Curated coverage· general

Regulators answered half of banks' data-security asks

New federal guidelines promise 72-hour notice if regulators lose bank data, but the rule lacks the enforcement power faced by private lenders.

Curated by Financing Your Way from original reporting by American Banker — Top News. Summary is AI-assisted and editorially reviewed — see our editorial standards.

FYWBy Financing Your Way EditorialJuly 17, 2026

Financial regulators are finally addressing the 'double standard' regarding data breach notifications, but the playing field still isn't level for lenders. Under existing rules, your lending partners must report major security breaches to regulators within 36 hours. In a new memorandum, regulators have agreed to notify banks within 72 hours if the government itself suffers a breach that could impact bank data. However, there is a catch: this new government commitment is a non-binding memo, not a codified law. For retailers and merchants, this matters because your customer data flows through these financial pipelines. If your primary lender suffers a breach, they are under a strict 36-hour clock to report it, which triggers their incident response protocols. If the regulator is the one who loses the data, the notification timeline is twice as long and lacks legal teeth. This discrepancy highlights a persistent risk in the financial ecosystem that operators should account for in their vendor due diligence. You should ensure your financing partners have robust contingency plans for data interruptions, regardless of who is at fault for the leak.

Source: American Banker — Top News

Who else is covering this

Related coverage from across the industry

← Return to the library· Submit a correction