The risk environment that shaped 2025 is carrying over into 2026: more uncertainty, fewer resources, evolving state-federal dynamics, and examination approaches that reward strong governance while exposing operational gaps.
Let’s dive deeper into these risks and explore strategies for effectively managing them in 2026 and beyond.
Regulatory uncertainty
Last year, financial institutions were feeling the squeeze of ever-changing compliance requirements. But what's more complicated to navigate than the pressure of rising regulatory expectations? Not knowing which rules apply, who's enforcing them, or what comes next.
With a regulatory freeze, leadership changes at all of the federal banking regulators, and a surge of rule reversals, it's no surprise that regulatory uncertainty topped the list of compliance concerns among FIs in 2025. Adding to this uncertainty, ongoing reductions-in-force, retirements, and voluntary separations have significantly thinned the ranks of experienced examiners and supervisors across the agencies, leaving supervisory teams increasingly staffed by newer personnel. When combined with proposed changes to supervisory programs, these shifts are creating a steep learning curve for examiners and supervisors alike.
Here are some other significant events that molded the regulatory uncertainty narrative in 2025.
- Disparate impact removal from fair lending: Following an April executive order, federal agencies moved away from using disparate impact in fair lending supervision and enforcement. The OCC removed all disparate impact references from its fair lending examination manual, and the CFPB proposed changes to Regulation B that would potentially eliminate disparate impact claims under the Equal Credit Opportunity Act (ECOA). However, FIs remain legally responsible for disparate impact violations even if federal banking regulators are no longer examining for them. The underlying laws (ECOA and the Fair Housing Act) and court precedent still apply, and enforcement risk continues through private litigation and state regulators. This shift in supervisory focus reduces examination risk, not legal or reputational exposure.
- CRA modernization reversal: Federal banking agencies proposed rescinding the 2023 Community Reinvestment Act (CRA) modernization rule and returning to 1995 standards with inflation-adjusted asset thresholds. If passed, the expanded assessment areas and updated performance tests from the 2023 modernization would be eliminated.
- Section 1071 in limbo: Three separate lawsuits are challenging the small business lending data collection rule while the CFPB proposes changes, including delaying the compliance deadline to January 1, 2028. While these changes would significantly narrow the scope of covered FIs and reduce certain data elements, they don't eliminate the underlying statutory requirement to collect and report small-business lending data.
- CFPB funding crisis: A self-created funding crisis left the CFPB with dwindling funds. Active litigation and enforcement actions are being transferred to the Department of Justice while constitutional questions remain in litigation. Yet despite this uncertainty, the Bureau resumed examinations under a "Humility in Supervision" pledge while maintaining enforcement activity, creating confusion about whether the agency is winding down or ramping up.
The bottom line: Many of the conflicting signals from federal agencies, state regulators, and courts that dominated 2025 will continue into 2026.
How to manage regulatory change
Manually keeping up with rule changes and updates is a full-time job. A compliance management solution can help by delivering instant notifications of regulatory changes tailored to your FI's size, products, services, examiners, and geography, complete with links to Federal Register summaries, deadlines, and suggested implementation action plans.
Evolving state regulations
As federal regulators pulled back in 2025, state regulators stepped forward to fill the gap. In many cases, they’re setting even higher regulatory standards.
- Fair lending: When the OCC removed disparate impact from federal oversight, states continued enforcement, including Massachusetts, which announced a $2.5 million settlement for AI-model-related disparate impact outcomes.
- CRA: When federal CRA modernization rolled back to 1995 standards, New York, Massachusetts, Illinois, and California began looking to enforce their own community reinvestment laws.
- Medical debt: When a Texas court vacated the CFPB's rule halting the reporting of medical debt on credit reports and its use in credit underwriting, 10 states maintained their own prohibitions that explicitly prevent medical debt from being used in negative credit decisions.
- Cybersecurity: The final phase of amendments to New York's 23 NYCRR Part 500 took effect on November 1, 2025, requiring mandatory multi-factor authentication, comprehensive data asset inventories, active board oversight, and 72-hour vendor breach reporting, with enforcement actions ranging from $1.5 million to $4.5 million.
- Data privacy: California's Privacy Protection Agency finalized sweeping CCPA regulations in July 2025, requiring mandatory annual cybersecurity audits (starting in 2028), detailed risk assessments for high-risk processing, and restrictions on automated decision-making technology. Unlike many state privacy laws, California doesn't provide blanket exemptions for financial institutions — if you serve California customers, these rules apply even if you're based elsewhere.
As the compliance landscape becomes more fragmented, risk increasingly depends on location. As federal priorities shift, states will continue to enforce their own consumer protection laws through regulators, private lawsuits, and the courts.
How to manage state regulations
Build compliance programs to the highest standard you'll face in any jurisdiction, maintain strong programs in areas like fair lending and cybersecurity, and monitor state-specific enforcement trends. If your organization is licensed, registered, or supervised by state regulators — regardless of where you're headquartered — state requirements like New York's Part 500 may apply.
