January 13, 2026
Via Electronic Submission
The Honorable Michelle Bowman
Vice Chair for Supervision
Board of Governors of the Federal Reserve System
The Honorable Travis Hill
Chairman
Federal Deposit Insurance Corporation
The Honorable Jonathan Gould
Comptroller
Office of the Comptroller of the Currency
Re: Modernizing Confidential Supervisory Information to Support Effective Supervision and Responsible Partnerships
Dear Vice Chair, Chairman, and Comptroller:
On behalf of the Independent Community Bankers of America (ICBA) and the American Fintech Council (AFC), we write to encourage the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board of Governors (FRB), and Office of the Comptroller of the Currency (OCC)—henceforth referred to as the federal banking agencies (FBAs)—to modernize the framework governing confidential supervisory information (CSI).
Community banks and responsible fintech companies are partners in delivering safe, compliant, and innovative financial services. Community banks in particular depend on technology partners and service providers to support elements of compliance, risk management, onboarding, and customer experience. When aspects of these partnerships are the subject of regulatory supervision and examinations, current CSI practices make it difficult for the parties responsible to respond to regulators’ concerns and meaningfully participate in any necessary remediation. As Vice Chair for Supervision Michelle Bowman astutely recognized, “[l]abeling information as CSI results in significant restrictions on its disclosure—banks and bank employees are subject to criminal penalties if they disclose CSI without regulatory approval even if doing so would serve beneficial purposes for bank safety and soundness.”
When done well, these partnerships give consumers and small businesses access to modern digital tools, faster and lower-cost payments, and more tailored products delivered through supervised banks. These partnerships can also broaden access to safe, affordable financial services in rural and underserved markets by combining the reach and trust of banks with the technology and product innovation of fintech companies.
We fully support the foundational purpose of CSI: preserving candor between supervisors and banks, protecting depositor confidence, and preventing sensitive findings from moving markets. At the same time, some supervisory practices may be out of step with the realities of a partnership-driven banking ecosystem, and tailored sharing of CSI can help bring them into alignment.
The Challenge in Today’s Partnership Landscape
Supervisory staff are on the front lines with America’s banks, working closely to understand their strategic plans, growth trajectories, and risk management practices. For many community banks, third-party fintech companies are important partners in executing those plans, delivering growth, and managing risks. However, in practice, fintech partners are firewalled from engaging with regulators during bank exams.
This results in inefficient supervisory processes and additional, unnecessary supervisory burden for banks and supervisors alike. For example, in the event an examiner identifies weaknesses in risk management, the bank may be required to remediate with support from a fintech. However, that critical service provider lacks essential context from the supervisory process. These partners must operate without the benefit of constructive relationship building with the exam team that banks develop through direct engagement.
In addition, due to lack of clarity on agency policies, banks may be uncertain about how much of the underlying supervisory information they can share with partners, and in what form. Exam findings and other supervisory feedback can be diluted, delayed, or misinterpreted as they pass through layers of internal translation. Partners working across multiple banks encounter inconsistent expectations about what information can be shared, based on charter type, primary regulator, or supervisory region. This limits examiner insight into how these arrangements function in practice, contributes to inefficiency and undue burden in the supervisory process, and creates friction in bank-fintech relationships.
In summary, the current framework creates three main challenges:
● Critical service providers left out of examinations. Banks are reluctant to ask supervisory staff for permission to allow fintech partners that design and operate key services to provide direct support in examinations.
● A lack of uniformity across agencies. Each banking agency applies its own definitions, standards, and processes, including whether remediation plans, internal notes, or third-party communications are treated as CSI and whether CSI may be shared with agents (including external counsel and accountants) without application and approval.
● Constrained communication with agents and key partners. Because of CSI concerns, banks are often reluctant or unable to share supervisory language directly with their agents (including external counsel and accountants) and partners tasked with remediation, increasing the risk of misunderstanding, delay, and inconsistent implementation.
Resolving these issues is not about expanding the general public’s access to supervisory information or weakening CSI. It is about ensuring that confidentiality rules support, rather than complicate, the shared goal of tailored supervisory processes and effective, timely remediation when issues arise.
The Opportunity: Modernization Within Existing Authority
The agencies can address these challenges within existing statutory authority, without undermining the purpose of CSI or requiring new legislation.
