Federal Reserve Board Ends Novel Activities Supervision Program

What Was the Novel Activities Supervision Program, Really?

The Novel Activities Supervision Program was launched in August 2023 during a period when banks were experimenting with emerging technologies and business models faster than most policies could keep up. The Fed’s goal wasn’t to ban innovation; it was to supervise it in a more coordinated, risk-focused way.

The “Novel” Part: Which Activities Were in Scope?

While “novel” can sound like a complimentlike your bank just wrote a best-selling thrillerhere it meant activities that could introduce new or amplified risks. In practice, NASP zoomed in on a few major buckets:

• Complex, technology-driven partnerships with nonbanks to deliver banking products and services (think Banking-as-a-Service models, embedded finance, and platform-based distribution).
• Crypto-asset-related activities (such as custody, facilitation, or other bank-touching crypto services).
• Distributed ledger technology (DLT) projects that might have broader impact (including tokenization use cases and “dollar token” concepts).
• Concentrated banking services to crypto-related entities and fintechs (for example, deposits, payments, and lending where customer concentration creates liquidity and reputational risks).

How the Program Worked (Without Moving Banks to “Regulatory Island”)

One of the more misunderstood aspects of NASP was that it didn’t create a separate “crypto bank” portfolio. Banks didn’t get shipped off to a new supervisory universe with different physics. Instead, NASP specialists worked alongside existing supervisory teams, using established exam processes while applying deeper subject-matter expertise.

The program’s design also tried to avoid a one-size-fits-all approach. If a bank was lightly piloting a limited fintech partnership, the supervisory intensity wouldn’t look like what a heavily concentrated crypto-services bank might face. In theory, that’s the ideal regulatory combo: consistent standards, variable intensity based on risk.

What Changed When the Fed Ended NASP?

The Fed’s 2025 announcement didn’t say “innovation is over.” It said something much more bureaucratically powerful: “We’ve learned enough to integrate this into normal supervision.”

Specifically, the Fed stated that since it started the program to supervise certain crypto and fintech activities in banks, it strengthened its understanding of these activities, the risks they create, and how banks manage them. As a result, the Fed decided to fold this work back into routine supervision and rescind the 2023 supervisory letter that created NASP (SR 23-7).

In Plain English: Is This Less Oversight?

Not necessarily. It’s more accurate to call it mainstream oversight.

If NASP was the Fed saying, “We need a special lens for these fast-changing risks,” the sunset is the Fed saying, “That lens is now part of our normal glasses.” For banks, this means the topic isn’t going away; it’s being embedded into the everyday playbook.

Why Sunset a Program That Was Only Two Years Old?

Regulators don’t typically create programs just to toss them into the bonfire later. So what’s the logic behind retiring NASP rather quickly?

1) The “Novel” Became Familiar

In emerging risk areas, regulators often start with dedicated teams to build expertise and align approaches across the system. Once enough patterns and supervisory expectations stabilize, specialized structures can be folded back into standard processes without losing effectiveness.

2) Consistency Beats Novelty (Eventually)

A dedicated program can sometimes create the perception that certain activities are “special” in a way that is either overly stigmatizing or overly permissive. Folding oversight back into normal supervision can signal that these activities will be evaluated like other banking activities: permissible or not, safe or not, sound or not, and always subject to governance and controls.

3) Resource Efficiency (The Unsexy, True Answer)

Specialized programs require staffing, coordination, and reporting structures. If the Fed believes its exam teams can now supervise these risks using standard frameworks (with embedded expertise), it can reduce duplication and keep supervisory work streamlined.

What This Means for Banks: The Practical Impact

If you’re a bank executive, compliance officer, or product leader, you’re probably asking the real question: “Okay, cool. What changes on Monday?”

Expect Fewer “Program” Labels, Not Fewer Questions

Banks should anticipate that examiners will continue to ask about the same risks NASP was designed to addressjust without routing them through a program-branded workflow.

That includes:

• Third-party and partnership risk (vendor oversight, subcontractor chains, SLAs, data access, controls testing, and exit plans).
• Operational resilience (business continuity, incident response, cybersecurity, and technology governance).
• Liquidity and concentration risk (especially where customer bases are clustered in volatile sectors).
• Compliance fundamentals (BSA/AML program strength, sanctions screening, fraud controls, consumer compliance, and complaint management).
• Model risk and data governance (for banks using advanced analytics, automated decisioning, or emerging tech stacks).

