For over a decade, the term "reputation risk" has been a staple in the boardroom and a primary headache for compliance officers. However, following the landmark OCC Bulletin 2025-4 in March 2025, the Office of the Comptroller of the Currency (OCC) began a major policy shift by removing references to reputation risk from its Comptroller’s Handbook and instructing examiners to no longer examine for it as a standalone category.
For banks and financial institutions, this shift is not the "end" of reputation risk; rather, it represents a fundamental re-visioning of how institutions must manage it within their fintech partnerships to align with the evolving position of federal regulators.
Historically, the OCC defined reputation risk as the "risk to current or projected financial condition and resilience arising from negative public opinion." This concept was one of the eight core categories of risk used in bank supervision for decades.
The original intent was to ensure that banks considered the "brand contagion" that could arise from third-party relationships. However, over time, the industry and regulators alike found that this category was often too subjective. In March 2025, the OCC stated that its examination process should be rooted in risk management rather than "casting judgment on how a particular activity may fare with public opinion."
The transition was accelerated by Executive Order 14331, "Guaranteeing Fair Banking for All Americans," signed on August 7, 2025. The Order directed federal banking regulators to remove "reputation risk" and equivalent concepts from their guidance documents, examination manuals, and other supervisory materials within 180 days.
A primary driver of the EO was the concern that "reputation risk" had been used as a pretext for "politicized or unlawful debanking"—the restriction of financial services to law-abiding individuals or businesses based on their political or religious beliefs rather than individualized, objective, risk-based analyses.
To codify these changes, the OCC and FDIC issued a joint Notice of Proposed Rulemaking (NPRM) in October 2025 (OCC Bulletin 2025-30). This proposal seeks to formally prohibit agencies from taking adverse actions or issuing supervisory criticisms solely on the basis of reputation risk.
From our analysis of these developments, it appears the regulatory community is moving toward a framework that eliminates the "pretext" for debanking while focusing on material risks. In our view, this shift suggests several key implications for bank supervision:
The OCC's removal of "reputation risk" as a standalone supervisory category does not negate a bank's requirement to conduct thorough due diligence. These changes do not mean banks should stop assessing the reputation risk associated with their fintech partnerships; rather, the methodology must shift from "brand management" to "operational forensic science."
Specifically, a robust due diligence process should no longer rely on purported brand impact or "reputation impact by association." Instead, selection and ongoing monitoring should be based on quantifiable resilience. If a fintech partner operates in a novel or controversial space but maintains ironclad cybersecurity, a healthy balance sheet, and a robust AML program, the "reputation" hit becomes a strategic business decision for the bank, rather than a supervisory hurdle.
In this new era, reputation risk remains significant in a bank's internal decision-making process, but it is re-visioned to focus on objective and tangible areas of fintech business and operations:
Instead of scoring "reputation" as an isolated category, banks should evaluate the underlying causes of potential failure:
Reputation must be viewed through a "Business Risk" lens, assessing it as a potential threat to Liquidity. For example, a scandal involving a core fintech partner could trigger a deposit run or a sudden drop in stock price. This makes reputation a financial risk that the Board must manage, even if regulators do not provide a specific grade for it.
Due diligence should prioritize objective metrics. Evaluating a fintech’s "Uptime," "Error Rates," and "Customer Complaint Resolution" provides a verifiable record of performance that supersedes subjective media monitoring.
At Across, we have pioneered an assessment framework that helps banks navigate this re-visioning. Our approach ensures that banks can still account for reputation risk in their fintech decisions while equating that risk to quantifiable operational and business metrics rather than subjective perception.
The Across framework quantifies reputation by associating it directly with the efficiency of a fintech’s performance and controls in tangible areas, including:
By using the fintech's risk position in these specific areas as a primary input for determining reputation risk, Across allows banks to replace perceptions with quantifiable results.
The regulatory pivot initiated by the OCC and the current administration is a win for clarity. By removing the "shadow" of reputation risk and aligning with the principles of Executive Order 14331, banks are empowered to make more objective, data-driven decisions.
Fintech due diligence should no longer be about "how this looks," but about "how this works." Banks that successfully re-vision their reputation assessments into "Core Risks" using frameworks like Across will be better aligned with modern examination standards and better positioned to partner with the next generation of financial technology.
Disclaimer: This post is for informational purposes and does not constitute legal or regulatory advice. The analysis of regulator intent and future supervisory positions reflects the views of Across and is not an official statement from any government agency. Always consult with your compliance and legal teams regarding OCC Bulletin updates.
About Across
Across provides real-time, decision-ready onboarding and ongoing risk assessments for banks working with fintech partners. By combining automation with risk intelligence, Across helps financial institutions maintain continuous oversight, scale compliance infrastructure, and confidently operate Banking-as-a-Service programs in an increasingly complex regulatory environment.
© 2026 Across Technology Inc. All Rights Reserved