FDIC Press Releases
Jan 22, 2026
Rules
The FDIC has approved deposit insurance applications for Ford Credit Bank and GM Financial Bank. Both banks will be Utah-chartered industrial banks focusing on automotive financing. Conditions include maintaining a minimum 15% tier 1 leverage ratio and support from parent companies.
PRESS RELEASE | JANUARY 22, 2026
FDIC Approves the Deposit Insurance Applications for Ford Credit Bank, Salt Lake City, Utah, and GM Financial Bank, Salt Lake City, Utah
WASHINGTON – The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) today approved deposit insurance applications submitted by Ford Motor Company to establish Ford Credit Bank and General Motors Company to establish GM Financial Bank. Ford Credit Bank and GM Financial Bank will both be Utah-chartered industrial banks.
Applications for deposit insurance are evaluated under a statutory framework of seven factors that include: the financial history and condition of the institution; the adequacy of the institution’s capital structure; the future earnings prospects of the institution; the general character and fitness of the management of the institution; the risk presented by the institution to the Deposit Insurance Fund; the convenience and needs of the community to be served by the institution; and whether the institution’s corporate powers are consistent with the purposes of the Federal Deposit Insurance Act.
Ford Credit Bank’s proposed business model will focus on providing automotive financing products nationwide, primarily through the purchase of retail installment sales contracts from independent Ford dealers. Funding will primarily consist of retail savings accounts and time deposits obtained via the bank’s website and mobile application. FDIC staff found that Ford Credit Bank satisfied the statutory factors for approval, subject to certain conditions and written agreements. Among other conditions, Ford Credit Bank will be required to maintain a minimum 15 percent tier 1 leverage ratio, and Ford Motor Company will be required to support the bank’s capital and liquidity positions.
GM Financial Bank’s proposed business model will focus on providing automotive financing products nationwide, primarily through the purchase of retail installment sales contracts from GMF. Funding will primarily consist of savings accounts and time deposits via the bank’s website and a mobile application. FDIC staff found that GM Financial Bank satisfied the statutory factors for approval, subject to certain conditions and written agreements. Among other conditions, GM Financial Bank will be required to maintain a minimum 15 percent tier 1 leverage ratio, and General Motors Company will be required to support the bank’s capital and liquidity positions.
The FDIC approval orders expire if Ford Credit Bank and GM Financial Bank are not established within 12 months, unless extended by the FDIC.
ATTACHMENTS:
- Deposit Insurance Approval Order Documents – Ford Credit Bank
- Deposit Insurance Approval Order Documents – GM Financial Bank
MEDIA CONTACT:
[email protected]
FDIC Press Releases
Jan 22, 2026
Rules|guidance
The FDIC Board of Directors met to discuss and approve amendments to the FDIC’s Guidelines for Appeals of Material Supervisory Determinations, a final rule on FDIC Official Signs and Advertising Requirements, and issued financial institution letters. A webcast recording is available.
BOARD MEETING | JANUARY 22, 2026
FDIC Board of Directors Meeting
Today, the Federal Deposit Insurance Corporation's Board of Directors met in open session to consider the following matters. Materials and information relative to the open Board actions are available on the Board Matters webpage.
Items Addressed in Open Session:
- Amendments to the FDIC’s Guidelines for Appeals of Material Supervisory Determinations (Press Release, Statement by Chairman Hill, Financial Institution Letter)
- Final Rule on FDIC Official Signs and Advertising Requirements (Press Release, Financial Institution Letter)
A recording of the full webcast of the open session is available.
ABA Banking Journal
Jan 21, 2026
Security
Artificial intelligence is enhancing cybersecurity efforts but also enabling fraud. Cyber-enabled fraud will affect people of various backgrounds in 2026.
Artificial intelligence is “supercharging” the cybersecurity arms race, with cyber-enabled fraud affecting people of all stripes, according to a new Global Cybersecurity Outlook report by the World Economic Forum and professional services firm Accenture. The post Survey: AI, fraud among top cybersecurity trends for 2026 appeared first on ABA Banking Journal.
ABA Banking Journal
Jan 21, 2026
The American Bankers Association (ABA) has urged the FDIC to defer collection of a special assessment on certain banks, citing ongoing litigation related to recent bank failures. This move would provide more time for legal proceedings regarding loss recovery.
The FDIC should defer collection of the special assessment imposed on certain banks following the failures of Silicon Valley Bank and Signature Bank, which would give more time for litigation to play out regarding the recovery of losses caused by the closures, ABA said in a letter to the agency. The post ABA urges FDIC to pause special assessment collection appeared first on ABA Banking Journal.
Banking Dive
Jan 21, 2026
Security
Artificial intelligence threats in payments are increasing; new industry trends such as agentic commerce and passkey adoption are being implemented for defense.
