Florida’s De-Banking Rules Expansion: How Do the Office of Financial Regulation’s Proposed Rule Changes Impact Financial Institutions?

On September 30, 2025, the Florida Financial Services Commission approved the Florida Office of Financial Regulation’s (OFR) request to publish notices of proposed rulemaking to clarify and implement procedures under Florida House Bill 989 (HB 989). Effective July 1, 2024, HB 989 amended Section 655.0323 of the Florida Statutes to expand the Florida statutory definition of “unsafe and unsound practice.”^[1]The new proposals would amend Rule 69U-100.323 (Annual Attestation of Compliance) and Rule 69U-100.3231 (Complaint Process Rule) of the Florida Administrative Code.

Currently, the Annual Attestation of Compliance requires financial institutions (as defined broadly in Florida Statute Section 655.005, which includes, among other types of institutions, national banks operating in Florida) to annually certify, under penalty of perjury, their adherence to the standards set forth in Section 655.0323. As it stands, HB 989 also establishes a complaint framework for alleged “de-banking” practices by customers or members of financial institutions. If adopted, the proposed amended rules would materially broaden the anti-debanking and right-of-access obligations and complaint framework beyond current statutory parameters, increasing compliance and governance burdens for financial institutions.

Key Proposed Changes

1) Annual Attestation of Compliance – Proposal That an Executive Officer Sign the Attestation

At present, HB 989 requires institutions to file an annual attestation, but does not designate a specific signatory. The OFR’s proposed amendment to the Annual Attestation of Compliance would require that attestation be executed by an “executive officer” (as defined in Section 655.005), thereby elevating accountability for the filing to senior management. The OFR proposal provides:

“(1) Each financial institution, as defined in s. 655.005, Florida Statutes, must attest, by executive officer as defined in s. 655.005(1)(g), and under penalty of perjury, whether the entity is acting in compliance with Section 655.0323(1)”

(Emphasis added).

Fla. Stat. Section 655.005(1)(g) defines the term “executive officer” as an individual who participates or has authority to participate, other than in the capacity of a director, in the major policymaking functions of a financial institution.^[2] 

2) Complaint Process – Proposed Expansion of Who May File a Complaint 

• Expanded Customer Definition and Authorized Parties to Submit a Complaint

At present, HB 989 limits who may file a complaint to “covered persons,” defined as customers and members of a financial institution who allege a violation of the “unsafe and unsound” practices identified in Florida Statutes Section 655.0323(2).

However, the OFR’s proposed rule would significantly expand the definition of “customer.” As amended, a “customer” or “prospective customer” would include “any person or entity for whom a financial institution has made a determination regarding whether to deny, cancel, suspend, terminate, or make available any service, action, or business relationship” (emphases added). This broader definition would significantly enlarge the pool of individuals eligible to file complaints, correspondingly increasing compliance, oversight, and governance obligations for financial institutions.

If adopted, complaints could be filed from any business relationship to which the financial institution is a party—not just traditional customers—including vendors and third-party providers. As a result, any person, regardless of customer status, could file an HB 989 complaint for alleged debanking violations in business dealings (e.g., discriminatory vendor selection).

• Expanded Triggering Events

Under Section 655.0323(2)(d), Florida Statutes, it is considered an unsafe and unsound practice for a financial institution to deny, cancel, suspend, or terminate services—or to otherwise discriminate in the availability or terms of such services—based on the use of any rating, scoring, analysis, tabulation, or action that incorporates a social credit score.

The OFR’s proposed amendment rule broadens the “score” or “social credit score” to include any assessment, appraisal, rating, or consideration, and expressly expands the definition not to be limited to a numerical valuation only.

In addition, under Section 655.0323, Florida Statutes, actionable conduct is currently limited to allegations involving “unsafe and unsound practices” as defined in subsection (2). However, under the proposed rule, the scope of actionable conduct has been significantly widened. If adopted, customers and other eligible parties may file complaints to the OFR not only for violations of subsection (2), but for any breach of Section 655.0323. This expansion signals a shift from a narrow focus on institutional soundness to a broader regulatory oversight of fairness, transparency, and statutory compliance across all subsections of the rule.

