Introduction
In February 2026, the Federal Financial Institutions Examination Council (FFIEC) updated their IT Examination Handbook to remove all references to reputation risk. What has changed and what do these updates mean for your financial institution? Let's take a look.
Table of Contents
- Introduction
- Background
- Impact on the Handbook
- What Do These Changes Mean?
- What Should You Do Now?
- Frequently Asked Questions (FAQs)
Background
On August 7, 2025, Executive Order 14331 was published in the Federal Register. Titled "Guaranteeing Fair Banking for All Americans," the order directed the federal banking agencies to ensure access to banking services is based on neutral, risk-based criteria. To support this goal, the order called for the removal of "reputation risk" from official guidance and examination procedures.
While the intent of the order was to preserve access to financial services, the regulators have interpreted the order more broadly, proposing to remove references to "reputation risk" across the board.
- Prohibition on Use of Reputation Risk by Regulators (OCC and FDIC)
- Prohibition on Use of Reputation Risk by NCUA
- Prohibition on Use of Reputation Risk or Other Supervisory Tools To Encourage or Compel Banking Organizations To Engage in Politicized or Unlawful Discrimination (Federal Reserve)
Impact on the Handbook
Consistent with this approach, the FFIEC removed every reference to the word "reputation" from the IT Examination Handbook. (In case you're curious, there were 92.)
While the FFIEC stated the updates do not create new requirements, if financial institutions interpret the changes literally, these updates could effectively require a cultural shift, along with significant adjustments to governance, risk management, and compliance (GRC) programs.
Following are some examples of context shifts in the booklet due to the removal of reputation risk.
Risk Definition
The word "reputation" was removed in the FFIEC's handbook-wide definition of risk, which now focuses solely on events that could negatively impact earnings or capital.
| Before | After |
| --- | --- |
| "The potential that events, expected or unanticipated, may have an adverse effect on a financial institution's earnings, capital, or reputation." | "The potential that events, expected or unanticipated, may have an adverse effect on a financial institution's earnings or capital." |
Business Continuity Management
The word "reputation" was removed in the FFIEC Business Continuity Management booklet in the context of crisis and emergency management.
| Before | After |
| --- | --- |
| "Management should consider the impact of a crisis or emergency on the entity's reputation and personnel." | "Management should consider the impact of a crisis or emergency on the entity and personnel." |
Third-Party Risk Management
The word "reputation" was removed from the FFIEC Outsourcing Technology Services booklet in the context of evaluating a vendor's reputation during the due diligence process.
| Before | After |
| --- | --- |
| "Determine whether due diligence requirements encompass all material aspects of the service provider relationship, such as the provider's financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities and use of subcontractors." | "Determine whether due diligence requirements encompass all material aspects of the service provider relationship, such as the provider's financial condition, controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities and use of subcontractors." |
Information Security Monitoring
The word "reputation" was removed from the FFIEC Information Security booklet in the context of using "reputation-based tools" for blocking potentially fraudulent activities.
| Before | After |
| --- | --- |
| "Reputation-based tools to block connections to the institution's servers based on device or network indicators known or suspected to be associated with fraudulent activities." | "Tools to block connections to the institution's servers based on device or network indicators known or suspected to be associated with fraudulent activities." |
"Reputation Risk" Definition Removal
The following definitions of reputation risk were removed from several booklets, as well.
| Booklet | Definition |
| --- | --- |
| Management Booklet | "Reputation risk can stem from errors, delays, omissions, unauthorized access to IT systems, or loss of confidential information that become public knowledge. Such occurrences may directly affect business partners and customers and may result in a loss of customers, customer withdrawal of funds, and loss of trust in the institution's products or services." |
| Outsourcing Technology Services Booklet | "Errors, delays, or omissions in information technology that become public knowledge or directly affect customers can significantly affect the reputation of the serviced financial institutions. For example, a TSP's failure to maintain adequate business resumption plans and facilities for key processes may impair the ability of serviced financial institutions to provide critical services to their customers." |
| Retail Payment Systems Booklet | "Reputation risk occurs when negative publicity regarding an institution's business practices leads to a loss of revenue or litigation. For retail payment-related systems, reputation risk is linked to consumer expectations regarding the delivery of retail payment services, and the institution's ability to meet its regulatory and consumer protection obligations related to those services. An institution's reputation, particularly the trust afforded it by customers and counterparties, can be irrevocably tarnished due to perceived or real breaches in its ability to conduct business securely and responsibly. Financial institutions are responsible for risks associated with the activities of third-party service providers with which they contract. Deficiencies in security and privacy policies that result in the release of customer information by a service provider can damage the reputation of client financial institutions. Operational failures could significantly impact an institution's reputation if systems are disrupted for extended periods. Management oversight of third-party service providers is a critical component of reputation risk management." |
What Do These Changes Mean?