The artificial intelligence threats are mounting, but so are the defenses, as new industry trends take hold, from agentic commerce to passkey adoption.
Federal Register - Credit Unions
Jan 21, 2026
Guidance
TX
The Sunshine Act requires public meetings and records to be open to the public. Non-exempt meetings must provide notice at least 10 days in advance.
ABA Banking Journal
Jan 20, 2026
Proposals
- ABA supports the OCC's proposal to overhaul community bank licensing requirements as part of reducing regulatory burden.
- The proposal aims to streamline and simplify existing licensing processes for community banks.
ABA said it supports a proposal by the OCC to revise licensing requirements for community banks as part of a broader effort to reduce the overall regulatory burden on the institutions. The post ABA supports OCC proposal to overhaul community bank licensing requirements appeared first on ABA Banking Journal.
Krebs on Security
Jan 20, 2026
Security
The Kimwolf botnet has infected over 2 million devices and can scan local networks for additional targets. It primarily affects residential proxies, especially Android TV streaming boxes, but also compromises corporate and government networks. Infoblox found that nearly 25% of its customers made queries to Kimwolf-related domains.
A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.
[Image: Shutterstock, @Elzicon.]
Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints. Residential proxies are sold as a way to anonymize and localize one’s Web traffic to a specific region, and the biggest of these services allow customers to route their Internet activity through devices in virtually any country or city around the globe.
The malware that turns one’s Internet connection into a proxy node is often quietly bundled with various mobile apps and games, and it typically forces the infected device to relay malicious and abusive traffic — including ad fraud, account takeover attempts, and mass content-scraping.
Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week. The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.
Most of the systems compromised through Kimwolf’s local network scanning have been unofficial Android TV streaming boxes. These are typically Android Open Source Project devices — not Android TV OS devices or Play Protect certified Android devices — and they are generally marketed as a way to watch unlimited (read: pirated) video content from popular subscription streaming services for a one-time fee.
However, a great many of these TV boxes ship to consumers with residential proxy software pre-installed. What’s more, they have no real security or authentication built-in: If you can communicate directly with the TV box, you can also easily compromise it with malware.
While IPIDEA and other affected proxy providers recently have taken steps to block threats like Kimwolf from going upstream into their endpoints (reportedly with varying degrees of success), the Kimwolf malware remains on millions of infected devices.
[Image: A screenshot of IPIDEA’s proxy service.]
Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corporate networks. However, the security firm Infoblox said a recent review of its customer traffic found nearly 25 percent of them made a query to a Kimwolf-related domain name since October 1, 2025, when the botnet first showed signs of life. Infoblox found the affected customers are based all over the world and in a wide range of industry verticals, from education and healthcare to government and finance.
“To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” Infoblox explained. “Such a device, maybe a phone or a laptop, was essentially co-opted by the threat actor to probe the local network for vulnerable devices. A query means a scan was made, not that new devices were compromised. Lateral movement would fail if there were no vulnerable devices to be found or if the DNS resolution was blocked.”
Synthient, a startup that tracks proxy services and was the first to disclose on January 2 the unique methods Kimwolf uses to spread, found proxy endpoints from IPIDEA were present in alarming numbers at government and academic institutions worldwide. Synthient said it spied at least 33,000 affected Internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within various U.S. and foreign government networks.
[Image: The top 50 domain names sought out by users of IPIDEA’s residential proxy service, according to Synthient.]
In a webinar on January 16, experts at the proxy tracking service Spur profiled Internet addresses associated with IPIDEA and 10 other proxy services that were thought to be vulnerable to Kimwolf’s tricks. Spur found residential proxies in nearly 300 government owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 companies in banking and finance.
“I looked at the 298 [government] owned and operated [networks], and so many of them were DoD [U.S. Department of Defense], which is kind of terrifying that DoD has IPIDEA and these other proxy services located inside of it,” Spur Co-Founder Riley Kilmer said. “I don’t know how these enterprises have these networks set up. It could be that [infected devices] are segregated on the network, that even if you had local access it doesn’t really mean much. However, it’s something to be aware of. If a device goes in, anything that device has access to the proxy would have access to.”
Kilmer said Kimwolf demonstrates how a single residential proxy infection can quickly lead to bigger problems for organizations that are harboring unsecured devices behind their firewalls, noting that proxy services present a potentially simple way for attackers to probe other devices on the local network of a targeted organization.
“If you know you have [proxy] infections that are located in a company, you can choose that [network] to come out of and then locally pivot,” Kilmer said. “If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that.”
This is the third story in our series on the Kimwolf botnet. Next week, we’ll shed light on the myriad China-based individuals and companies connected to the Badbox 2.0 botnet, the collective name given to a vast number of Android TV streaming box models that ship with no discernible security or authentication built-in, and with residential proxy malware pre-installed.
