Client Alert
How Do the Florida Office of Financial Regulation’s Proposed Anti-Debanking Rule Revisions Impact Financial Institutions That Operate in Florida?
Client Alert
October 29, 2025
Introduction
On October 14, 2025, the Florida Office of Financial Regulation (OFR) published a notice of proposed rulemaking (Notice) to amend certain of its existing anti-debanking rules that implement Florida House Bill 989 (HB 989), which became effective July 1, 2024, and amended Section 655.0323 of the Florida Statutes. If adopted into final form, the proposed amendments would amend Florida Administrative Code Rule 69U-100.323 (Annual Attestation of Compliance) and Rule 69U-100.3231 (Complaint Process Rule).
Currently, the Annual Attestation of Compliance requires financial institutions (as defined broadly in Florida Statutes Section 655.005, which includes, among other types of institutions, national banks and Edge corporations operating in Florida) to annually certify, under penalty of perjury, their adherence to the standards set forth in Section 655.0323. As it stands, HB 989 also establishes a complaint framework for alleged practices by customers or members of financial institutions. If adopted, the proposed amended rules would materially broaden the anti-debanking, right-of-access obligations, and complaint framework well beyond the plain wording of HB 989, increasing compliance and governance burdens for financial institutions.
Interested parties have until November 13 to submit any comments to the OFR in respect of the proposed amendments set forth in the Notice.
Key Proposed Changes
- Annual Attestation of Compliance – Proposal That an Executive Officer Sign the Attestation
At present, HB 989 requires institutions to file an annual attestation, but it does not designate who needs to sign the attestation, leaving it to the discretion of an institution to decide each year who should sign such attestation. The OFR’s proposed amendment to the Annual Attestation of Compliance would require that an “executive officer” (as defined in Section 655.005) of a financial institution sign the attestation, thereby elevating accountability for the filing exclusively to a senior management official. The OFR proposal provides:
“(1) Each financial institution, as defined in s. 655.005, Florida Statutes, must attest, by executive officer as defined in s. 655.005(1)(g), and under penalty of perjury, whether the entity is acting in compliance with Section 655.0323(1) and (2)[.]”
(Emphasis added.)
Florida Statutes Section 655.005(1)(g) defines the term “executive officer” as an individual who participates or has authority to participate, other than in the capacity of a director, in the major policymaking functions of a financial institution.[1]
2. Complaint Process – Proposed Expansion of Who May File a Complaint
Expanded Customer Definition and Authorized Parties to Submit a Complaint
At present, HB 989 limits who may file a complaint to “covered persons,” defined as customers and members of a financial institution who allege a violation of the “unsafe and unsound” practices identified in Florida Statutes Section 655.0323(2).
However, the OFR’s proposed rule would significantly expand the definition of “customer.” As amended, a “customer” or “prospective customer” would include “any person or entity for whom a financial institution has made a determination regarding whether to deny, cancel, suspend, terminate, or make available any service, action, or business relationship” (emphases added). This broader definition would significantly enlarge the pool of individuals eligible to file complaints, correspondingly increasing compliance, oversight, and governance obligations for financial institutions.
If the rule is adopted, complaints could be filed from any participant in a business relationship to which the financial institution is a party—not just traditional customers—including vendors and affiliates of a customer. As a result, any person, regardless of customer status, could file an HB 989 complaint for alleged debanking violations in business dealings (e.g., discriminatory vendor selection).
Expanded Triggering Events
Under Section 655.0323(2)(d), Florida Statutes, it is an unsafe and unsound practice for a financial institution to deny, cancel, suspend, or terminate services—or to otherwise discriminate in the availability or terms of such services—based on the use of any rating, scoring, analysis, tabulation, or action that incorporates a social credit score.
The OFR’s proposed amendment broadens the “score” or “social credit score” to include any assessment, appraisal, rating, or consideration, and it expressly expands the definition not to be limited to a numerical valuation only.
In addition, under Section 655.0323, Florida Statutes, actionable conduct is currently limited to allegations involving “unsafe and unsound practices” as defined in subsection (2). However, under the proposed rule, the scope of actionable conduct has been significantly widened. If it is adopted, customers and other eligible parties may file complaints to the OFR not only for violations of subsection (2), but for any breach of Section 655.0323. This expansion signals a shift from a narrow focus on institutional soundness to a broader regulatory oversight of fairness, transparency, and statutory compliance across all subsections of the rule.
