By Alix Prentice

Partner | Financial Regulation

In Supervisory Statement SS31/15, the UK’s Prudential Regulation Authority (“PRA”) updates banks and the large investment firms it supervises on its expectations for their Internal Capital Adequacy Assessment Process (“ICAAP”) and Supervisory Review and Evaluation Process (“SREP”). SS31/15 provides further detail underpinning the high-level PRA expectations set out in its “approach to banking supervision” in the following areas, effective from 1 July 2026:

1. Expectations of firms undertaking an ICAAP

• Firms are reminded that ICAAP assessments are an ongoing obligation that involve more than just the PRA’s own methodologies because they must reflect the level and nature of the bank’s own risk exposure. ICAAPs are the responsibility of a firm’s management body and an integral part of the management process and decision making, necessitating robust and demonstrable systems, controls and information flow.
• Firms electing to recognise guarantees as qualifying as unfunded credit protection by substituting the risk weight of an obligor with that of a guarantor are expected to assess whether that substitution is appropriate and whether that credit protection could become ineffective for a reason other than guarantor default, such as the guarantor seeking to be released from liability under the guarantee or the operational risk that the guarantee is breached such that the guarantor may be entitled not to pay out.
• Banks are required to maintain appropriate and proportionate systems and processes in order to identify, evaluate and manage interest rate risk in the banking book (“IRRBB”). Again, oversight and ultimate approval of the bank’s risk appetite and IRRBB is the responsibility of its management body, who receive direct reports from those responsible for identifying, measuring, monitoring and controlling IRRBB.
• ICAAPs should include evidence as to how the bank has calculated its additional capital provisioning for market risk, and in particular for assigning liquidity horizons in stressed situations.
• ICAAPs must also address group risk, that is, the risk that the financial position of a bank might be affected by its connections with other entities in the same group, whether financial or non-financial.  The PRA’s expectations here include whether or not there is any under-allocation of capital to the UK member of a group, and if so, how that risk is dealt with, and where a firm is a member of a consolidation group including an entity established outside the UK, whether any ex-UK capital requirements or buffers lead to any group risk.
• For managing operational risk, the PRA refers to business continuity plans as a key ICAAP element.
• Pension obligation risk is subject to both the firm’s own assessment and a set of stresses on the accounting basis applied by the PRA to that assessment.
• When dealing with exposures to securitisations in an ICAAP, banks should consider the risk characteristics and structural features of both the securitisation and its underlying exposures to the extent they could materially impact the performance of any positions held by the bank.  Banks should also consider whether the application of another method, SEC-IRBA, SEC-ERBA or SEC-SA, insofar as it may be used, would result in a materially different risk weight, and whether any difference may be caused by identified risk characteristics and structural features as well as the approach taken by a third party rating agency.
• Banks are now also expected to understand risks from climate change, and, using scenario analysis, how they will affect their business model.
• When looking at ICAAP assessment of the risk of excessive leverage, the PRA focusses on the risk of contingent leverage, and circumstances such as those in which firms are contractually obligated to maintain a transaction with a particular counterparty even though it is detrimental to the firm’s leverage ratio position.

2. Stress testing, scenario analysis and capital planning

• As expected, the PRA’s expectations is that stress and scenario testing should include sensitivity and scenario analysis, and test at individual portfolio as well as firm-wide level.
• The exercise should be carried out at least annually, and more frequently if risks identified in the ICAAP process suggest that is appropriate.
• Capital planning should be done over a three to five year horizon.
• The bank’s management body should be actively involved and engaged at all relevant stages.

3. Reverse stress testing

• Reverse stress testing is an exercise in which stress tests and scenario analyses are carried out to test a firm’s business plan to the point of failure, thereby revealing its vulnerabilities.
• The PRA requires firms to identify any unacceptably high business model failure risks and develop measures to prevent or mitigate these. 
• Reverse stress testing scenarios should also include failures of major counterparties or market disruption as a result of such a failure.