Further reading:
- The Kimwolf Botnet is Stalking Your Local Network
- Who Benefitted from the Aisuru and Kimwolf Botnets?
- A Broken System Fueling Botnets (Synthient)
ABA Banking Journal
Jan 20, 2026
Proposals
The ABA and four other associations have requested an extension of the comment period for the FDIC's proposal on issuing stablecoins through a subsidiary. This request aims to allow more time for stakeholders to provide feedback.
ABA joined four other associations to request that the FDIC push back the deadline for comment on its proposal to create a process through which banks can seek agency approval to issue stablecoins through a subsidiary. The post ABA, associations seek extension of comment period for FDIC’s Genius Act implementation appeared first on ABA Banking Journal.
ABA Banking Journal
Jan 20, 2026
Enforcement
- OFAC has issued recent sanctions-related actions.
- No explicit mentions of Texas or Texas-specific entities.
News items that are the most recent sanctions-related actions from the Office of Foreign Assets Control. The post Recent news from Treasury’s Office of Foreign Assets Control: January 20 appeared first on ABA Banking Journal.
ABA Banking Journal
Jan 16, 2026
Proposals
Three Democratic senators have introduced legislation to lower the cap on credit card late fees to $8; this rule was previously implemented during the Biden administration.
Three Democratic senators have introduced legislation to revive a Biden-era rule that would lower the cap on credit card late fees to $8. The post Democratic senators introduce bill to lower credit card late fee cap appeared first on ABA Banking Journal.
OCC News Releases
Jan 16, 2026
Comptroller Gould emphasized the importance of resolution planning for banks; highlighted the need for clear communication and coordination among stakeholders during crisis scenarios.
Comptroller of the Currency Jonathan V. Gould today discussed bank resolution planning in remarks prepared for delivery at the American Bar Association Banking Law Committee Meeting.
Banking Dive
Jan 16, 2026
Enforcement
Sen. Wyden requested details on 18 $1 million wire transfers linked to Jeffrey Epstein and BNY’s KYC procedures; names of individual bankers were also sought.
Sen. Ron Wyden asked the bank for details related to 18 $1 million wire transfers between accounts linked to late sex offender Jeffrey Epstein, as well as BNY’s KYC procedures and names of individual bankers.
FDIC Press Releases
Jan 15, 2026
Security
The FDIC Board of Directors will hold an open session meeting on January 22, 2026. The meeting will be webcast and media can attend in person by contacting the Office of Communications.
SUNSHINE ACT MEETING NOTICE
The FDIC Board of Directors will meet in an open session:
Date and Time: Thursday, January 22, 2026, at 10:00 a.m. ET
Place: The Board meeting will be open to public observation by webcast. Members of the media should contact the Office of Communications by Tuesday, January 20, at
[email protected] to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC.
OCC News Releases
Jan 15, 2026
Enforcement
- The OCC announced enforcement actions for January 2026.
- No specific details or mentions of Texas credit unions were provided.
The Office of the Comptroller of the Currency (OCC) today released enforcement actions for January 2026.
ABA Banking Journal
Jan 14, 2026
Proposals
HUD proposes to rescind rules allowing the use of disparate impact in determining Fair Housing Act violations; this could affect how credit unions assess and mitigate housing discrimination risks.
The Department of Housing and Urban Development is proposing to rescind three rules allowing the use of disparate impact in determining Fair Housing Act violations. The post HUD proposes to remove disparate impact from Fair Housing Act rule appeared first on ABA Banking Journal.
ABA Banking Journal
Jan 14, 2026
Security
Artificial intelligence (AI)-driven romance scams and machine-to-machine frauds are identified as top 2026 fraud trends. Credit reporting agency Experian highlights these emerging threats.
Romance scams carried out by artificial intelligence and computers scamming other computers are among the top five fraud trends to watch out for in 2026, according to a new report by credit reporting agency Experian. The post AI romance, ‘machine-to-machine’ scams among top 2026 fraud trends appeared first on ABA Banking Journal.
CISA Alerts
Jan 14, 2026
Guidance
The Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom's National Cyber Security Centre (UK NCSC), and the Federal Bureau of Investigation (FBI) have released principles aimed at enhancing cybersecurity in operational technology (OT) environments. These principles are intended to help organizations identify, prioritize, and mitigate cyber risks.
Federal Register - Credit Unions
Jan 14, 2026
Proposals
The NCUA Board proposes to rescind IRPS 11-02 regarding corporate credit union charters, deeming it redundant. This action aims to eliminate potential confusion.
The NCUA Board (Board) is issuing for public comment a proposal to rescind its Interpretive Ruling and Policy Statement (IRPS) 11-02, which addresses chartering corporate credit unions, because it is redundant to the Federal Corporate Credit Union Chartering Manual. This action will eliminate potential confusion.