Proposed “Facially Sufficient Complaint” Standard
The OFR’s proposed rule introduces a new procedural threshold for initiating investigations: the concept of a “facially sufficient complaint.” Upon receiving a complaint, the OFR will notify the financial institution and begin the formal response process. However, the term itself is not defined within the proposed amendment, leaving its interpretation unclear. Financial institutions may face uncertainty regarding what constitutes a “facially sufficient complaint” under this standard.
Proposal for Citing Suspicious Activity as a Basis to Deny Services
The proposed amendment from the OFR provides that a financial institution asserting a service denial or other adverse action based on suspicious activity, as defined in Section 655.50(3), Florida Statutes, would have to explicitly identify the suspicious-activity basis in its response to the complaint and provide sufficient supporting information to substantiate the claim.
While the Notice stops short of requiring financial institutions to disclose a Suspicious Activity Report , the proposed language exposes financial institutions that deny service on the basis of “suspicious activity reportable to FinCEN” to the risk of violating SAR confidentiality requirements at 31 C.F.R. § 1020.320(e)(1)(i), which prohibit institutions from “disclosing information that would reveal the existence of a SAR.” What’s more, such information would be improperly disclosed to, and evaluated by, Florida regulatory authorities in a non-examination context that may not have supervisory and examination authority over the institution (e.g., such as a national bank or an Edge corporation).
As used in the Notice, the term “suspicious activity” incorporates by reference the Florida definition of the term at Florida Statutes Section 655.50(h), which, in turn, defines “suspicious activity” as “any transaction reportable as required and described under [the FinCEN rule at] 31 C.F.R. s. 1020.320.” Accordingly, when a financial institution is placed in a position to defend itself in response to an HB 989 complaint, and the financial institution’s reason for declining services is because of “suspicious activity reportable to FinCEN,” the Complaint Process Rule will cause that institution to disclose to the OFR that it declined service because of a “transaction reportable as required and described” under FinCEN’s SAR rule—an outcome that necessarily causes the respondent institution to violate 31 C.F.R. § 1020.320(e)(1)(i) because it will have “disclos[ed] information that … reveal[s] the existence of a SAR.”
The proposed rule will require financial institutions operating in Florida that close or deny services for a SAR-based reason to go further and explicitly identify the suspicious-activity basis. This will seemingly conflict with the OCC’s and FinCEN’s SAR confidentiality rules, which explicitly contemplate a scenario in which a bank that is “subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR,” must “decline to produce the SAR or such information” and “[any information that would reveal the existence of a SAR] and 31 U.S.C. 5318(g)(2)(A)(i).” See 12 C.F.R. § 21.11(k)(1); see also 31 C.F.R. 1020.320(e)(1)(i).
Implications for Financial Institutions
Collectively, the proposals would extend beyond existing statutory language and are likely to increase governance, documentation, and response burdens—especially for institutions with broad Florida operations or complex organizational structures. Senior management accountability for attestations, broader definitions of who can complain and what can be alleged, and heightened expectations around suspicious-activity justifications all seem to point to a need for enhanced internal controls, standardized decision-making documentation, and careful coordination among compliance, legal, and risk functions.
Winston & Strawn LLP is focused on advising financial institutions on potential impacts of the proposed expansion of HB 989 and related Florida regulatory developments.
If you have any questions regarding this subject or related subjects, or if you need assistance, please contact Carl Fornaris (Partner and Chair, Financial Innovation and Regulation Practice), Jack Knight (Partner and Chair, Financial Services Litigation Practice), Caitlin Mandel (Partner, White Collar & Government Investigations Practice), Patrick Doerr (Partner, White Collar & Government Investigations Practice), or your Winston & Strawn relationship attorney.
[1] See Fla. Stat. § 655.005(1)(g): “Executive officer” means an individual, whether or not the individual has an official title or receives a salary or other compensation, who participates or has authority to participate, other than in the capacity of a director, in the major policymaking functions of a financial institution. The term does not include an individual who may have an official title and may exercise discretion in the performance of duties and functions, including discretion in the making of loans, but who does not participate in the determination of major policies of the financial institution and whose decisions are limited by policy standards established by other officers, whether or not the policy standards have been adopted by the board of directors. The chair of the board of directors, the president, the chief executive officer, the chief financial officer, the senior loan officer, and every executive vice president of a financial institution, and the senior trust officer of a trust company, are presumed to be executive officers unless such officer is excluded, by resolution of the board of directors or by the bylaws of the financial institution, from participating, other than in the capacity of a director, in major policymaking functions of the financial institution and the individual holding such office so excluded does not actually participate therein.