If you take the removal at face value, it might be tempting to grab a pair of scissors and cut the word "reputation" out of your information security policies, business continuity plan, risk assessments, vendor management program, and any other documents where it appears.
But is that actually necessary, and would that be a good change for your financial institution's bottom line?
- Does it make sense to discard reputation risk from social media risk assessments?
- Does it make sense to overlook public perception after a service disruption or incident?
- Does it make sense to partner with a vendor who has a questionable track record according to your peers?
- Does it make sense to change security monitoring tools just to avoid factoring in reputation, even if it helps identify real risks?
If your answer to any of those questions is "no," it may not make sense to completely exclude reputation as a factor in how your institution thinks about and manages risk.
What Should You Do Now?
How should your financial institution approach this update? While there is no one right answer, here are a couple of considerations that may help guide your approach.
- First, remember public perception can still lead to material financial risks. That's especially true for community financial institutions, which often rely heavily on local trust, personal relationships, and public image where a single misstep or poorly handled event can have a significant impact on the business.
- Second, focus on reputation risk in the right contexts. Financial institutions should absolutely avoid using reputation risk as a reason to deny banking services to customers and members, but it can still be worth considering in situations where reputational damage could create real impacts on earnings, capital, or operations.
If you have copies of the booklets saved locally, replace them with the latest versions downloaded from the FFIEC IT Examination Handbook website.
If you'd like to learn more about how Tandem can help you manage your cybersecurity governance, risk management, and compliance practices, visit our website at Tandem.App.
Frequently Asked Questions (FAQs)
Q: Why was reputation risk removed from the FFIEC IT Examination Handbook?
A: The change aligns with a broader regulatory direction emphasizing measurable financial risks over subjective reputational considerations.
Q: Does the removal of "reputation risk" mean financial institutions should stop considering reputation entirely?
A: Not necessarily. While it is no longer highlighted in FFIEC guidance, reputational issues can still contribute to material financial risks.
Q: Will my examiners give me a finding if I still include reputation risk in my programs?
A: If reputation risk is used in a way that could negatively impact customer or member access to financial services, this would likely be noted. Comments or findings on other uses of reputation risk may vary depending on the circumstances.
Q: Will my examiners give me a finding if I exclude reputation risk from my programs?
A: It depends on the circumstances. While examiners may not focus on "reputation risk" as a standalone category, if reputational concerns are linked to issues that could affect earnings or capital, they could still be noted.
Q: Does this change affect cybersecurity or information security practices?
A: Not directly, but it may shift the focus toward technical indicators rather than tools or controls explicitly tied to reputation-based signals.
Q: Should financial institutions remove reputation considerations from risk assessments?
A: Institutions may wish to review how reputation is referenced, but removing it entirely could overlook risks that may ultimately affect earnings, capital, and operations.
Q: Does the guidance change how institutions should handle business continuity planning and incident response?
A: Updates focus crisis planning on operational and financial impacts, but clear communication and public perception can still play an important role in handling incidents.
Q: Do financial institutions still need to consider reputation risk in vendor management?
A: Institutions should evaluate vendors based on a variety of factors, emphasizing objective due diligence rather than relying solely on vendor reputation or peer references.
Q: What updates will Tandem be making in response to these guidance changes?
A: When new or updated guidance is released, Tandem's team of security and compliance experts reviews the guidance and makes updates to the software as needed. Stay up to date with the latest changes in Tandem's Software Updates blog.