Lawmakers Press Bank Regulators on Tech Rules and Delays

As the Subcommittee on Digital Assets, Financial Technology, and Artificial Intelligence Chairman Bryan Steil, R-Wisc., said in his opening remarks, “The question before us is not whether this transformation will continue. It will. The real question is whether our regulatory framework is prepared to meet it.”

The hearing on Thursday (March 26) titled “Innovation at the Speed of Markets: How Regulators Keep Pace With Technology,” brought together senior supervisory officials from the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the National Credit Union Administration. Taken together, the witnesses described an approach that is evolving away from categorical caution and toward integration, though the pace and clarity of that transition has varied.

James Gallagher, senior deputy comptroller and chief national bank examiner at the OCC, emphasized that the agency is adjusting how it evaluates new products and partnerships as part of a broader effort “supporting and keeping pace with responsible innovation within the federal banking system.” His remarks pointed to a supervisory model that is less concerned with the form of technology than with whether an institution can demonstrate control over the risks it introduces.

At the FDIC, Ryan Billingsley, director of the Division of Risk Management Supervision, described a similar repositioning, but with a focus on the supervisory burden itself. He said the agency is reconsidering how guidance is applied, including whether existing expectations have been extended to activities that “pose no material financial risk to banks,” a distinction that goes to the center of complaints from smaller institutions.

Randall Guynn, director of the Federal Reserve’s Division of Supervision and Regulation pointed to efforts to make supervision more transparent, including publishing internal operating manuals, in a bid to explain how decisions are made rather than simply enforce them.

Amanda Parkhill, acting director of the NCUA’s Office of Examination and Insurance, added a different dimension, describing an active review of regulations that may be outdated or unnecessarily restrictive. That process, she indicated, is being informed by feedback from institutions that view compliance obligations, particularly in technology adoption, as disproportionate to their scale.

Expansion of the Bank Perimeter

Third-party risk has moved from a technical compliance issue to a structural concern about how banks operate, panelists said.

Guynn’s testimony illustrated that partnerships allow banks to reach new markets and deploy products more efficiently, but they also introduce risks that are not easily contained within traditional supervisory frameworks.

Gallagher’s statements suggested that regulators are attempting to tailor oversight to the specific risk profile of each institution, rather than applying uniform standards across all partnerships.

During questioning by lawmakers, U.S. Rep. John Rose, R-Tenn., pointed to friction for small banks tied to third-party relationships. Billingsley acknowledged that regulators are reviewing the 2023 interagency guidance on third-party relationships and considering changes, including examining “risk management standards more generally, to see if we can better tailor them, particularly for our community banks.  We’ve taken a more open-minded approach over the last 12 to 18 months with respect to banks’ engagement with third parties.” That guidance is in the process of being updated, he told the lawmaker.

Digital Assets and Normalization

The treatment of digital assets received attention from several witnesses.

Gallagher referenced the OCC’s work implementing a payment stablecoin regime, positioning it as part of a broader effort to provide a supervisory environment in which these activities can develop without destabilizing institutions.

Billingsley described other changes, including the removal of prior notification requirements that had limited banks’ ability to engage in crypto-related activities. He also outlined the development of a formal framework, telling lawmakers, “We expect soon to propose prudential requirements  —including tailored requirements related to reserve assets, capital, liquidity, and principles-based risk management requirements — for FDIC-supervised payment stablecoin issuers.”

Guynn focused on the functional implications, noting that stablecoins and tokenized deposits may alter how payments are processed and settled, with potential efficiency gains but also new operational dependencies.

AI and the Question of Control

Artificial intelligence drew consistent attention across all four agencies.

Billingsley pointed to the breadth of current applications, including fraud detection and credit underwriting, and noted that newer forms of AI are being tested for internal functions such as customer service and code generation.

Guynn acknowledged that adoption is expanding but stressed that most use cases remain limited in scope, reflecting unresolved challenges related to explainability, data integrity and model risk.

In response to questions from Rose on agentic AI and fraud defenses, Parkhill highlighted similar applications within credit unions, alongside concerns about how smaller institutions can meet the same governance standards as larger organizations when deploying AI tools.

As the OCC’s Gallagher stated during his own response to questions about innovation and oversight and in particular the use of AI, “The current pace of innovation is much faster, but this is nothing new.  We’ve seen banks innovate throughout our history as an organization and throughout my career.”