Concrete Example: A Bank-Fintech Partnership

Imagine a regional bank that partners with a fintech to offer branded deposit accounts through a slick app. Under a “novel activities” mindset, the bank might have received more specialized attention around:

• Who owns the customer relationship (and the risks that come with it).
• How onboarding and identity verification work in practice.
• How the fintech’s marketing and disclosures align with bank compliance expectations.
• How the bank monitors transaction patterns for fraud and AML red flags.
• What happens if the fintech’s cloud provider has an outage (or a very bad day).

With NASP sunset, those questions don’t vanishthey simply show up as part of routine exams, ongoing monitoring, and supervisory conversations.

Concrete Example: Tokenization and “Dollar Token” Experiments

Some banks have explored tokenized deposits, internal ledger pilots, or limited DLT initiatives aimed at improving settlement speed or transparency. These initiatives are “techy,” but supervisors tend to evaluate them through classic banking lenses:

• Are the operational and legal frameworks clear?
• Are controls auditable and enforceable?
• Is the bank relying on third parties for critical functions?
• Does management understand how the system fails under stress?

In other words: you can build the future, but you still have to document it, test it, and govern it like a bank.

What This Means for Fintechs and Crypto Firms

For nonbank partners, NASP’s sunset is not a “free pass.” It’s more like a change in traffic pattern: the Fed is shifting from a special lane to regular lanesstill with speed limits.

Partnerships May Feel Less “Singled Out,” But Due Diligence Won’t Relax

Fintechs working with banks should expect continued scrutiny around:

• Transparency into controls, systems, and incident response.
• Clear allocation of responsibilities (especially for compliance and customer support).
• Data security and consumer protection practices.
• Financial condition and operational maturity (yes, “we’re pre-revenue but vibes are strong” is not a control environment).

Crypto-Adjacent Banking Still Lives in a High-Expectation Neighborhood

Even as some regulatory tones have shifted toward clearer pathways for certain crypto-related activities, banks and their partners remain subject to strong expectations around risk management. If anything, the lesson from the last few years is that supervisors don’t fear innovationthey fear innovation without guardrails.

How This Fits the Broader U.S. Regulatory Shift

The Fed’s decision didn’t happen in a vacuum. The U.S. approach to digital assets and fintech risk has been evolvingsometimes in leaps, sometimes in awkward regulatory moonwalks.

Regulators Moving from “Special Permission” to “Clear Standards”

Around 2025, U.S. banking agencies signaled changes that, broadly speaking, emphasized ongoing supervision and risk management rather than blanket prior-approval approaches for certain activities. That shift aligns with the idea that emerging activities can be managed through mainstream supervisory frameworksif expectations are clear and exams are consistent.

Stablecoin Policy Became More Formal

The GENIUS Act (signed in July 2025) is an example of stablecoin regulation moving from “mostly guidance and debate” to a more explicit federal framework. Implementation activity (including requests for public comment) reflects how quickly the policy environment around payment stablecoins has been professionalizing.

Put together, these developments point to a theme: regulators appear to be trying to turn emerging-tech supervision into normal, repeatable practiceless experimental, more institutional.

Criticism, Politics, and the “De Facto Ban” Debate

NASP wasn’t universally loved. Some lawmakers and industry voices argued that specialized supervisory structures could become a tool for informal restrictionespecially if banks believed participation increased friction, uncertainty, or reputational risk.

On the other side, Fed leadership emphasized that the purpose was to support responsible innovation by building expertise, coordinating supervision, and matching supervisory intensity to risk rather than applying blunt rules.

The sunset can be read in multiple ways, depending on your worldview:

• Optimistic read: The Fed learned quickly, standardized expectations, and no longer needs a dedicated program.
• Skeptical read: The Fed is rebranding the same supervision in a way that reduces headlines and political heat.
• Practical read: The Fed is doing what big institutions dopilot, learn, integrate, repeat.

A Bank-Ready Checklist: How to Prepare in a Post-NASP World

If your bank touches crypto-related services, DLT experiments, or complex fintech partnerships, here are grounded steps that tend to stand up well in examsregardless of what the program is called.

Governance and Strategy

• Document a clear business rationale for the activity (not just “competitors are doing it”).
• Ensure board oversight is real: periodic reporting, defined risk appetite, and escalation triggers.
• Maintain an inventory of all “novel” initiatives, including pilots and proofs-of-concept.

Risk Management and Controls

• Run a risk assessment that maps operational, compliance, legal, liquidity, and reputational risks.
• Define control owners and testing cadences (who tests what, and how often).
• Create clear monitoring dashboards: concentrations, transaction anomalies, uptime, fraud trends, complaint spikes.