The missing piece is a consistent framework that allows supervised banks to share relevant supervisory information with third-party partners like fintech companies that may be contractually responsible to support business-as-usual operations, including regulatory engagements, and to help remediate exam findings when they arise. Any such framework must employ tight safeguards that align with existing protections for CSI, ensuring supervisory information is treated with the utmost care and depositor confidence is never put in jeopardy.
From the perspective of community banks and responsible fintech companies, such a framework would:
● Strengthen supervision by bringing fintech partners into the exam process to explain specific products or services to regulators without broadening the regulatory perimeter.
● Improve remediation by allowing the parties operating affected systems to see and respond to supervisory concerns directly.
● Promote responsible partnerships by embedding supervisory expectations into contractual terms from the outset, rather than relying on ad hoc workarounds.
Recommended Actions
We respectfully ask the FBAs to take coordinated, interagency action in two areas:
1. Clarify and Align the Scope of CSI
Ask: Issue joint guidance or engage in a rulemaking process to adopt a functional definition of CSI that distinguishes supervisory materials from routine business documents, including clear treatment of remediation plans, internal board materials, and third-party communications. Apply this definition consistently across the agencies, reducing uncertainty for institutions supervised by different FBAs.
While this action likely would not alleviate the complexity of varying state frameworks on CSI, it would provide significant clarity for national banks, set the foundation for a clearer operating model for state-chartered banks, and harmonize the federal standards for bank holding companies and their insured depository institution subsidiaries.
2. Enable Inclusion of Agents and Key Partners
Ask: Clarify through guidance or rulemaking that, consistent with existing authorities and subject to approval processes reflected therein, supervised institutions may share narrowly scoped CSI with agents (e.g., external counsel and accountants) and third-party service providers, such as fintech partners, when they are contractually responsible for remediation or operating the affected functions, are subject to robust confidentiality and information-security commitments, and receive only the information necessary to perform those tasks.
Examiners should also be able, at the bank’s request and at their discretion, to include these agents and key service providers in relevant supervisory discussions so expectations are conveyed directly and remediation can proceed more efficiently.
This approach should be framed as purpose-limited and non-transferable, with explicit prohibitions on using supervisory information for competitive purposes or for any activities unrelated to the bank’s supervisory relationship. Importantly, this effort should not be understood as an examination requirement, but simply as an option for banks and their key service providers to improve the efficiency of the examination process through more direct engagement between examiners and key service providers.
Clarification should also recognize strong contractual safeguards as a leading practice for protecting supervisory information and may offer non-binding, illustrative language (for concepts such as access controls, retention limits, breach notification, and restrictions on secondary use) that institutions can incorporate into their third-party risk management frameworks as appropriate, while retaining full discretion over the tools they use to meet confidentiality expectations.
By recognizing contracts as a key tool, regulators can maintain strict confidentiality standards while enabling the information flows necessary for modern supervision, without imposing overly prescriptive requirements on bank-fintech relationships.
Conclusion
When supervisory expectations are filtered or paraphrased rather than shared in a controlled way, oversight and remediation can be slower and less precise, and both banks and fintechs are left uncertain about how best to align. Modernizing supervisory information sharing offers a targeted way to engage the full compliance ecosystem without expanding the regulatory perimeter, making supervision more effective while preserving confidentiality.
ICBA and AFC are united in the view that confidentiality and collaboration are not in tension—they are mutually reinforcing. The goal is simple and shared: a safe, sound, and innovative banking system in which supervisors, banks, and partners can work together to identify and mitigate risks quickly and completely.
We encourage the Federal Reserve, FDIC, and OCC to launch an interagency effort to modernize CSI rules and guidance consistent with the approach described above, including a public process for input from community banks, fintechs, and other stakeholders. We stand ready to collaborate with you and your staff on the technical details of such a framework and to provide additional examples from our members’ experiences.
Thank you for your attention to this important issue and for your ongoing commitment to a resilient, well-supervised financial system.
Sincerely,
Michael Emancipator
Senior Vice President, Regulatory Counsel
Independent Community Bankers of America
Ian P. Moloney
Chief Policy Officer
American Fintech Council
[1] American Fintech Council’s (AFC) membership spans EWA providers, lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.
The Independent Community Bankers of America® has one mission: to create and promote an environment where community banks flourish. We power the potential of the nation’s community banks through effective advocacy, education, and innovation.
[2] Michelle W. Bowman, "Modernizing Supervision and Regulation: 2025 and the Path Ahead" (Speech at California Bankers Association Bank Presidents Seminar, Laguna Beach, California, Jan. 7, 2026).
About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.