4. SREP

• The SREP is the process in which the PRA reviews the ICAAP, the risks the firm is exposed to and those it poses, the risks shown up by the firm’s stress testing programme, its governance, culture, management body capabilities, and resources.
• The PRA looks at whether the firm’s resources and risk management measures adequately address its risk profile in order to achieve sound coverage.
• If not, the PRA will require the firm to take appropriate steps at an early stage.
• The PRA will also base certain elements of capital requirements that it sets, including the PRA buffer, on the SREP.

By Daniel Meade

Partner | Financial Regulation

Earlier this week, the Federal Reserve Board (“FRB”) issued a press release on changes in supervisory approach consistent with Vice Chair of Supervision Michelle Bowman’s priorities, which she articulated in, among other places, a speech we covered in June when she was just confirmed to the Vice Chair position. The press release appears to follow reporting from the New York Times the previous day reporting on the memo and its critics. The press release also included an October 29, 2025 memo that was sent to FRB supervisory staff laying out supervisory operating principles and “directional guidance on the changes the Vice Chair expects [staff] to undertake.” The memo noted that the “changes represent a significant shift from past operating practices.” 

While the operating principles memo may reflect a shift from past operating practices at the FRB, it is consistent with efforts underway at the Federal Deposit Insurance Corporation (“FDIC”) and Office of the Comptroller of the Currency (“OCC”) that we reported on last month to focus supervision on material financial risks rather than “non-material procedural issues.” The memo notes this focus on material financial risks in a number of the eleven overall bullets in the memo, but explicitly notes in the second overall bullet this approach and how it may manifest in the delivery of “Matters Requiring Attention” or “MRAs” or Matters Requiring Immediate Attention” or “MRIAs”:

• Examiners and other supervisory staff should prioritize their attention on a firm’s material financial risks.
  • They should not become distracted from this priority by devoting excessive attention to processes, procedures, and documentation that do not pose a material risk to a firm’s safety and soundness.
  • Examiners and other supervisory staff can address shortcomings that do not rise to the level of MRAs or MRIAs by making nonbinding supervisory observations. We will be amending SR 13-13 to reverse its directive to eliminate supervisory observations.
  • This will make supervision more effective by allowing examiners and other supervisory staff to prioritize their attention on a firm’s material financial risks.

The memo also noted there would be a reduction in horizontal reviews of similarly situated large banking organizations.            

Vice Chair Bowman noted in the press release that “[o]ur supervisory approach is not about narrowing our focus—it is about sharpening it, . . . By anchoring our work in material financial risks, we strengthen the banking system’s foundation while upholding transparency, accountability, and fairness. This is not about what we are leaving behind—it is about building a more effective supervisory framework that truly promotes safety and soundness across our financial system, which is the Federal Reserve’s core supervisory responsibility.”

On the same day as the FRB press release, former Vice Chair of Supervision (but still FRB Governor) Michael Barr gave a speech entitled “The Case for Strong, Effective Banking Supervision.”  While Governor Barr did not specifically reference the supervisory principles memo, he did criticize the reductions in force announced at all three federal bank supervisors.  

Much of bank supervision can be viewed as art rather than science, and calibrations of “how strict” bank supervision ought to be does often ebb and flow given changes in administrations. While banks will likely welcome the efficiencies the new principles may bring, they almost always would prefer certainty.

By Mercedes Kelley Tunstall

Partner | Financial Regulation

As of last week, Monday, November 10th, the Tenth Circuit has rescinded a preliminary injunction against a Colorado state law opting-out from DIDMCA and remanded the case back to the United States District Court for the District of Colorado. This means that it is now illegal for out-of-state banks that are not national banks to export interest rates into Colorado.

This development could impact bank-fintech partnership arrangements, to the extent such partnerships provide consumer lending and do not already recognize the interest rate limit of 25% in Colorado.  Of course, because of true lender concerns that have been raised in Colorado over the past several years, most bank-fintech partnerships already comply with that interest rate limit.  And, if a state bank or bank-fintech partnership has not already adhered to the 25% interest rate limit in Colorado, the rescinding of the preliminary injunction certainly signals that now is the time to do so.

