T H E T A K E
I should be upfront about something before we get into this. I am not a US finance expert, and I make no claims to be. The nearest I came to banking was managing a branch in the Lake District in my early twenties, and the closest thing to a reputational crisis I can recall from that period was the morning we ran out of digestive biscuits during a charity coffee morning. Half the town was in the branch. The fallout was, by the exacting standards of a small Cumbrian market town, significant. People remembered. But in a strange way, that is precisely the point: reputation at that level was something you could feel in the room. It was tangible, traceable, and crucially it had a clear definition. Everyone in that branch knew exactly what had gone wrong and why it mattered.
What happened in Washington on 7 April 2026 is operating at a rather different altitude, but the underlying question it raises turns out to be remarkably similar. The FDIC and the OCC, two of the principal US banking regulators, jointly issued a final rule taking effect on 9 June 2026 that prohibits regulators from using reputation risk as a basis for criticising, penalising, or taking adverse action against a supervised institution. The Federal Reserve followed in February with its own parallel proposal. The rule defines what it is banning, and the definition itself is worth dwelling on: “any risk, regardless of how that risk is labelled, that an action or activity of an institution could negatively impact public perception of the institution for reasons not clearly and directly related to the financial or operational condition of the institution.” Regulators have codified in law that reputational risk is too vague and too subjective to function as an enforcement tool. After decades of listing it in supervisory frameworks as though its meaning were obvious to everyone, they have admitted in writing that they could not define it precisely enough to govern with it.
The political backdrop matters here, and it is worth being honest about it rather than treating this as a dry technocratic development. The rule flows directly from an executive order signed by President Trump, “Guaranteeing Fair Banking for All Americans,” designed to address what conservatives describe as debanking: the allegation that Biden era regulators used reputational risk as a lever to pressure banks into closing accounts for crypto firms, firearms dealers, and fossil fuel companies. Not because those businesses were financially unsound, but because associating with them was deemed uncomfortable in terms of public perception. A December 2025 House Financial Services Committee report concluded, in notably direct terms, that federal regulators had pushed banks to drop clients “solely because they were ideologically opposed to their existence.” The crypto lobby had been pushing hard for exactly this kind of reform, and the Blockchain Association was among those urging the Federal Reserve to follow suit. So this rule has clear political parentage, a clear set of intended beneficiaries, and anyone reading it as neutral housekeeping is missing something important. And yet, once you set aside the partisan framing and sit with the actual substance, a much larger question surfaces, one that goes well beyond US banking and lands, rather uncomfortably, in boardrooms operating in every sector and every geography.
If the institutions whose specific purpose is to regulate reputational risk in financial services could not define it with enough precision to use it as an enforcement mechanism, what exactly are most organisations doing when they list it as a category in their enterprise risk registers? The honest answer, in most cases, is not very much. Reputational risk tends to sit in the register as a named category: duly acknowledged, given a colour on a heat map, positioned alongside cyber risk and regulatory risk, and then left almost entirely uninterrogated. It rarely comes with specific triggers or defined thresholds. It almost never has an owner who is accountable for monitoring it in any meaningful operational sense. Nobody has tested it against a scenario. It exists on the register to demonstrate completeness, not to function as a governance tool. The reasoning US regulators used to justify removing it from their framework: the concept is too vague and too subjective to be defined with sufficient precision; this applies with equal force to the way most boards handle it internally. The difference is that regulators were eventually forced to confront that question. Most boards have not been.
