An official website of the United States government
Certain OCC systems are temporarily suspended. For more information click here.
Share This Page:
WASHINGTON — Late Wednesday evening on February 25, 2026, a cybersecurity researcher acting in good faith in accordance with the OCC’s Vulnerability Disclosure Policy reported to the OCC’s cybersecurity team that he had discovered a cybersecurity vulnerability affecting the BankNet Portal and related OCC systems.1 The researcher shared the detailed steps of his activities. The OCC took immediate action and successfully remediated the identified vulnerability on Thursday, February 26, which the researcher has tested and validated.
At this time, the OCC has not identified any unauthorized access by third parties to any confidential bank information. The agency is conducting ongoing forensics of the incident and related OCC systems with the assistance of additional experts from the Department of the Treasury.
Out of an abundance of caution, the agency has temporarily suspended access to the affected OCC systems. The OCC will take additional action, which may include deploying an independent third party to conduct an end-to-end assessment of OCC systems, if warranted, based on the forensic analysis. The OCC will provide updates as appropriate.
The OCC’s Vulnerability Disclosure Policy has been in place since 2021 as mandated by the Department of Homeland Security. The policy encourages and permits ethical researchers to conduct good faith security research on certain OCC systems, including BankNet, to uncover flaws and immediately report them to the OCC for remediation.
1 BankAssessment, BankNet Portal, CAMP (Case Analysis Management Program), Canary, CATS (Central Application Tracking System), CCM (Common Case Management), CRA-QACR (Community Reinvestment Act-Qualifying Activity Confirmation Request), LFT (Large File Transfer), MLR (Money Laundering Risk).
