The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency issued a joint statement setting a coordinated approach for handling highly sensitive information during examinations of supervised banks. The approach is designed to reduce cybersecurity risks while preserving examiners’ access to needed information, including by using alternatives to transferring materials onto agency systems. Bank management will be expected to identify requested data or documents it believes are highly sensitive so the agencies can determine whether additional handling protocols should apply. For information deemed highly sensitive, examiners will consider options such as on-site review, direct digital review from the bank’s systems, redacted or summarized documents, and added controls over transmission and access. The statement cites examples including technology and network diagrams, detailed penetration test results, technical details of specific information technology control weaknesses, and succession planning. After alternative review methods are used, examiners may still decide, with supervisory approval, that information is needed for the supervisory record, although redacted or summary documents may be accepted in some cases if legal requirements are met. The agencies also committed to notify affected banks of a potential or confirmed material compromise of confidential supervisory information as soon as practicable and no later than 72 hours after the affected agency has a reasonable basis to believe a compromise occurred and has determined which banks are affected, subject to applicable legal considerations. Examiners will receive written guidance and training, and supervised banks will be told at the start of examination activities that they may flag information they consider highly sensitive and escalate concerns about handling decisions to their primary federal regulator.
Federal Deposit Insurance Corporation2026-07-16
Federal Reserve Board, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency set coordinated procedures for highly sensitive examination information, including 72 hour breach notification
The Federal Reserve Board, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency issued a joint statement establishing coordinated procedures for handling highly sensitive information in bank examinations. Banks will be able to flag sensitive materials, with examiners using measures such as on-site or direct system review, redacted documents and tighter access controls. The agencies also committed to notify affected banks of material compromises of confidential supervisory information within 72 hours once the affected agency has a reasonable basis to believe a compromise occurred and identifies the banks involved.