This article was developed using publicly available responses submitted to Requests for Information issued by banking regulators. It summarizes and synthesizes themes, perspectives, and information reflected in those public submissions for informational purposes only. The article does not represent the views of any regulator, respondent, institution, or the Firm, and should not be interpreted as legal, regulatory, or compliance advice.
Executive Summary

Most respondents affirm that the proposed definition of unsafe or unsound practice equips agencies to act before risks trigger a precipitous decline in financial condition, including liquidity events and cybersecurity incidents. With 93.33% of responses, support centers on a materiality-based standard tied to prudent operation and risks to the Deposit Insurance Fund. A smaller cohort warns that the “likely” and “material financial harm” thresholds could constrain forward-looking action on low-probability, high-impact threats. The core challenge is ensuring clarity and consistency without unduly narrowing supervisors’ ability to address emerging operational and cyber risks.
Key takeaways:

- Supporters cite the two-prong standard: contrary to generally accepted standards of prudent operation and, if continued, likely to materially harm the institution or present material risk of loss to the Deposit Insurance Fund.
- Proponents emphasize a risk-based, forward-looking supervisory approach, including appropriate use of MRAs.
- Some commenters argue the “likely” material harm requirement could prevent supervisors from proactively addressing even severe risks.
- Critics warn the proposal may prevent addressing low-probability, high-impact risks and could narrow longstanding precedent.
- Several commenters highlight that nonfinancial problems (cyberattacks, vendor failures, operational breakdowns) can cause rapid financial losses and need clear linkage to material harm.
- Others note clarity will help management prioritize risks, but undefined terms risk inconsistent interpretations.
- Some recommend explicitly including cybersecurity incidents and third-party dependencies within the scope of unsafe or unsound practices.
Bottom line:
Most respondents believe the proposed definition provides adequate authority to proactively address precipitous-risk scenarios, including liquidity and cybersecurity incidents. However, several warn that the “likely”/“material harm” threshold and undefined terms could limit timely intervention for low-probability, high-impact threats unless clarified.

The Question (Ref #3)
Does the proposed definition of unsafe or unsound practice (focus on material risks to the financial condition of an institution and would generally require that an imprudent practice, act, or failure to act, if continued, would be likely to materially harm the institution’s financial condition) provide the agencies with adequate authority to proactively address risks that could cause a precipitous decline in an institution’s financial condition, such as a liquidity event or a cybersecurity incident?
Direct Response to the Catalog Question

The balance of responses (93.33% of answers) indicates broad agreement that the proposed definition equips agencies to act when practices are contrary to prudent standards and likely to materially harm financial condition or the Deposit Insurance Fund.

Supporters state the definition aligns supervision with substantive financial risk and supports forward-looking use of MRAs for institutions that are exceptionally vulnerable to shocks.

Multiple comments affirm that nonfinancial risks, including cyberattacks and vendor failures, can rapidly translate into material financial harm, fitting the proposed standard when linked to financial impact.

Several respondents argue the “likely” material harm threshold could impede proactive responses to low-probability, high-impact threats, narrowing preventive supervision.

Some commenters call for explicit inclusion of cybersecurity incidents and third-party dependencies to ensure timely action under the definition.

Others emphasize the need to tie material risk to objective, demonstrable impacts on solvency and liquidity to sustain consistent, risk-based enforcement.

Introduction
Question 3 asks whether the proposed definition of unsafe or unsound practice provides agencies adequate authority to proactively address risks that could cause a precipitous decline in an institution’s financial condition, such as a liquidity event or a cybersecurity incident. Across the record, respondents weighed in on whether a materiality-based standard tied to prudent operation and risks to the Deposit Insurance Fund enables forward-looking supervision.
Historic Lessons in the Evidence

Respondents underscore that supervisory authority should remain forward-looking and grounded in generally accepted standards of prudent operation, with flexibility to escalate concerns before they crystallize. They note that tying actions to likely material harm can enhance consistency, yet warn that overly narrow thresholds or ambiguous terminology can undermine preventive supervision. Several emphasize that operational breakdowns and cyber events quickly become financial, reinforcing the need to connect nonfinancial deficiencies to material harm for timely intervention.
The Challenge

The record reveals a practical tension between clarity and flexibility: defining unsafe or unsound practice tightly around material financial harm supports consistent application, but risks under-capturing low-probability, high-impact exposures. Terms like “generally accepted standards of prudent operation” remain debated, and commenters caution that undefined language may yield inconsistent interpretations. Linking cyber and third-party operational risks to demonstrable financial harm before escalation is another recurring challenge.
Evolving Metrics
Respondents repeatedly assess adequacy through the materiality lens (“likely to materially harm” the institution or present “material risk of loss” to the Deposit Insurance Fund) and by referencing objective impacts on solvency and liquidity. They also weigh the forward-looking standard via MRAs, emphasizing when a firm is “exceptionally vulnerable” to shocks. Critics question whether the “likely” threshold misses low-probability, high-impact risks, while supporters view it as the right bar for consistent, risk-based supervision.
A Framework Inspired by the Inputs

An implicit two-pronged framework emerges: identify practices contrary to prudent operation, then assess whether continuation is likely to materially harm financial condition or the Deposit Insurance Fund. Supervisors would apply intermediate tools, notably MRAs, in a forward-looking manner where vulnerabilities are significant, especially for cyber and operational risks, while reserving formal enforcement for unremedied problems. Several commenters seek clearer criteria for materiality and prudent standards to ensure predictability and timely action.
Case Study
A representative pattern across comments links operational and cyber weaknesses to financial outcomes: one commenter stresses that cyberattacks, vendor failures, and major operational breakdowns can cause real, rapid losses and urges clarity on connecting such problems to material financial harm before issuing MRAs. Consistent with this, others note MRAs may be warranted when an institution is exceptionally vulnerable to shocks, illustrating how the proposed materiality standard can support proactive supervision when risk pathways to financial harm are clearly articulated.

Recommendations
- Clarify the meaning of “generally accepted standards of prudent operation” to reduce inconsistent interpretations and strengthen predictability.
- Explicitly include cybersecurity incidents and third-party dependencies within the scope of unsafe or unsound practices to ensure timely action.
- Provide guidance on linking nonfinancial problems (cyberattacks, vendor failures, operational breakdowns) to material financial harm for MRAs and enforcement.
- Address concerns about the “likely” threshold so that low-probability, high-impact risks can be proactively mitigated where appropriate.
- Tie materiality assessments to objective, demonstrable impacts on solvency and liquidity to maintain a consistent, risk-based standard.
- Preserve forward-looking supervision by ensuring the MRA standard supports action when an institution is exceptionally vulnerable to shocks.
- Maintain clarity that practices posing material risk of loss to the Deposit Insurance Fund fall within the definition to support decisive intervention.
Conclusion

On balance, the record supports that the proposed definition provides adequate authority for agencies to proactively address risks that could trigger a precipitous decline in financial condition, including liquidity events and cybersecurity incidents. Most respondents back a materiality-based approach tied to prudent operation and the Deposit Insurance Fund, paired with forward-looking MRAs. Still, several urge refinements so the “likely” standard and undefined terms do not impede responses to low-probability, high-impact threats. With targeted clarifications, the definition can preserve both consistency and timely intervention.