Third-Party and Partnership Discipline

• Perform due diligence that goes beyond questionnaires: evidence, testing results, audits, and incident history.
• Contract for the right things: data access, audit rights, reporting, subcontractor transparency, and exit support.
• Maintain a practical termination planbecause “we can just switch providers” is not a plan.

Operational Resilience

• Tabletop major incidents: cyber events, cloud outages, partner failures, fraud surges.
• Validate recoverability: backups, failovers, manual procedures, customer communication plans.
• Align “innovation speed” with change management controls (yes, even when product really wants to ship).

Conclusion: Not GoodbyeJust “Welcome to Regular Supervision”

The Federal Reserve Board ending the Novel Activities Supervision Program is best understood as a transition, not a retreat. The Fed is signaling that it has built sufficient expertise to supervise these activities through its standard processeswithout needing a dedicated program wrapper.

For banks and fintech partners, the message is simple: the label changed, but the expectations didn’t evaporate. If you’re building with crypto, DLT, or complex technology partnerships, plan for rigorous questions, strong documentation, and controls that can survive daylight.

Or, to put it in banker terms: innovation is still welcomejust bring your receipts.

Experiences from the Field: What This Change Feels Like (and How Teams Actually Adapt)

Let’s talk about the human side of a supervisory program sunsetbecause policy changes don’t land on “the industry” as a concept. They land on real teams with real calendars, real inboxes, and real moments where someone says, “Wait… does this mean we can finally launch?”

Experience #1: The compliance team’s emotional roller coaster. When a specialized program goes away, the first reaction is often relieflike the moment you realize the pop quiz was canceled. Then comes the second thought: “Great. Now it’s on every exam team’s checklist, forever.” That’s not cynicism; it’s pattern recognition. Specialized oversight may feel intense, but at least it’s predictable. Mainstreaming oversight can spread expectations across multiple examiners, portfolios, and workstreams, which means the compliance function needs to get even better at creating a single, coherent story about the activity and its controls.

One practical adaptation that shows up repeatedly is the creation of an “innovation risk binder” (digital, ideallynot a literal binder unless your office still has a fax machine as a personality trait). The best versions include: the business rationale, risk assessment, governance minutes, partner diligence artifacts, control testing, incident reports, and monitoring metrics. The goal is not to drown everyone in documentation; it’s to answer the same questions consistentlywhether they come from a fintech exam specialist, a safety-and-soundness examiner, or a tech-focused review.

Experience #2: Product teams learning to speak “supervision.” Product leaders often hear “standard supervisory process” and think “less friction.” Sometimes it is. But mature teams learn the real win is clarity. When oversight becomes routine, product and risk teams can build repeatable launch pathways: defined approvals, control gates, and evidence requirements that don’t change dramatically from one project to the next.

A useful mental model is to treat novel initiatives like any other high-risk product category (think: new lending verticals, new payment rails, or major vendor migrations). You can still move quickly, but you move quickly within a system: pre-launch testing, phased rollouts, contingency planning, and post-launch monitoring. The teams that thrive are the ones who stop treating regulators as an external “release blocker” and instead design compliance into the product lifecyclelike seatbelts in a car, not a helmet you put on after the crash.

Experience #3: The partnership paradoxfintech speed meets bank accountability. In bank-fintech relationships, everyone loves the phrase “we’re aligned,” right up until something goes wrong. Then alignment turns into archaeology: Who promised what? Who monitored what? Who owned customer disclosures? Who was supposed to detect suspicious activity? When NASP-style attention fades into normal supervision, strong banks don’t relax partnership disciplinethey operationalize it. They build standard contract language, standard reporting packs, and standard performance thresholds that apply across partners.

And yes, this is where the humorous truth lives: the most valuable “innovation” in many bank-fintech partnerships isn’t the app featureit’s the spreadsheet that tracks incidents, controls, remediation owners, and deadlines. Not glamorous, but extremely effective at preventing the kind of surprise that turns into a supervisory finding.

Experience #4: Examinations become less about novelty and more about execution. When a program is labeled “novel,” people sometimes assume the examiner’s focus is whether the activity is “new” or “weird.” In mainstream supervision, the focus becomes more classic: governance quality, control effectiveness, management understanding, and whether the activity fits the bank’s risk appetite. Teams that do well tend to be boring in the best way: they have clear policies, consistent monitoring, tested controls, and a calm, credible explanation of how the activity works and how it can fail.

The practical takeaway from all these experiences is encouraging: the sunset of a special program doesn’t mean you should guess what regulators want next. It means you should build a disciplined operating model that can survive program names changing. If you can explain the activity, measure its risks, govern its partners, and prove your controls work, you’re in a strong positionno matter what acronym gets retired next.