Federal Register - Credit Unions
Jan 14, 2026
Proposals
The NCUA Board proposes to rescind IRPS 10-1, which amends IRPS 08-2. This change would ease compliance for federal credit unions by reducing the number of sources they need to check for chartering and field of membership requirements.
The NCUA Board (Board) proposes to rescind its Interpretative Ruling and Policy Statement 10-1 (IRPS 10-1), which was issued as an amendment to IRPS 08-2. Rescinding IRPS 10-1 would ease the compliance burden on federal credit unions (FCUs) by limiting the number of sources that FCUs must check to ensure compliance with applicable chartering and field of membership (FOM) requirements.
Federal Register - Credit Unions
Jan 14, 2026
Proposals
• NCUA proposes to rescind IRPS 08-2, reducing the number of sources FCUs need to check for chartering and FOM compliance.
• This action aims to ease compliance burdens on Federal credit unions.
The NCUA Board proposes to rescind its Interpretative Ruling and Policy Statement 08-2 (IRPS 08-2). Rescinding IRPS 08-2 would ease the compliance burden on Federal credit unions (FCUs) by limiting the number of sources that FCUs must check to ensure compliance with applicable chartering and field of membership (FOM) requirements.
Federal Register - Credit Unions
Jan 14, 2026
Proposals
The NCUA Board proposes removing a redundant and outdated regulation regarding nondiscrimination in lending. The current regulation may cause confusion and unnecessary burden because it has not kept up with changes in FHA interpretation and implementation.
The NCUA Board (Board) is publishing this proposed rule to remove a redundant and outdated regulation regarding nondiscrimination in lending. While the regulation was intended to summarize the Fair Housing Act (FHA) prohibitions on discrimination related to real estate related loans, appraisals, and advertising, the Board's last substantive amendment to the regulation was finalized in 2001. Thus, the regulation may not reflect all case law or regulatory developments under the FHA, a statute that primarily falls under the jurisdiction of the Department of Housing and Urban Development (HUD) and continues to apply to federal credit unions (FCUs) regardless of the NCUA's regulations. Thus, the Board believes the current regulation may cause confusion and unnecessary burden because it has not kept up with changes in FHA interpretation and implementation. For these reasons, the Board is proposing to remove this regulation in its entirety.
Krebs on Security
Jan 14, 2026
Security
Microsoft issued patches for at least 113 security holes in Windows and supported software, eight of them rated critical. One of the vulnerabilities (CVE-2026-20805) is actively exploited; flaws of this kind are commonly used to undermine ASLR. Two critical Microsoft Office remote code execution bugs can be triggered through the Preview Pane. Two legacy modem drivers were removed because of an elevation of privilege vulnerability in a very similar driver.
Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.
January’s Microsoft zero-day flaw — CVE-2026-20805 — is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed its active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.
Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.
“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. “Microsoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defenders’ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”
Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported and extended security update supported versions of the Windows OS. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “Important” rating and relatively low CVSS score.
“A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.
Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.
Our October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all versions after it was discovered that hackers were abusing a vulnerability in it to hack into systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.
“That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”
According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying “living off the land[line] by exploiting an entire class of dusty old device drivers?”
“Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,” Barnett said. “In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”
Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.
Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.
“Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,” Barnett said. “Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”
Goettl noted that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).
“Expect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),” Goettl said.
As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything. If you experience any issues related to installing January’s patches, please drop a line in the comments below.
FDIC Press Releases
Jan 13, 2026
Security
Travis Hill was sworn in as the 23rd Chairman of the FDIC; he previously served as Acting Chairman and Vice Chairman. He received his education from Duke University and Georgetown University Law Center.
PRESS RELEASE | JANUARY 13, 2026
Travis Hill Sworn in as the 23rd Chairman of the FDIC
WASHINGTON – Travis Hill was sworn in as the 23rd Chairman of the Federal Deposit Insurance Corporation (FDIC). Chairman Hill has served as Acting Chairman of the FDIC Board since January 20, 2025, and previously as Vice Chairman since January 5, 2023. Chairman Hill was nominated by President Trump on September 30, 2025, for a term of five years and confirmed by the Senate on December 18, 2025.
Prior to joining the FDIC Board, Chairman Hill served in various roles at the FDIC; the United States Senate Committee on Banking, Housing, and Urban Affairs; and Regions Financial Corporation. He received a Bachelor of Science from Duke University, where he studied economics and political science, and a Juris Doctor from Georgetown University Law Center.
MEDIA CONTACT:
[email protected]
Federal Reserve Press
Jan 12, 2026
Guidance
The 2025 Shared National Credit Program report was issued by agencies. It includes updates and guidance for credit unions on shared national credits.
Agencies issue 2025 Shared National Credit Program report