After an intense 2023 rulemaking, supervisory, and enforcement cycle for the federal banking agencies, the FDIC issued a final rule on FDIC official signs and advertising requirements right before the new year. The rule comes on the heels of a campaign to police these issues, especially on digital platforms involving non-bank competitors, vendors, and partners to banks, as well as novel financial products.

Introducing new requirements and clarity, the rule is important for all insured depository institutions (“banks”), as well as for non-banks that offer, or purport to offer, FDIC-insured deposit products.

While the final rule takes effect April 1, 2024, full compliance is not required until January 1, 2025.

What Happened?

In late December 2023, the FDIC issued a final rule to update Part 328 of the FDIC’s regulations. The last major change to these regulations was in 2006. Specifically, the rule introduces a new official digital sign requirement for digital channels and amends requirements concerning the display of the FDIC’s official sign at branches and other locations (like bank cafes), disclosures for deposit and non-deposit products across all banking channels (both physical and digital), and misrepresentations of FDIC deposit insurance coverage. The rule also modifies the definition of “non-deposit product” to include crypto-assets and safe deposit boxes and includes specific provisions for ATMs and similar machines. The rule also introduces a requirement that banks establish and maintain policies and procedures to comply with Part 328.

Who’s Affected?

The rule primarily affects all FDIC-insured banks. But non-bank competitors as well as partners and vendors that help banks or otherwise offer, advertise, or publicly discuss FDIC-insured deposit products are also covered by certain aspects of Part 328. To be clear, the advertising requirements and prohibitions apply to any person—bank, non-bank, or individual—that performs any advertising activity implicated by Part 328.

Key Takeaways

1. Physical spaces. The rule amends Part 328 to update sign requirements in a bank’s physical premises, including that banks must continuously, clearly, and conspicuously display the FDIC’s official sign at each place of business where consumers can transact with deposits, including branches.

   The rule requires the placement of the FDIC official sign throughout a bank’s physical premises where deposit activities occur. If non-deposit activities also occur at the same physical location, those activities must be physically segregated from deposit-related activities, and non-deposit signage must be posted to clearly delineate the two activities.

2. Digital channels. The rule amends Part 328 to now include new official digital sign requirements in digital deposit-taking channels, like websites and apps. The official digital sign must clearly, conspicuously, and continuously be displayed on (1) the initial page (home page) of the bank’s website or app, (2) the bank’s landing or login pages, and (3) any pages where the consumer may transact with deposits. The FDIC provides the example of a “bank’s mobile application [that] allows customers to deposit checks remotely, because this electronic space is in effect a digital teller window.”

   Like the requirements for physical spaces, the rule also requires banks to clearly disclose the difference between deposit products and non-deposit products in digital channels. Banks must clearly and conspicuously display static, digital non-deposit signs on its digital deposit-taking channels. If any of the bank’s digital deposit-taking channels offer access to both deposit products and non-deposit products, the bank must clearly and conspicuously display a digital sign for non-deposit products indicating that the non-deposit products are not insured by the FDIC, are not deposits, and may lose value. This sign must be displayed on each bank page relating to non-deposit products and may not be displayed in close proximity to the FDIC digital sign. Unlike the official digital sign for deposit products, the FDIC does not prescribe the specific language/disclosure required for the sign for non-deposit products.

   The rule also requires banks to display a one-time notification to bank customers if the customer accesses third-party non-deposit products from the customer’s digital banking channels. The FDIC provides the example of a bank’s digital channel offering a third party’s securities product that requires the bank customer to leave the bank’s website and access the securities product on the third party’s site.

   This requirement does not apply when consumers access the general parts of a bank’s website or app, such as the home page; it only applies once bank customers have logged into the section of a bank’s website or app to access deposit product accounts. The one-time notification is required only once per session, defined as the period of interaction between a bank customer and the bank’s digital channel, starting when the customer logs in and ending when the customer logs off. The one-time notification must be clearly and conspicuously displayed and indicate that non-deposit products are not insured by the FDIC, are not deposits, and may lose value. The FDIC has included, as an example, a pop-up window to display the notification.

