Regulatory Key Non-Financial Focus Areas: Financial Crimes, Fintechs, Digital Assets and AI


Summary

Situation Overview: Against the backdrop of deregulation, we expect regulators to continue to focus on financial crimes as well as fintech partnerships, digital assets, and artificial intelligence (AI).

What: Firms must keep compliance and risk management programs current.

Who: All federal- and state-chartered banks and trust companies; fintech partners.

When: Now.

In Depth

Key Risk Areas

The federal banking agencies have articulated supervisory priorities that are focused on material financial risks [1]. However, federal and state regulators continue to focus on certain key non-financial risk areas. The areas of focus may vary by agency, but the implication for banks is the same – maintain compliance and risk management frameworks that are responsive to evolving risks to comply with laws and regulations and stay ahead of emerging vulnerabilities.

Below are key non-financial risk areas that are top of mind based on insights from industry contacts:

Financial Crimes Compliance (FCC)

Federal agencies continue to focus on financial crimes compliance. Areas of focus include sanctions compliance (particularly for newly designated Foreign Terrorist Organizations), Anti-Money Laundering/Bank Secrecy Act (AML/BSA) compliance, elder care fraud prevention, international fraud prevention (e.g., executed through phishing attacks), and white-collar crimes such as credit card skimming and Ponzi schemes.

Fintech Partnerships

Fintech partnerships can cover a broad range of activities, including payments, lending, and deposits. There is still high demand for bank and fintech partnerships, as fintech firms may not want or be ready for a bank charter, and banks may not want to build a capability from scratch.

Regardless of the product suite, relationships between chartered banks and fintech partners require mature compliance and FCC programs, including the ability to monitor, test, and independently audit compliance with applicable regulations. Often fintechs, or the banks themselves, outsource independent audit activities to qualified third parties with experience in the fintech’s product suite.

Regardless of the status of the Consumer Financial Protection Bureau (CFPB), fintechs engaged in consumer lending need to maintain their focus on compliance with consumer protection. Many state regulatory agencies are hiring former CFPB officials and are focusing on enforcement of state laws related to unfair, deceptive and abusive acts and practices [2].

Digital Assets

With the passage of the GENIUS Act, traditional and non-traditional banks and trust companies are moving into digital asset activities, including by issuing and/or acting as custodian for stablecoins. Although the GENIUS Act enabling regulations are forthcoming, the OCC’s Interpretive Letters for Digital Assets [3] provide insight into regulatory expectations for acting as a crypto custodian, holding deposits against stablecoins, and AML/KYC requirements.

As firms engage in digital asset activities, risk identification and assessment activities need to evolve with the engagement of qualified first-, second-, and third-line-of-defense resources. Applying a risk management framework to digital asset activities might call for:

    1. Identifying a comprehensive inventory of risks associated with the firm’s digital asset activities.
    2. Integrating digital asset risk assessments into the firm’s ongoing risk assessment processes.
    3. Identifying, implementing and monitoring risk mitigants – for example, any unique information security protocols (e.g., for storing cryptographic keys).
    4. Reviewing and refreshing governance, as needed, particularly:
      • Board and C-suite awareness of the unique risks and opportunities of digital assets.
      • Talent assessments across the three lines of defense, to help ensure effective risk management.
    5. Engaging regularly with industry groups and external subject matter experts to maintain awareness of digital asset developments and best practices.

Artificial Intelligence (AI)

AI adoption in the banking industry is accelerating. Our earlier AI blog post emphasized the importance of an AI Risk Management Framework. We are increasingly seeing firms formally adopting AI governance practices that include:

    • AI Use Case Inventories, including vendors that provide services using AI;
    • AI Risk Assessments, with prioritization of high- and medium-level risks;
    • AI Policies, with accompanying monitoring and enforcement mechanisms;
    • AI Employee and Board Training;
    • AI Governance Forums, with cross-functional representation, and decision-making authority to address unique AI considerations as they arise; and
    • Incorporation of AI considerations into related governance and control activities, including data management, model risk management, fraud detection and cyber risk management.

What Banks, Trust Companies, and Fintechs Should Do

Banks and trust companies must maintain strong and operational compliance and risk management programs, continually evolving to meet current activities and risks. They should be sufficiently forward-looking, and risk identification processes should keep up with technology changes. Monitoring and escalation protocols should also be sufficient for such activities.

New business and technology activities may require event-driven enhancements to existing frameworks, and in some cases, such as AI and digital assets, the development and implementation of new compliance and risk management frameworks that adapt and enhance existing capabilities.

For their part, fintech partners that provide products and services should be prepared to provide their bank and trust company partners with insights into their products and services that facilitate the partners’ risk and compliance priorities.

Put Patomak’s Expertise to Work

As regulatory expectations continue to evolve, Patomak is well positioned to advise firms on driving enhancements to risk management and compliance capabilities. Our deep expertise enables us to help you navigate complexities and mitigate risks. If you would like to learn more about how Patomak can partner with you, please reach out to Diane Daley at ddaley@patomak.com or Heather Espinosa at hespinosa@patomak.com.


[1] See the Board of Governors of the Federal Reserve System Division of Supervision and Regulation’s Statement of Supervisory Operating Principles and Remarks of Jonathan V. Gould, Comptroller of the Currency, at the Financial Stability Oversight Council, December 11, 2025.

[2] American Banker, “As CFPB retreats, state AGs and bank regulators step up”, January 21, 2026.

[3] See https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2025/int1183.pdf, https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1172.pdf and https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1170.pdf.