Codify — Article

FIRM Act (H.R.2702) bans use of 'reputational risk' in federal bank supervision

The bill forces federal banking agencies to strip references to reputational risk from guidance and forbids supervisory actions tied to that concept, narrowing regulators' discretion over depository institutions.

The Brief

The Financial Integrity and Regulation Management (FIRM) Act prohibits Federal banking agencies from using ‘‘reputational risk’’ — or any substantially similar term — when supervising, examining, rating, or enforcing against depository institutions. It directs agencies to remove references to reputational risk from guidance, manuals, and rules and lists a set of specific supervisory activities that are off-limits if based on reputational risk.

That change narrows a long-standing, subjective supervisory tool and replaces it with a statutory ban. Institutions and compliance officers should expect agencies to revise examiner guidance and exam procedures; the bill also creates a 180-day reporting obligation to congressional banking committees describing those internal changes.

The Act includes targeted definitions and a terrorism-related exception that will shape how the prohibition operates in practice.

At a Glance

What It Does

The bill defines ‘‘reputational risk,’’ requires each Federal banking agency to remove any reference to it from guidance and manuals, and bars agencies from establishing standards, conducting examinations, issuing findings, basing ratings, or taking enforcement actions that rely on reputational risk. It also requires agencies to report to the Senate Banking Committee and House Financial Services Committee within 180 days describing implementation.

Who It Affects

Covered entities include depository institutions under the FDIA definition — explicitly including insured credit unions — and the full suite of Federal banking agencies (FDIC, OCC, FRB, plus the NCUA and the CFPB as named in the bill). Compliance, risk, and legal teams at those institutions will see the most immediate operational impact.

Why It Matters

The change removes a discretionary supervisory lever that agencies have used to influence banks’ customer relationships and product choices. That narrows supervisory discretion on subjective publicity-related concerns and shifts where institutions must manage non-safety reputational exposures — from exam room judgments back to corporate risk management and the private market.


What This Bill Actually Does

The FIRM Act starts with definitions and findings that frame Congress’s view: safety and soundness are the primary supervisory objectives and reputational risk is a non-statutory, subjective concept that has been used to influence access to financial services. The bill then sets a clear rule: agencies must delete references to reputational risk from guidance, manuals, and similar documents so that reputational risk is no longer considered in examinations and supervision.

Beyond removal, the Act draws a bright line by listing prohibited supervisory activities tied to reputational risk. Agencies may not adopt rules or supervisory expectations, conduct examinations or data collections, issue findings or criticisms, base supervisory ratings, or take formal or informal enforcement actions that are based in whole or in part on reputational risk or substantially similar concepts.

The statute defines reputational risk in a way that covers negative publicity “whether true or not,” while carving out an exception for negative publicity tied to unlawful transactions with state sponsors of terrorism or designated foreign terrorist organizations. The bill also expands the statutory list of ‘‘Federal banking agencies’’ to expressly include the National Credit Union Administration and the Consumer Financial Protection Bureau, and it clarifies that ‘‘depository institution’’ follows the FDIA definition and expressly includes insured credit unions. Finally, the Act requires each named agency to submit a report to the House Financial Services Committee and Senate Banking Committee within 180 days confirming the agency implemented the Act and describing internal policy changes.

That reporting obligation is the only compliance mechanism the statute creates; the bill does not prescribe monetary penalties or private rights of action for violations. Operationally, implementation will look like targeted editorial changes to examiner manuals and supervisory playbooks, removal of reputational-risk language from publicly available guidance, and internal retraining for examiners. For banks and credit unions, the immediate effect is that exam narratives and ratings should not cite reputational risk; risk teams will need to document and manage publicity-driven threats internally rather than rely on supervisory engagement to address them.

The Five Things You Need to Know

1. The bill’s statutory definition of ‘‘reputational risk’’ covers negative publicity “whether true or not” but excludes publicity regarding unlawful transactions involving state sponsors of terrorism or designated foreign terrorist organizations.

2. The Act explicitly includes the NCUA and the CFPB within the definition of ‘‘Federal banking agency’’ and explicitly includes insured credit unions within ‘‘depository institution.’’

3. Section 5 lists five prohibited supervisory actions tied to reputational risk: establishing standards, conducting exams or data collection, issuing findings or criticisms, making ratings decisions, and taking formal or informal enforcement actions.

4. Agencies must submit implementation reports to the Senate Banking Committee and House Financial Services Committee within 180 days describing the internal policy changes they made to comply.

5. The statute contains no civil penalty, private right of action, or statutory enforcement mechanism beyond the 180‑day reporting requirement to Congress.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 1

Short title

Names the statute the Financial Integrity and Regulation Management Act or the FIRM Act. This is the heading provision and has no operational effect beyond establishing the Act’s public name for references in guidance and reports.

