Insights
Regulatory commentary, governance frameworks, and practical perspective.
AI Risk Needs a Home and a Yardstick: Building Quantitative Discipline Before the Tools Reach the Core
The Financial Stability Board's June 2026 consultation gives AI risk a home inside the governance framework institutions already run. The firms that pass supervisory scrutiny will be the ones that can name the owner, measure the system, and report the result before anyone asks.
July 1, 20265 min read
Read moreRansomware Stops Being a Technology Problem
The June 2026 NIST ransomware profile revision moves ransomware out of the technical domain and into the governance domain. The institutions handling it well are the ones that can name the owner, evidence the recovery, and govern the vendor exposure.
June 15, 20265 min read
Read moreThe Supervisory Reset Reaches Capital Markets: What Mid-Size Broker-Dealers Must Get Right Before the Next FINRA Cycle
The Securities and Exchange Commission and the Financial Industry Regulatory Authority are asking the same governance questions that banking regulators began asking six months ago. Mid-size broker-dealers that treat compliance as a reporting exercise rather than an operating discipline will find the gap at the worst possible time.
May 27, 20265 min read
Read more2026 Supervisory Reset: What Mid-Sized Banks and Credit Unions Must Act On Before the Next Exam Cycle
Between October 2025 and April 2026, the OCC, FDIC, and NCUA independently moved to a governance-driven supervisory model. The institutions that treat the lighter touch as relief, rather than as a sharper standard, will discover the shift the hard way.
May 15, 20264 min read
Read moreYour AI Strategy Should Not Fit Inside a Chat Window: What Mid-Sized Banks Risk by Settling for the Default
Defaulting to the chat-window AI experience is a strategic choice in disguise. Mid-sized banks that treat AI as a productivity tool rather than an institutional capability are leaving the higher-value work, and the harder governance work, on the table.
April 30, 20269 min read
Read moreWhen an FDIC Exam Becomes a Credibility Test: What Mid-Sized Banks Need to Get Right in 2026
Examiners are reading mid-sized bank submissions for evidence of operating discipline, not just compliance. The institutions that pass the credibility bar are the ones that can show how their controls actually work.
April 23, 20268 min read
Read moreCybersecurity and AI Risk in Mid-Sized Banks: Why Operating Discipline Matters Now
The cybersecurity and AI risk conversations in mid-sized banks are converging. Both depend on the same operating discipline: clear ownership, evidenced controls, and honest documentation of what is actually deployed.
April 16, 20267 min read
Read moreThe First-Line and Second-Line Wording Trap: Why It Becomes an Audit Problem
Well-meaning ownership language can quietly assign work to the wrong line of defense. The gap rarely shows up at implementation. It shows up months later in an exam, when no one can produce evidence of who actually did the work.
December 12, 20254 min read
Read moreNavigating the Web of Interconnected Risks
Operational, technology, third-party, and conduct risks no longer move independently. The institutions managing them well are the ones that connect their governance frameworks rather than running them in parallel silos.
April 2, 20256 min read
Read moreA 15-minute triage call to find the fastest path.
Start a Conversation