The financial services compliance landscape shifted significantly in 2025 and 2026 in ways that most community banks, credit unions, and fintechs have not yet fully absorbed. The FFIEC retired its Cybersecurity Assessment Tool on August 31, 2025, ending a decade-long standard and directing institutions toward NIST Cybersecurity Framework 2.0 as the recommended replacement. The OCC issued Bulletin 2025-24, effective January 1, 2026, eliminating mandatory policy-based examination requirements in favor of a risk-proportionate model. And the FTC continued active enforcement of the Safeguards Rule against non-banking financial institutions with particular focus on mortgage lenders, auto dealers, and fintech platforms.
For small financial institutions (community banks under $1 billion in assets, credit unions, mortgage companies, and early-stage fintechs), these changes arrive alongside a threat environment that has never been more hostile. Financial SMBs recover from cyberattacks fastest of any sector, at 16 hours on average, yet they also carry the highest cyber insurance coverage rates (67%) and invest the most in prevention (18% of IT budget), which suggests the sector has recognized the risk even as the compliance requirements around it continue to evolve. This article maps what the current framework actually requires and what institutions need in place to satisfy examiners, insurers, and regulators in 2026.
KEY STAT: FFIEC compliance failures can result in enforcement actions, mandatory remediation plans, and reputational damage. GLBA violations carry fines of up to $100,000 per violation, with criminal penalties of up to five years for directors who knowingly violate the law. NYDFS 23 NYCRR 500 carries penalties of up to $1,000 per violation per day. (Sources: HYPR / FFIEC / NYDFS)
The regulatory stack: what applies to small financial institutions
Small financial institutions do not face a single compliance framework; they face a stack of overlapping federal, state, and international requirements that interact in ways that create compliance complexity out of proportion to their internal resources. Understanding which frameworks apply to your institution is the starting point, and a comprehensive cybersecurity assessment can help identify which regulatory obligations and security controls require immediate attention.
FFIEC and NIST CSF 2.0: The Federal Financial Institutions Examination Council issues the uniform IT and cybersecurity examination standards that its member agencies (OCC, Federal Reserve, FDIC, NCUA, and CFPB) apply to federally insured commercial banks, savings associations, and credit unions, and its guidance is also the reference point examiners use for mortgage companies and other supervised non-bank lenders. With the retirement of the Cybersecurity Assessment Tool, examiners now expect institutions to demonstrate alignment with NIST Cybersecurity Framework 2.0, which added a sixth function (Govern) to the original five (Identify, Protect, Detect, Respond, Recover). The risk-proportionate examination model means examiners assess your institution's risk profile first, then evaluate whether your controls are commensurate with that profile. A documented cyber strategy roadmap helps institutions demonstrate how security investments align with business and regulatory risks, rather than merely whether specific policy documents exist.
Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule: GLBA applies to all financial institutions and requires a comprehensive information security program, privacy notices to customers, and limitations on data sharing. The FTC Safeguards Rule implements GLBA's security provisions for non-banking financial institutions, including mortgage brokers, auto dealers, payday lenders, and fintech companies. The amended Safeguards Rule (most provisions effective June 2023) mirrors bank examination expectations: a designated Qualified Individual accountable for the program, MFA, encryption of customer information at rest and in transit, access controls, annual penetration testing with periodic vulnerability assessments, and a written incident response plan. Since May 2024 it also requires notifying the FTC within 30 days of discovering a breach that affects 500 or more consumers.
NYDFS 23 NYCRR 500: New York's cybersecurity regulation applies to any entity licensed under New York banking, insurance, or financial services law, including many fintech companies and lenders operating in New York regardless of where they are headquartered. Since 2017 the regulation has required 72-hour notification of cybersecurity events and a CISO accountable for the program; the November 2023 amendments added annual penetration testing, automated vulnerability scanning at a frequency set by the risk assessment (and after any material system change), 24-hour notice of any ransomware extortion payment, and an annual compliance certification signed by the CEO and CISO. Penalties of up to $1,000 per violation per day apply.
OSFI B-13 (Canada): The Office of the Superintendent of Financial Institutions’ Technology and Cyber Risk Management Guideline applies to all federally regulated financial institutions in Canada and requires a board-approved technology risk appetite, a cyber resilience program, and active supply-chain risk management. For Canadian credit unions and community banks, provincial equivalents apply through FSRA (Ontario) and BCFSA (British Columbia).