There are two things going wrong at once, and it is worth working through both because they require genuinely different solutions. The first is a definition problem, and it is more serious than it might initially appear. A board that cannot articulate its actual reputational exposures in specific, concrete terms is not governing reputation; it is gesturing at it, which is a different thing entirely. “Anything that damages public perception” is not a risk category. It is an anxiety. The difference matters enormously when you are trying to build governance structures, because an anxiety cannot be monitored, cannot be escalated against a threshold, and cannot be owned by anyone in particular. What specificity looks like in practice varies considerably by sector and geography: for an industrial firm with significant government relationships across the Gulf, reputational exposure is probably concentrated in a small number of sovereign and regulatory relationships where loss of standing would have direct commercial consequences. For a professional services firm, it might centre on the integrity of key client relationships and the retention of the senior people who hold them. For a consumer business, it might be centred on social media perception among a specific demographic. These are genuinely different things requiring different early warning indicators, different escalation paths, and different response protocols, none of which can be designed if the starting point is a definition as broad and shapeless as “things that could make us look bad.”
The second problem is structural and it connects to the question of board agility, which is increasingly where governance discussions are landing in 2026. Boards are built for deliberation: quarterly rhythms, committee governance, collective decision making that takes time and benefits from multiple perspectives and appropriate challenge. These are not weaknesses. For most categories of strategic risk, this architecture is exactly what good governance looks like. But reputation does not wait for the next scheduled committee meeting, and this is where the structure of most governance frameworks quietly fails. Best practice in crisis response now treats the first 72 hours as a structured protocol rather than an improvised response, with escalation thresholds, named decision authority, and response parameters established and tested in advance, not worked out in real time while everyone is simultaneously trying to understand what has happened. The board that discovers a serious reputational problem from a press inquiry has already lost the window that matters most. The board whose protocol requires three committee meetings before the communications team can respond publicly has a protocol that exists on paper and nowhere else. What the organisations getting this right have understood is that there are actually two distinct functions hiding under the single label of reputation governance: the strategic oversight function, which belongs at board level and can operate at the pace boards were designed for, and the operational response function, which needs to be delegated, fast, and bounded by parameters the board has agreed to in advance. Expecting the board level oversight mechanism to also serve as the crisis response mechanism is where governance structures fail without anyone quite noticing, until something actually happens and the inadequacy becomes apparent to everyone at once.
There is a regional dimension worth noting for those of us working in the Gulf, because the direction of travel here is moving in almost the opposite direction to the United States. The UAE Central Bank’s February 2026 guidance on AI and machine learning explicitly holds boards accountable for reputational harm arising from AI systems, including requirements around bias testing, consumer opt-out mechanisms, and human review rights, embedding reputation more deeply into board level accountability frameworks at precisely the moment US regulators are stripping it out of theirs. For organisations operating across both environments, that divergence creates a governance complexity that goes beyond simple compliance and touches on how organisations communicate their values in markets with genuinely different expectations of what responsible governance looks like.
We eventually sourced emergency biscuits from a nearby shop and the situation in the Lake District was resolved by mid morning. The lesson, beyond never underestimating the importance of adequate catering at a charity event, was that reputation at that scale is entirely legible: you can read it in the room, act on it immediately, and trace the consequences directly to specific decisions and specific moments. Most organisations today are dealing with something considerably harder: reputational exposure that is diffuse rather than concentrated, stakeholders who are numerous and sometimes contradictory, and environments that shift faster than governance cycles were designed to accommodate. The answer to that complexity is not a vaguer risk framework. It is a far more specific one. The US regulators have just told us, in formal regulatory language, that they tried to build such a framework and found they could not do it well enough to act on it. Every board should treat that not as reassurance, but as a challenge.
T H E S I G N A L
“Supervisory pressure based on reputation risk is unlawful and has no role in the Federal Reserve’s supervisory framework.”
Federal Reserve Vice Chair for Supervision Michelle Bowman, February 2026, characterising reputation risk as without legal basis in bank supervision.
T H E Q U E S T I O N
When did your board last test whether its reputational risk framework would actually function under pressure, or has it been enough, until now, simply to have it on the register?
S O U R C E S & F U R T H E R R E A D I N G
Your agent needs a database. Ghost gives it as many as it needs. Ephemeral, forkable, unlimited postgres, 1TB storage free. Try it at ghost.build.