The shift to risk-based supervision
Federal banking regulators announced a coordinated move toward risk-based supervision in 2025. For example, the FDIC extended examination cycles to 66-78 months for well-rated institutions — more than 6 years between comprehensive exams. The Federal Reserve implemented new operating principles that focus on substantive risks such as capital, liquidity, concentration, and governance. The OCC introduced Community Bank Minimum BSA/AML Examination Procedures, giving examiners discretion to rely on satisfactory independent testing.
Self-reporting has shifted from an option to a strategic necessity. FIs are already experiencing this shift: 49% report that exams now focus on specific areas such as cybersecurity and TPRM rather than comprehensive reviews. For institutions with strong governance and effective controls, this means lighter supervision. For those with gaps, it means intensified scrutiny.
How to manage risk-based supervision
We’ve entered a do-it-yourself era of supervision. Build programs around continuous self-identification through strong internal audit, compliance monitoring, and quality control. Document comprehensively for long gaps between exams, as the team members who were present last year may not be at your FI six years from now.
Bottom line: You’re the one responsible for your institution’s success.
The third-party risk snowball: Concentration risk, cybersecurity breaches, and AI governance
Vendor risks are not new, but 2025 saw third-party risk management (TPRM) shift from a background concern into a front-line compliance priority, with regulators and auditors pressing for stronger programs across all FIs.
Areas where vendor risk escalated and will continue to emerge include:
- Cybersecurity breaches: The Marquis Software Solutions breach in August 2025 affected over 700 financial institutions, exposing Social Security numbers, tax IDs, and financial account information. The vendor reportedly paid a ransom, creating OFAC sanctions exposure and FinCEN SAR filing requirements for every client institution. When the breach occurred, customers called their banks, not the vendor. Ultimately, your FI is on the hook for everything your vendors do.
- BSA/AML connection: In 2025, enforcement actions consistently cited inadequate oversight of merchant services programs, ISOs, prepaid card programs, and fintech partnerships. Your BSA/AML program is only as strong as your vendors' controls. If your payment processor or fintech partner isn't maintaining adequate customer identification, transaction monitoring, or SAR filing processes, your FI will bear the regulatory consequences.
- AI governance: The challenge isn't AI that institutions deliberately deployed; it's AI embedded in vendors' tools as "enhanced features." For lenders, LOS workflow optimization, document extraction, and fraud detection are AI systems that need governance. With Freddie Mac AI governance requirements effective March 3, 2026, FIs must answer: which vendors use AI, how it is deployed, what data feeds it, and who's accountable?
As AI continues to evolve and FIs implement more vendor services, risks will grow — underscoring the importance of strong TPRM practices.
How to manage third-party risk
Your compliance program only functions if your vendors maintain their own compliance. As TPRM responsibilities grow and regulatory scrutiny intensifies, FIs need systems that can demonstrate ongoing vendor oversight — not just annual reviews, but continuous monitoring that tracks vendor changes, certification expirations, and emerging risks in real time with defensible documentation when examiners ask questions.
Flood insurance compliance
One of the more interesting developments of 2025 was a focus on flood compliance.
The FDIC and FRB together issued 13 flood insurance-related enforcement actions in 2025. Common failures include not following force-placement procedures, not obtaining insurance at loan origination, not maintaining adequate coverage, and missing required borrower notices.
How to manage flood insurance compliance
Flood insurance violations often signal broader operational issues: inadequate loan origination checklists, weak exception tracking, missing quality control reviews, insufficient staff training, and poor system controls. The same weaknesses that allow flood insurance violations likely affect other compliance areas as well, so strengthening operational fundamentals with automated compliance checklists, exception-tracking systems, and quality-control reviews is critical.
The compliance resource and talent crisis
Today's FIs are dealing with resource constraints now and a looming talent gap tomorrow.
Forty percent of financial institutions rely on just one or two compliance professionals to manage BSA/AML, fair lending, third-party risk, cybersecurity, lending compliance, and AI governance. For FIs under $250 million, that number jumps to 78%. The deeper problem: 24% of institutions report up to a quarter of their compliance teams are retirement-eligible within five years.
How to manage a resource shortage
Preserve institutional knowledge before experienced compliance officers retire. Automated solutions establish audit trails that standardize workflows, streamline policy management, and create centralized documentation accessible to current and future team members — enabling small teams to maintain consistency regardless of staff changes.
Changing examiner methods and experience
FIs aren’t alone in facing the pressure of constant change. Examiners are adapting their examination strategies amid staffing shortages, shifting priorities, and evolving market conditions. With limited time and resources, examiners can no longer conduct the in-depth reviews they once did, which fundamentally changes the examination landscape.
How to manage evolving exams
Remote exams and less experienced examiners mean your documentation must stand on its own. Policies, procedures, risk assessments, and monitoring reports need to tell your compliance story without the need for in-person explanation. Make it easier on your FI and examiner by centralizing regulatory tracking, vendor inventory, policy version control, and risk assessments, so they are ready for review at any time.
Looking ahead in 2026
The FIs that will navigate the changing risk landscape successfully aren't those trying to predict which regulations survive or which agencies stay aggressive. They're the ones building sustainable compliance and risk programs that function effectively regardless of the political environment, regulatory approach, or supervisory intensity.