By way of background, in 2023, the Colorado legislature passed a law opting out from allowing banks that are making loans to Colorado residents from avoiding Colorado limits on interest rates by exporting the interest rates available in the bank’s home state to Colorado. The law was passed in accordance with an opt-out right that exists in Federal law, specifically in the Depository Institutions Deregulation and Monetary Control Act of 1980 (DIDMCA), 12 U.S.C. §1831d.  As we reported in June 2024 (Why You Should Care About Colorado Attempting to Opt-Out of DIDMCA), three industry trade associations (the National Association of Industrial Bankers, the American Financial Services Association, and the American Fintech Council) sued the state of Colorado to prevent the law from going into effect and obtained a preliminary injunction.  This has meant that out-of-state banks have continued to be able to export the interest rates of their home state into Colorado.

The opinion rendered by the 10th Circuit in National Association of Industrial Bankers v. Weiser, available at 2025 WL 3140623 (November 10, 2025), addressed not just the topic of whether a preliminary injunction should continue, but also the substance of the action brought by the industry trade associations. The Tenth Circuit acknowledged that “. . we read §1831d(a) as preempting state law in two respects: (1) A state bank may charge up to the national discount-plus-one rate regardless of any state interest-rate cap; and (2) a state bank may export interest rates permitted by the state where the bank is located to out-of-state borrowers, even if the rate charged exceeds the rate permitted by the borrower’s state.”  In other words, as we explained in June 2024, “While DIDMCA does allow a state to re-impose its own usury rates for loans made by depository institutions chartered in Colorado to Colorado residents (i.e., to opt-out of DIDMCA), at issue is whether a loan ‘made in’ Colorado means loans made by the depository institutions that are physically in Colorado, or whether a loan ‘made in’ Colorado also includes loans made to Colorado borrowers. The Colorado Attorney General and the Administrator of the Colorado Uniform Consumer Credit Code have stated that the new law means that loans that are ‘made in’ Colorado do indeed include all loans made to Colorado borrowers. The industry trade associations argue otherwise.”

In approaching this issue, the Tenth Circuit found that “the opt-out provision is wholly separate” from the preemption language and explained that because it is wholly separate, the opt-out right in DIDMCA applies to both preemption prongs.  In other words, while the trade associations argued that the opt-out applies only to the first prong (i.e., the discount-plus-one rate), it does not apply to the exportation of interest rates.  Accordingly, the Tenth Circuit opined that such an interpretation intrudes on the states’ police power and that it “betrays common sense – no state would ever opt out of §1831d if the opt-out meant that the state would only disadvantage its own banks for loans to out-of-state borrowers.”  In addition, they concluded that “the statutory purpose establishes . . . that ‘loans made in such State’ refers to loans in which either the lender of the borrower is located in the opt-out state.”

By Peter Y. Malyshev

Partner | Financial Regulation

Cadwalader partner Peter Malyshev was recently quoted in The Capitol Forum discussing the emerging regulatory landscape for sports prediction markets, including how companies are preparing for increased scrutiny at both the federal and state levels.

Peter noted that several companies exploring entry into sports prediction markets are already taking proactive compliance steps, not only by considering registration with the CFTC as commodity exchanges, futures commission merchants (“FCMs”) or introducing brokers (“IBs”), but also by testing geolocation boundaries across individual states and implementing robust know-your-customer (“KYC”) controls.

“They’re looking at a future when there may be a time when there could be a court-created test of what gambling is,” Peter said, explaining that firms want to ensure they can comply with potential state-by-state restrictions even if federal rules evolve. “Instead of shutting down some contracts on the federal level, they want to be ready on the individual state level as a back-up,” said Peter. 

Read the full article here (subscription required).

By Mercedes Kelley Tunstall

Partner | Financial Regulation

The Consumer Financial Protection Bureau ("CFPB") has faced significant operational constraints under recent changes in the present administration and Congress. With its budget significantly reduced and market concerns related to this week’s announcement about bureau leadership, financial institutions will likely have substantive questions about their ongoing consumer financial services compliance.