3. New short-form advertising statements. Under the rule, banks have a new, short advertising statement (distinct from the physical and digital sign requirements) that may be used in advertisements: “FDIC-insured.” Banks must generally include the official advertising statement in all advertisements, meaning a commercial message in any medium that is designed to attract public attention or patronage to a product or business, that promote deposit products.
4. Representations or omissions regarding insured status. The rule also amends Subpart B of Part 328 to clarify when specific statements or omissions constitute a misrepresentation under Section 18(a)(4) of the Federal Deposit Insurance Act. The rule provides the following examples:
   • Non-banks need to identify the bank. Statements made by a non-bank that represent or imply that an advertised product is FDIC-insured and fail to clearly and conspicuously identify the bank(s) with which the representing party has a direct or indirect business relationship for the placement of deposits.
   • Non-banks need to disclose that they are not banks. Statements made by non-banks regarding FDIC deposit insurance that fail to clearly and conspicuously disclose that the person is not an FDIC-insured bank, and that FDIC deposit insurance only covers the failure of the FDIC-insured bank.
   • Distinguish between deposit and non-deposit products. Statements by persons regarding FDIC deposit insurance where deposit and non-deposit products are offered on a website in close proximity that fail to clearly and conspicuously differentiate between insured deposit products and non-deposit products by disclosing that non-deposit products are not insured by the FDIC, are not deposits, and may lose value, unless otherwise provided in the rule.
   • Disclose conditions for pass-through insurance coverage. Statements made by a person regarding pass-through FDIC deposit insurance coverage that fail to clearly and conspicuously disclose that certain conditions must be satisfied for pass-through FDIC deposit insurance coverage to apply.
   • Do not knowingly repeat. Statements where the person making the statement has been advised by the FDIC, through a cease-or-desist letter, or by another government or regulatory agency (e.g., CFPB, FTC, DOJ, state regulator) that such representations are false or misleading.
5. Policy and procedure requirements. The rule requires that banks establish and maintain written policies and procedures to comply with Part 328. These policies and procedures must be commensurate with the nature, size, complexity, scope, and potential risk of the deposit-taking activities of the bank and, as appropriate, provisions related to the monitoring and evaluating activities of persons that provide deposit-related services to the bank or offer the bank’s deposit-related products or services to third parties.

What Banks Specifically Should Consider

• Policies, procedures, and controls. Banks should consider carefully reviewing all physical spaces and digital channels to conform to the requirements and prohibitions, as well as reviewing and updating, or establishing, relevant policies, procedures, and controls.
• Supervision scrutiny and enforcement risk. The more formal articulation of specific regulatory clarifications and requirements, including the requirement for dedicated policies and procedures for Part 328, (1) should sufficiently put banks on notice of the FDIC’s expectations in this area and (2) could likely lead to increased enforcement activity for violations. This is a trend we have observed with third-party (vendor) risk management issues that now regularly appear in enforcement actions.
• Vendor management. As for third-party risk management in general, bank policies, procedures, and controls should carefully address instances when vendors are performing any of the advertising activities or making any statements about the bank, FDIC deposit insurance, or deposit products.

What Banks and Non-Banks Generally Should Consider

While the rule primarily concerns banks, there are important considerations for non-banks too:

• Bank-fintech partnerships and non-bank vendors to banks. The rule’s requirements will likely mean that non-banks that advertise or offer products and services on behalf of or with banks will likely face further scrutiny, from both bank partners and regulators, to ensure compliance with Part 328. From bank partners, this may happen contractually, and from the agencies, through bank examinations.

  In more extreme cases, shortcomings may form the basis for enforcement actions. These enforcement actions can target banks, non-bank entities, or both—depending on the authorities used. The FDIC has broad enforcement powers in this context, and other regulators may leverage other legal authorities, including the Bank Service Company Act, and the more general prohibition on unfair, deceptive, and abusive acts or practices, in addition to any counterpart state laws or regulations.

• Crypto, digital assets, and advertisers. The rule now defines crypto-assets as non-deposit products. In 2022 and 2023, the FDIC issued a series of cease-and-desist letters to a number of entities concerning potentially false or misleading claims or representations concerning the FDIC deposit insurance status of crypto products. The rule further clarifies that the FDIC remains focused on this space, and recently, the FDIC issued five additional cease-and-desist letters to entities making claims the FDIC found to be false and misleading about FDIC deposit insurance.
• Advertisers of deposit and non-deposit products. Subpart B of Part 328 is applicable to everyone, not just banks. When advertising either deposit products or services or bank relationships, it is critical to review these requirements and prohibitions to understand the FDIC’s expectations.

In many respects, the FDIC has succeeded in updating its rule for a digital banking ecosystem, including the development of an official digital sign, and allowing short-form advertising statements.

While many of the aspects of Part 328 will apply to the evolving financial services landscape, we anticipate this rule and the FDIC’s expectations in this space will continue to be clarified.