The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency issued a joint statement setting out a coordinated approach for handling highly sensitive information during bank examinations. The statement does not create new expectations, but aligns supervisory practices across the agencies on how such information should be identified, reviewed and protected. The approach covers data with heightened disclosure risk, including technology and network diagrams, detailed penetration test results, technical details of specific information technology control weaknesses and succession planning materials. Banks are expected to identify requested information they believe is highly sensitive and raise it with examiners or their primary agency contact, after which the agencies may use alternatives such as on-site review, direct digital review from bank systems, or redacted or summarized documents to reduce agency collection and storage. Examiners may still decide, with supervisory approval, that the information is needed for the supervisory record, although redacted or summary versions may be accepted where legal requirements permit. The agencies also committed to notify affected banks of a potential or confirmed material compromise of confidential supervisory information as soon as practicable and no later than 72 hours after the impacted agency has a reasonable basis to believe a compromise occurred and has determined which banks are affected, subject to applicable legal considerations. Implementation will include written guidance and training for examiners. At the start of examination activities, examiners will tell supervised banks that management may identify information it considers highly sensitive and will explain escalation processes for concerns about how that information is classified and handled.
Federal Deposit Insurance Corporation2026-07-16
Federal Deposit Insurance Corporation, Federal Reserve Board and Office of the Comptroller of the Currency set coordinated approach for highly sensitive examination information
The Federal Deposit Insurance Corporation, Federal Reserve Board and Office of the Comptroller of the Currency issued a joint statement aligning how they handle highly sensitive information during examinations, without creating new expectations. Banks may flag materials such as network diagrams, penetration test results, IT control weaknesses and succession planning documents for alternative handling, including on-site or direct system review and redacted or summarized records. The agencies also committed to notify affected banks of a material confidential supervisory information compromise within 72 hours once the impacted agency has a reasonable basis to believe one occurred and identifies the banks affected.