PCI DSS 4.0: Any institution that processes, stores, or transmits cardholder data must comply with PCI DSS version 4.0 (now maintained as v4.0.1), which introduced the customized approach as a more flexible validation option alongside new requirements for targeted risk analysis, MFA for all access into the cardholder data environment rather than only administrative access, and automated technical controls (such as automated log review and detection of unauthorized changes to payment page scripts) in place of previously manual checks. The future-dated requirements became mandatory on March 31, 2025.
Armour Cybersecurity’s Integrated Compliance Audit Program maps your institution’s obligations across FFIEC, GLBA, NYDFS, PCI DSS, and OSFI B-13, and builds the controls and documentation to satisfy each. Learn about the Compliance Audit Program →
What FFIEC examiners look for in 2026
With the CAT retired and mandatory policy requirements replaced by risk-proportionate examination, the examiner’s question has shifted from ‘does this policy document exist?’ to ‘does your security posture match your risk profile, and can you demonstrate it?’ The practical implications:
- Risk assessment documentation: examiners expect a written, current risk assessment that identifies threats relevant to the institution's specific operations, products, and customer base. The assessment must be updated when the risk environment changes, not just annually.
- Board-level engagement: regulators across all frameworks now expect boards to actively participate in cybersecurity governance: approving risk appetite statements, receiving regular security briefings, and demonstrating understanding of the institution's top cyber risks.
- Incident response capability: not just a written plan, but evidence that the plan has been tested. Tabletop exercises, documented results, and demonstrated improvements from prior exercises are what examiners look for.
- Third-party risk management: the institution is accountable for the security of every vendor that accesses its systems or customer data. Examiners want to see a vendor inventory, tiered risk assessments, and contractual security requirements, not just a questionnaire.
- Cyber resilience: the ability to maintain critical operations and recover quickly after an incident. Business continuity testing, backup validation, and recovery time objective documentation are part of the examination scope.
The 10 controls every small financial institution needs in place
- Phishing-resistant MFA (FIDO2/WebAuthn or certificate-based, not SMS or push codes) on all administrative accounts, customer-facing systems, and any interface accessing customer data, including VPN and remote desktop access.
- Email security with anti-impersonation protection: financial institutions receive high volumes of spear-phishing targeting treasury staff, wire transfer approvers, and executives, so enforced DMARC, display-name impersonation detection, and out-of-band verification for payment changes belong here.
- Endpoint detection and response (EDR) on all endpoints with 24/7 monitoring: faster detection is a precondition for the fast recovery times the sector reports, and unmonitored EDR alerts provide neither. Many institutions strengthen visibility further through managed detection and response services that provide continuous monitoring and threat investigation.
- Network segmentation separating core banking systems from general office networks and any externally accessible systems.
- Privileged access management (PAM): strict controls on administrative credentials, just-in-time access provisioning, and session recording for privileged operations.
- Encrypted backups tested quarterly, including at least one offline or immutable copy, with recovery time objectives documented and tested, not assumed.
- Third-party vendor inventory and risk tier classification, with security requirements embedded in contracts for Tier 1 and Tier 2 vendors.
- Penetration testing annually and vulnerability scanning quarterly, with documented results and remediation tracked to closure.
- Written incident response plan tested through tabletop exercises at least twice per year, with regulatory notification timelines (for example the 36-hour banking-agency notice, the NCUA 72-hour notice for credit unions, the NYDFS 72-hour notice, and the FTC 30-day breach notice) mapped for each applicable framework.
- Board cybersecurity reporting: a quarterly security briefing to the board in plain language, covering the current threat landscape, posture metrics, and open remediation items.
Armour Cybersecurity’s Advisory Services provide board-level cybersecurity briefings, risk appetite development, and CISO-equivalent advisory engagement for financial institutions without a dedicated security executive. These initiatives are often supported by managed SOC services that provide around-the-clock monitoring and compliance-focused threat visibility. Explore Advisory Services →
Fintech-specific compliance considerations
Fintech companies face the same regulatory stack as traditional financial institutions, with the additional complexity of faster technology change cycles, third-party API dependencies, and the challenge of scaling compliance programs alongside the business. Key fintech-specific considerations:
- NYDFS 23 NYCRR 500 applies to many fintechs operating in New York regardless of headquarters location: any entity licensed under New York financial services law must comply, including money transmitters, lenders, and payment processors.
