Vice Chair Bowman Elaborates on Supervisory Priorities and Examination Approach


Summary

Situation Overview: In a recent speech, Vice Chair for Supervision Bowman reiterated the Federal Reserve’s supervisory operating principles and described how the Fed’s supervision should work in practice.

What: Firms should remain focused on sound risk management frameworks that mitigate material financial risks, as well as material non-financial risks such as cybersecurity.

Who: Financial institutions regulated by the Federal Reserve

When: Now.

In Depth

The Federal Reserve’s supervisory operating principles direct examiners to prioritize core and material financial risks to safety and soundness. The Vice Chair, in a recent speech at the 2026 Banking Outlook Conference at the Federal Reserve Bank of Atlanta, described her outlook on supervisory priorities, stating, “when we are identifying and prioritizing risks, we will focus on those that can lead to a deterioration in financial condition or a bank’s failure, rather than paying excessive attention to processes, procedures, and documentation.” She went on to emphasize that examiners must ask: “What vulnerabilities would lead to the failure of this institution?”

In practice, she indicated that Federal Reserve examination teams should not focus on “documentation gaps, committee attendance issues, or immaterial limit exceedances,” but rather on the question “What scenarios could cause your [institution’s] strategy to fail, and are you prepared for them?” She also set the expectation that examination teams should use more sophisticated analyses and reasoned judgment. Among her objectives is “more meaningful supervision that truly protects safety and soundness.”

She also indicated that focusing on core and material financial risks does not mean neglecting non-financial risk, emphasizing that cybersecurity (as an example) and strong risk management (more broadly) are essential to safety and soundness, and that the Fed will continue to examine these areas and issue findings as appropriate.

What Fed-Regulated Entities Should Do

The Vice Chair’s remarks underscore the need to continue to maintain and enhance risk management and compliance programs to effectively manage financial and non-financial risks facing regulated entities.  As we’ve highlighted in our recent blogs about non-financial regulatory priorities and “future-proofing” your IT Risk Management Framework, banks and trust companies must maintain compliance and risk management programs that continually evolve with activities and risks.

The “Future-Proofing” blog highlighted the example of emerging risks from quantum computing, and the urgency to adopt post-quantum cryptography solutions.  This urgency is reinforced by a recent report from the Citi Institute, which estimates an approximately $3 trillion indirect impact from a single-day quantum attack on a top-five U.S. bank.

Risk management programs should be sufficiently forward-looking, and risk identification processes should keep up with technology changes. Monitoring and escalation protocols should also be sufficient for such activities; that is, they should operate effectively, be analytically rigorous, and evidence that the institution is prepared for scenarios that could lead to material financial harm, and even failure, of the institution.

Put Patomak’s Expertise to Work

As regulatory expectations continue to evolve, Patomak is well positioned to advise firms on driving enhancements to risk management and compliance capabilities. Our deep expertise enables us to help you navigate complexities and mitigate risks. If you would like to learn more about how Patomak can partner with you, please reach out to Diane Daley at ddaley@patomak.com or Heather Espinosa at hespinosa@patomak.com.