What Is Regulation Y?

Regulation Y, issued by the Federal Reserve, governs corporate bank holding company practices and those of state-member banks. Regulation Y establishes the minimum ratios of several categories of capital to standardize total risk-based assets that bank holding companies must maintain to stay healthy.

Key Takeaways

  • Regulation Y, issued by the Federal Reserve, governs corporate bank holding company practices and those of state-member banks.
  • The regulation defines which types of transactions bank holding companies need Federal Reserve approval.
  • Regulation Y has been subject to relatively frequent rule-making updates by the Fed.

Understanding Regulation Y

Regulation Y was issued by the Board of Governors of the Federal Reserve System under the Bank Holding Company Act of 1956, the International Banking Act of 1978, the Federal Deposit Insurance Act, as amended by the Change in Bank Control Act of 1978, and the Financial Institutions Reform, Recovery and Enforcement Act of 1989 to regulate the acquisition of control of banks by companies and individuals. Activities under Regulation Y include:

  • Establishment of minimum capital reserves, the ratio of reserves to assets, for bank holding companies
  • Bank holding company transactions such as two bank holding companies merging, a bank taking on a nonbanking activity, a person or group taking over a bank holding company or state-member bank, or a troubled bank choosing a new senior officer or director.
  • Define nonbanking activities for bank holding companies, state member banks, and foreign banks operating in the U.S.

After implementing Regulation Y, the Federal Reserve amended the provisions to update, clarify, and streamline the approval process. Changes have reduced the regulatory burden on "well-run" banks. This also served to make the supervisory process more risk-oriented. Since 2000, the Fed has issued new rules under Regulation Y over 30 times.

Reduced Scrutiny of Well-Run Banks

Amendments to Regulation Y narrowed the focus of the application process to analyze the specific proposals put forth by the banks. When banks had previously submitted applications under Regulation Y, they were subjected to a comprehensive analysis of compliance issues unrelated to the transactions or appointments in question.

The Federal Reserve eliminated certain application requirements and procedures for well-managed banks. Restrictions were removed that related to the conduct of certain nonbanking activities. The change streamlines the administrative process but increases the risk that the newly proposed activity may interact with a bank's existing practices and be harmful to consumers or the financial stability of the bank.

Determining a Healthy Bank

A well-managed bank met criteria that included capitalization standards, maintaining a satisfactory rating from regulators, and no recent history requiring supervisory action. A satisfactory rating is contingent upon the bank’s management and composite ratings deemed satisfactory by the Federal Reserve. The streamlined rules under Regulation Y include a 30-day public comment period regarding the transaction for which the bank applied.

Transactions That Don't Need Approval

Some transactions do not require Federal Reserve approval such as the acquisition of securities in a fiduciary capacity by a bank in good faith, granting it control of voting securities of another bank unless stipulations apply. Stipulations include the acquiring bank obtaining sole discretionary authority for more than two years on voting securities. Federal Reserve approval would be necessary if the acquisition benefits the acquiring bank, its employees, subsidiaries, or shareholders.


As of May 2022, Federal bank regulatory agencies implemented a rule to improve sharing of information about cyber incidents that may affect the U.S. banking system. It requires a banking organization to notify its primary federal regulator of any significant computer security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred.

Notification is required where incidents have affected or are likely to affect the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector.

The rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer security incident that has affected or is likely to affect banking organization customers for four or more hours.

Article Sources
Investopedia requires writers to use primary sources to support their work. These include white papers, government data, original reporting, and interviews with industry experts. We also reference original research from other reputable publishers where appropriate. You can learn more about the standards we follow in producing accurate, unbiased content in our editorial policy.
  1. Code of Federal Regulations. "Part 225."

  2. United States Federal Reserve. "Regulations."

  3. Federal Reserve Board. "Frequently Asked Questions About Regulation Y."

  4. Federal Reserve Board. "Agencies Approve Final Rule Requiring Computer-Security Incident Notification."