- PCI DSS 4.0 applies to any fintech that handles cardholder data, which includes most payment-adjacent fintechs. The v4.0 future-dated requirements, including MFA for all access into the cardholder data environment and the new automated technical controls, became mandatory on March 31, 2025, so they are in scope for any assessment performed now.
- The CFPB enforces the prohibition on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) under the Consumer Financial Protection Act, and the FTC enforces the parallel unfair-or-deceptive standard under Section 5 of the FTC Act; both agencies increasingly treat data security failures that harm consumers as violations of these rules, independent of the Safeguards Rule.
- A SOC 2 Type II report (an attestation by an independent CPA firm, not a certification) is now a de facto requirement for most enterprise fintech sales cycles, because institutional clients require it as part of their vendor risk management programs.
Frequently asked questions
What happens to community banks and credit unions now that the FFIEC CAT has been retired?
Examiners will now assess your institution against NIST CSF 2.0 using a risk-proportionate model rather than a checklist of required policy documents. This means your security posture needs to match your risk profile: institutions with higher transaction volumes, more customer data, or more complex technology environments will be held to higher control expectations. The practical advice is to map your current controls to NIST CSF 2.0's six functions (Govern, Identify, Protect, Detect, Respond, Recover), record the evidence that demonstrates each control is operating, and document the gaps before your next examination.
Does the FTC Safeguards Rule apply to my fintech company?
It depends on whether your company qualifies as a ‘financial institution’ under GLBA, which includes companies that are ‘significantly engaged’ in financial activities, including lending, exchanging currency, providing financial advice, and acting as a financial intermediary. Most fintech companies that touch consumer financial data fall within scope. The FTC has been actively expanding enforcement in this area, with particular focus on data security failures at non-bank financial companies.
What is the 36-hour incident notification requirement?
The Computer-Security Incident Notification Rule (codified for OCC-supervised institutions at 12 CFR Part 53, with parallel provisions for Federal Reserve- and FDIC-supervised institutions) requires federally regulated banking organizations to notify their primary federal regulator as soon as possible, and no later than 36 hours after determining that a 'notification incident' has occurred: a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the bank's operations, business lines, or services to customers. The 36-hour clock starts from the determination that a reportable incident has occurred, not from the moment the incident is detected, so the incident response plan should define who makes that determination and how it is recorded. The rule also requires bank service providers to notify affected bank customers as soon as possible of incidents likely to disrupt covered services for four or more hours. Federally insured credit unions are covered instead by the NCUA's separate rule, which requires reporting a reportable cyber incident to the NCUA within 72 hours of reasonably believing one has occurred. In all cases a documented, tested incident response plan is critical for meeting the notification timeline, and institutions should establish relationships with incident response services providers before a regulatory reporting event occurs.
How does a small community bank with limited IT staff approach FFIEC compliance?
The most cost-effective approach for community institutions is a co-managed security model, often delivered through managed cybersecurity services that combine monitoring, compliance support, and strategic security guidance: retaining a qualified managed security service provider to handle the technical controls, monitoring, and documentation that FFIEC examiners look for, while maintaining internal accountability through a designated qualified individual and board-level reporting. Accountability for the program cannot be outsourced, so the institution should retain the right to audit the provider, review its own SOC 2 or equivalent report, and include it in its third-party risk inventory. This provides the equivalent of a dedicated security team at a fraction of the cost of hiring one, and the managed provider's documentation becomes part of your compliance evidence file.
The retirement of the FFIEC CAT and the shift to risk-proportionate examination do not reduce the compliance burden for small financial institutions; they increase the importance of having a documented, evidence-based security program that can withstand examiner scrutiny. The institutions that will sail through 2026 examinations are the ones that have aligned their controls to their risk profile, documented everything, and tested what they have built.
Armour Cybersecurity’s Integrated Compliance Audit Program helps small banks, credit unions, and fintechs build the compliance documentation, security controls, and testing evidence that satisfy FFIEC, GLBA, NYDFS, and PCI DSS requirements — delivered by advisors who speak both security and regulatory language.