Begin Main Content Area

Trusts Banner.png

Trust Companies

A trust company is a corporation authorized to handle assets for the benefit of others and does not have commercial banking powers.  Trust companies are not insured by the FDIC.


April 16, 2021
2020 Annual Audit Reports Due
Read the Deputy Secretary's Letter on 2020 Annual Audit Report (PDF) for Banks, Bank & Trust, and Savings Banks:  email to

March 26, 2021 
CISA has issued a new alert for detecting post-compromise threat activity using the CHIRP IOC Detection Tool.  The tool to assist network defenders with detecting activity related to the supply chain compromises affecting SolarWinds and Active Directory/Microsoft 365.  Click here to access the alert. 

March 16, 2021 
UPDATE:  Microsoft Exchange Server Vulnerability
CISA has updated Alert AA21-0762A regarding the Microsoft Exchange Server Vulnerability with further guidance. Click here to access the updated alert.

March 12, 2021 
Microsoft Exchange Server Vulnerability
CISA Emergency Directive 21-02:  The Cybersecurity & Infrastructure Security Agency (CISA) has issued Emergency Directive 21-02 regarding Microsoft Exchange On-Premises Product Vulnerabilities.  Additional information may be found here.  All institutions should be assessing their own and vendor exposure to the Microsoft Exchange vulnerability and taking necessary mitigation steps.    

February 12, 2021

The Bankers Electronic Crimes Taskforce (BECTF), State Bank Regulators and the United States Secret Service has developed a Ransomware Self-Assessment Tool.  The tool was developed to help financial institutions assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security. This tool provides executive management and the board of directors with an overview of the institution's preparedness towards identifying, protecting, detecting, responding, and recovering from a ransomware attack.  For more information click here.

December 21, 2020
Alert - SolarWinds Orion Platform Software IT Incident
On December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding an active exploitation of SolarWinds Orion Platform.  All financial institutions should be assessing the risk to their systems and implementing necessary remediation measures. 

Financial Institutions are encouraged to obtain updates and threat and vulnerability information from the Cybersecurity and Infrastructure Security Agency at or through the Financial Services Information Sharing and Analysis Center (FS-ISAC).

The below are links to additional resources financial institutions may refer to as they conduct their risk assessments and determine applicable remediation steps. 

September 28, 2020
2021 Bank Holidays (PDF)

March 20, 2020
FDIC Coronavirus Information for Bankers and Consumers
Federal Reserve Resources for Coronavirus

March 16, 2020
Any document that will be mailed to the Bureau of Credit Union and Trust Supervision must also be sent electronically to the following email address: Any institutions that sent documents via mail within the last 3 days should re-send those documents electronically to the aforementioned email address.  If you have a concern about documents mailed recently, please contact Angie Smith at +1 (717) 783-2253 or email at

All checks should still be sent to the Bureau of Credit Union and Trust Supervision through regular mail with the original filing.  Electronic copies of the original filing and a copy of all applicable checks should be sent electronically to the following email address:  General questions regarding filings should be addressed to Angie Smith at +1 (717) 783-2253 or email at .   

February 9, 2018
Deputy Secretary's Letter (PDF) regarding Internal Audit Programs for Financial Institutions (PDF)

November 13, 2017
Secretary's Letter on Cybersecurity (PDF)
The Department continues to work collaboratively with federal regulators, other states financial regulators, and other Commonwealth agencies to address cybersecurity challenges.

Federal Government Principles on Responding to Cyber Incidents
A Presidential Policy Directive (PPD-41) released on July 26, 2016, sets forth principles governing the federal government's response to any cyber incident, whether involving government or private sector entities. For significant cyber incidents, PPD-41 also establishes lead federal agencies and an architecture for coordinating the broader federal government response.

Cybersecurity Update
The Federal Financial Institutions Examination Council (FFIEC) members have issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook)

The department has issued a Deputy Secretary's letter regarding Accumulated Other Comprehensive Income (AOCI) op-out election on your institution's March 31, 2015, Call Report. An institution that is not an advanced approaches institution must choose to either opt out or not opt out of the requirement to include most components of AOCI in common equity tier 1 capital. The election is irrevocable. Please review the Deputy Secretary's letter (PDF) for important information.

Read the Secretary's Letter on bank assessment fees (PDF). Visit the department's Estimated Assessment Calculator.

July 20, 2014
Read the Secretary's Letter on trust company assessment fees (PDF).
Visit the department's 
Estimated Assessment Calculator.