Accordingly, I thought that I would put down some thoughts on what financial institutions CAN DO during this transitional period at the CFPB and what they SHOULD NOT DO at this time. Because I am a regulatory lawyer who focuses on compliance, I will go through the things NOT TO DO, first.

Do Not

• Decide to forego following the consumer financial services compliance policies and procedures your institution already has in place. These policies and procedures are viewed by all regulators as being components of your overall compliance management system (“CMS”) and even if the CFPB will not be on-site supervising your institution for the next three years, your other supervising regulators will be paying attention to how robust your CMS is. And, a failure to comply in one part of the CMS can be a source of consternation in supervision exams, in and of itself.
• Revise your consumer financial services policies and procedures to be less stringent, just because the CFPB will not be looking over your shoulder.  There may be other reasons that are reasonable for revising those policies and procedures to be less stringent, including statements from the other prudential regulators that reputational risk is not as important as previously, or court cases coming through that interpret the alphabet soup of regulations in a more business-friendly manner.
• Become less concerned about consumer complaints. Consumer complaints are incredibly useful bellwethers for all sorts of reasons and are generally among the first things requested when any regulator, plaintiff’s attorney or potential business partner or investor is looking at your business. Robust and timely responses to consumer complaints continue to be important for all financial institutions, as are sessions with legal and compliance staff to identify trends in consumer complaints and root causes.
• Think that if a potential violation of law or regulation occurs, the statute of limitations will run out before a revived CFPB in the future has the ability to identify it.  Remember, the CFPB has previously made extensive use of “tolling agreements” when the statute of limitations has already run, or is about to run, and choosing not to agree to the tolling agreement has in the past almost guaranteed that the CFPB will immediately sue under their unfair or deceptive or abusive acts or practices (“UDAAP”) authority and as many other violations as they can muster.  And, even if the statue of limitations has clearly run and there is no tolling agreement put in front of your organization, the CFPB’s UDAAP authority has a very long period over which it can be leveraged by the CFPB.

Do

• Take advantage of the more open environment to test and try new products or services, because you will not need to worry about a CFPB interrupting the test/trial in flight. Of course, it is imperative to continue to address any concerns that may arise regarding consumer financial services compliance and to document thoroughly any problems that may arise during the test/trial, as well as the adjustments made to the product or service to address those problems.
• Consider re-allocating compliance resources (people and otherwise) that might otherwise be focused upon CFPB exam preparation/response or responding to investigations to addressing how new technologies will impact your provision of consumer financial services. This is an excellent time to allow your compliance functions to learn about payment stablecoins, cryptocurrencies, tokenized assets, and of course, how artificial intelligence is, can and will be used in the organization to deliver, support and upgrade the consumer financial services it provides.
• Take this time to really look at products or services that drive consumer complaints and consider whether adjustments can and should be made to reduce those complaints.  When the organization is not having to play as much defense, it is an excellent time to work on creating a better offense.

I hope this list helps provide some grounding for how to think about the next three years and can be useful to support shifts in resources and perspectives in your organizations. And, of course, as we enter this holiday season with Thanksgiving next week, I hope that you are able to enjoy time with your loved ones!

By Chris van Heerden

Director | Fund Finance

In the latest installment of our U.S. Bank Quarterly Survey, we review the current banking landscape and its historical context with two questions in mind: First, what do bank fundamentals tell us about the state of the U.S. economy (recognizing that this is a retrospective or coincident analysis)? And, second, what can we infer about the capacity and willingness of banks to extend credit (a more forward-looking inquiry)?

We find that tepid aggregate loan growth excluding lending to non-depository financial institutions (“NDFIs”) reflects a bifurcated economy in which overall growth is concentrated in a few sectors (e.g., AI capex). A similar theme emerges in reported loan demand and credit performance.

NDFI loans have attracted significant lending capital, and may continue to do so in light of the overall delinquency rate for this segment sitting below 15 bps. Clean loan performance for NDFI loans fit with the short tenure loans and active collateral control mechanisms (e.g., borrowing base eligibility and exclusion criteria) often built into loans in the category, which should continue to support lending growth.

Access the full report here.