A powerful coalition of financial trade associations has issued a direct challenge to the U.S. Treasury. They demand significant reforms to how regulators handle sensitive financial data. This move follows a series of alarming cybersecurity breaches, highlighting a growing crisis of confidence between banks and their overseers.
Four of America’s most influential financial bodies have co-signed the demand. The American Bankers Association, the Bank Policy Institute, the Managed Funds Association, and SIFMA laid bare their “deep concern” in a letter to Treasury Secretary Scott Bessent. They are calling for federal agencies to meet the same tough security standards they impose on the private sector.
A Pattern of “Major” Security Failures
The groups’ unified front follows major security incidents at the Treasury Department and the Office of the Comptroller of the Currency (OCC). The OCC, a primary banking regulator, suffered a particularly damaging breach. Hackers first compromised the agency’s systems in May 2023, but the OCC only discovered the intrusion in February 2025.
This long-term exposure put vast amounts of sensitive information at risk. The hackers accessed an estimated 148,000 emails. Some contained “highly sensitive information relating to the financial condition of federally regulated financial institutions.” The fallout was swift. Major banks like JPMorgan Chase and Bank of New York Mellon reportedly paused their electronic data sharing with the OCC, a move one expert called a “historic” challenge to the regulator’s authority.
Four Key Demands for Reform
The financial industry’s letter outlines four urgent recommendations to prevent future disasters:
- Match Private-Sector Standards: The groups insist that federal regulators must adopt the same data protection standards they mandate for banks. This includes greater transparency and accountability.
- Stop Centralizing Data: Instead of forcing firms to upload information to agency portals, the coalition argues for a decentralized model. They propose that firms should hold their own data, providing regulators access on-site or through other secure means.
- Enforce Swift Breach Notification: Regulators must notify affected companies of a breach within 72 hours. This standard, which private firms will soon face, stands in stark contrast to the months-long delay in the OCC incident.
- Streamline Data Requests: The associations are calling for an end to duplicative and overly broad data requests. They argue this will allow firms to focus critical resources on security rather than “data gathering.”
A Call to Rebuild Trust
This public rebuke highlights a long-simmering frustration. The groups note that regulators have failed to implement similar recommendations made by a joint working group back in 2022.
The Treasury Department has not yet issued a formal public response. However, with scrutiny from congressional committees intensifying, the pressure for action is undeniable. The financial industry’s message is clear: the guardians of the system must first prove they can guard themselves. Rebuilding that trust is now a critical mission for Washington.