• Proposed “Facially Sufficient Complaint” Standard

The OFR’s proposed rule introduces a new procedural threshold for initiating investigations: the concept of a “facially sufficient complaint.” Upon receiving a complaint, the OFR will notify the financial institution and begin the formal response process. However, the term itself is not defined within the proposed amendment, leaving its interpretation unclear. Financial institutions may face uncertainty regarding what constitutes a “facially sufficient complaint” under this standard.

• Proposal for Citing Suspicious Activity as a Basis To Deny Services

The proposed amendment from the OFR provides that financial institutions that assert a service denial or other adverse action based on suspicious activity, as defined in Section 655.50(3), Florida Statutes, would have to explicitly identify the suspicious activity basis in its response to the complaint and provide sufficient supporting information to substantiate the claim.

In light of federal regulatory prohibitions on the disclosure of suspicious activity reports (SARs) and SAR-related information, financial institutions can potentially be affected by the uncertainty over how far they can go in disclosing SAR-related information to comply with the proposed Florida rule. 

In this regard, we have previously advised financial institution clients that operate in Florida that it should be sufficient for an institution to state in a Section 655.0323 complaint response report:

“After an analysis of risk factors unique to the customer, the Bank determined to close the account based on a quantitative, impartial and risk-based standard.  31 U.S.C. 5318(g)(2)(A)(i) and federal banking regulations at [12 C.F.R. 21.11(k)] [12 C.F.R. 208.62(j)] [12 C.F.R. 353.3(g)] prohibit the Bank from providing information related to the account closure.  Accordingly, the OFR should conclude that no violation of Fla. Stat. 655.0323(2) has occurred, and the OFR should cease investigation of the customer complaint.”

Although anyone that looks up 31 U.S.C. § 5318(g)(2)(A)(i) and 12 C.F.R. § 21.11(k), 12 C.F.R. § 208.62(j), or 12 C.F.R. § 353.3(g) will see that the statute is titled, “Reporting of Suspicious Transactions” and the regulations use the words, “Suspicious Activity Reports,” Fla. Stat. 655.0323(5)(e)1 commands the OFR not to disclose to the customer, in the event of cessation of the investigation, what was the basis of the OFR’s determination.

The proposed rule will require financial institutions operating in Florida that close or deny services on a SAR-based reason to go further and explicitly identify the suspicious activity basis.  This will seemingly conflict with the OCC’s and FinCEN’s SAR confidentiality rules, which explicitly contemplate a scenario where a bank that is “subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR” must “decline to produce the SAR or such information” and “[any information that would reveal the existence of a SAR] and 31 U.S.C. 5318(g)(2)(A)(i).”  See 12 C.F.R. § 21.11(k)(1).

Implications for Financial Institutions

Collectively, the proposals would extend beyond existing statutory language and are likely to increase governance, documentation, and response burdens—especially for institutions with broad Florida operations or complex organizational structures. Senior management accountability for attestations, broader definitions of who can complain and what can be alleged, and heightened expectations around suspicious activity justifications all seem to point to a need for enhanced internal controls, standardized decisioning documentation, and careful coordination among compliance, legal, and risk functions.

Winston & Strawn LLP is focused on advising financial institutions on potential impacts of the proposed expansion of HB 989 and related Florida regulatory developments.

If you have any questions regarding this subject or related subjects, or if you need assistance, please contact Carl Fornaris (Partner and Chair, Financial Innovation and Regulation Practice), Fernanda Legaspe (Associate), or your Winston & Strawn relationship attorney.

---

[1] Winston & Strawn LLP previously reported on HB 989 and HB 3 in briefings. They can be accessed here and here. 

[2] See Fla. Stat. § 655.005(1)(g): “Executive officer” means an individual, whether or not the individual has an official title or receives a salary or other compensation, who participates or has authority to participate, other than in the capacity of a director, in the major policymaking functions of a financial institution. The term does not include an individual who may have an official title and may exercise discretion in the performance of duties and functions, including discretion in the making of loans, but who does not participate in the determination of major policies of the financial institution and whose decisions are limited by policy standards established by other officers, whether or not the policy standards have been adopted by the board of directors. The chair of the board of directors, the president, the chief executive officer, the chief financial officer, the senior loan officer, and every executive vice president of a financial institution, and the senior trust officer of a trust company, are presumed to be executive officers unless such officer is excluded, by resolution of the board of directors or by the bylaws of the financial institution, from participating, other than in the capacity of a director, in major policymaking functions of the financial institution and the individual holding such office so excluded does not actually participate therein.