.

Return to Prior Framework

In light of this litigation and the change in Presidential administration, the federal banking agencies decided to rescind the 2023 CRA Final Rule and return to the 1995 framework that existed prior to the Final Rule. Once the federal banking agencies formally rescind the Final Rule, Banks will not be required to comply with the more stringent and complex tests that the Final Rule would have required. However, it is important to note that the problems that the Final Rule sought to address still remain. The old framework still struggles to address the innovations and changes in the banking industry, including internet and mobile banking.

What Do I Need to Do?

Covered financial institutions should monitor further developments and confirm that the federal banking agencies do formally rescind the Final Rule. Banks should also evaluate their compliance with the existing CRA framework and keep abreast of new efforts to modernize CRA regulations moving forward. Alston & Bird’s Financial Services Group is actively monitoring these developments and is able to assist with any compliance concerns regarding these anticipated changes.