Section 2

Congressional findings

Sets out Congress’s view that safety and soundness are the primary supervisory goals, that reputational risk is non-statutory, and cites past agency uses (referencing Operation Choke Point) to justify legislative intervention. Findings frame statutory interpretation disputes and signal congressional intent to judges, regulators, and agencies when corner cases arise.

Section 3

Key definitions

Defines ‘‘depository institution’’ by reference to the FDIA and explicitly adds insured credit unions, expands ‘‘Federal banking agency’’ to include the NCUA and CFPB, and defines ‘‘reputational risk’’ with a terrorism-related carveout. Those definitional choices determine which entities and which regulatory actors the prohibition covers and narrow the circumstances in which reputational considerations are permitted.

Section 4

Removal of references to reputational risk from guidance

Directs agencies to excise references to reputational risk or substantially similar terms from guidance, rules, exam manuals, and similar documents. Practically, this requires editorial and policy reviews of publicly available guidance and examiner playbooks and will trigger internal change-control processes and retraining for examination staff.

Section 5

Blanket prohibition of supervisory activity based on reputational risk

Enumerates prohibited conduct: agencies may not create standards, conduct examinations or data collection, issue findings or criticisms, base ratings, or pursue enforcement actions that rest in whole or part on reputational risk. The list is comprehensive and operationalizes the statutory ban by identifying the common supervisory levers agencies use to influence institution behavior.

Section 6

Reporting to congressional committees

Requires each Federal banking agency, within 180 days of enactment, to report to the Senate Banking Committee and House Financial Services Committee confirming implementation and describing internal policy changes. This is the sole compliance and oversight mechanism the Act prescribes; it creates a transparency obligation rather than a judicial or administrative enforcement path.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Banks and credit unions that accept customers in politically sensitive industries — The ban reduces the risk that examiners will pressure institutions to cut off lawful customers on the basis of negative publicity, preserving commercial discretion over customer relationships.
  • Industries previously flagged under subjective reputational reviews (for example, certain fintechs, payment processors, or sectors cited during Operation Choke Point) — They gain reduced regulatory leverage that might have been used to restrict access to banking services absent statutory violations.
  • Institutional compliance and legal teams — They receive clearer boundaries on what examiners may cite, lowering the chance that reputational arguments will be used in supervisory criticism and forcing institutions to manage publicity risks internally.

Who Bears the Cost

  • Federal banking agencies and examiners — Agencies must revise manuals, guidance, and examination procedures and retrain staff, which imposes administrative and operational costs and constrains supervisory judgment at the frontline.
  • Supervisory efforts to address noncompliance with informal or reputational channels — Agencies lose a discretionary tool that previously allowed them to influence institution behavior short of enforcement, potentially making it harder to obtain voluntary corrective actions.
  • Law enforcement and anti‑money‑laundering efforts that rely on supervisory cooperation — Narrowing reputational considerations could complicate cross‑cutting strategies where publicity-driven concerns intersect with information sharing, requiring tighter coordination with OFAC/BSA channels to address illicit finance risks.

Key Issues

The Core Tension

The central dilemma is between preventing political or subjective supervisory pressure on private firms and preserving regulators’ flexible tools to nudge institutions away from behaviors that could indirectly threaten safety and soundness. Eliminating reputational risk reduces potential regulatory overreach, but it also removes a soft supervisory instrument frequently used to address complex, non‑legal harms that can nonetheless translate into financial risk.

The bill draws a clean legal fence around reputational risk but leaves important implementation questions unresolved. The terrorism-related exception narrows the prohibition, yet it hinges on labels applied by the Secretary of State (state sponsors of terrorism and FTO designations).

That creates an evidentiary and timing problem: conduct that agencies view as raising reputational concerns for illicit finance reasons may not map neatly to those statutory designations, so agencies will need to decide whether other supervisory authorities (e.g., BSA/AML or OFAC enforcement) suffice to address the same conduct.

Another trade-off is practical: reputational risk has been used as a non-binding lever to achieve voluntary changes in institutions’ behavior. Removing that lever forces agencies either to pursue formal enforcement actions (with higher procedural costs and standards of proof) or to accept some behavior they once could discourage informally.

The Act uses a reporting requirement as its only monitoring mechanism; without civil penalties or private remedies, compliance will be enforced internally within agencies and politically through congressional oversight rather than through judicial review or fines. That structure raises the likelihood of implementation variance across agencies and potential litigation over what counts as a ‘‘term substantially similar’’ to reputational risk.
