Business Continuity for Financial Services: Meeting OCC, FDIC, and Fed Resilience Expectations

March 25, 2026 Rebecca Leung

TL;DR:

  • U.S. banking regulators now expect operational resilience — not just a BCP document in a drawer — meaning your institution must prove it can deliver critical services under stress.
  • The OCC’s revised Recovery Planning Guidelines (effective January 1, 2025) expanded requirements to banks with $100 billion+ in assets and added operational risk and mandatory testing standards.
  • The July 2024 CrowdStrike outage disrupted systems at Chase, Bank of America, Wells Fargo, Capital One, and TD Bank — proving that third-party concentration risk isn’t theoretical.

Financial Services Business Continuity Has Moved Beyond the Binder on the Shelf

If you’re building a business continuity program at a bank, credit union, or fintech, you already know that a generic BCP template won’t cut it. Federal regulators — the OCC, FDIC, and Federal Reserve — have spent the last five years making it clear that business continuity isn’t a document. It’s a capability.

The shift started in 2019 when the FFIEC revised its Business Continuity Management (BCM) booklet, deliberately renaming it from “Business Continuity Planning” to “Business Continuity Management.” That wasn’t cosmetic. The revised booklet expanded its scope from IT disaster recovery to enterprise-wide resilience — covering governance, risk assessment, third-party dependency management, and integrated testing. Examiners now evaluate whether your institution can actually continue operating during disruption, not just whether you have plans filed away.

Then in November 2020, the three federal banking agencies jointly issued SR 20-24: Sound Practices to Strengthen Operational Resilience. Directed at the largest and most complex domestic firms (generally $250 billion+ in total consolidated assets, or $100 billion+ with significant cross-jurisdictional activity), this interagency paper laid out expectations for managing operational risks from cyber incidents, technology failures, pandemics, natural disasters, and — critically — third-party service providers.

The message from all three agencies was the same: your BCP program must prove resilience, not just document intentions.

What Each Regulator Actually Expects

Understanding the regulatory landscape means knowing which agency cares about what — and where they overlap.

OCC: The Most Aggressive on Resilience

The OCC has been the most forward-leaning U.S. regulator on operational resilience. Here’s what’s happened recently:

Recovery Planning Guidelines (Effective January 1, 2025). The OCC’s revised Recovery Planning Guidelines expanded their applicability to insured national banks, federal savings associations, and federal branches with $100 billion or more in average total consolidated assets (down from the previous $250 billion threshold). The revised guidelines also:

  • Explicitly incorporate non-financial risk (operational and strategic) into recovery planning for the first time
  • Require mandatory testing of recovery plans, with staggered compliance dates (testing provisions received a 6-month extension from the OCC after industry comment)
  • Require identification of critical operations and core business lines alongside financial triggers

Acting Comptroller Michael Hsu’s 2024 Directive. Speaking at the Institute of International Bankers, Acting Comptroller Hsu announced the OCC is “exploring baseline operational resilience requirements for large banks with critical operations, including third-party service providers.” He specifically called out five baseline areas: planning, prudent investment, well-designed systems, regular testing, and clear governance.

Heightened Standards Threshold Amendment (Proposed December 2025). The OCC proposed amending its Heightened Standards Guidelines to adjust the average total consolidated assets threshold, signaling a broader push to bring more institutions under stricter operational risk requirements.

OCC FY2025 Supervision Operating Plan. The OCC’s 2025 Bank Supervision Operating Plan lists cybersecurity and operational resilience as top-ranked operational risk priorities. Examiners are specifically instructed to focus on preventative controls, incident response, data recovery/backup, and operational resilience capabilities. Third-party risk management and IT lifecycle management are also called out.

Federal Reserve: Sound Practices and Third-Party Oversight

The Fed’s primary touchpoint is SR 20-24, the interagency operational resilience paper. But the Fed also reinforces resilience expectations through its third-party risk guidance.

In July 2024, SR 24-5: Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services directly referenced SR 20-24’s operational resilience standards in the context of third-party deposit arrangements — making it clear that outsourcing doesn’t outsource the risk.

Fed Vice Chair for Supervision Michael Barr has stated publicly that “reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk. It is ultimately the responsibility of banks to manage their third-party risk.”

FDIC: Enforcement-Driven Expectations

The FDIC reinforces business continuity expectations primarily through examination findings and enforcement actions. The FDIC’s examination procedures align with the FFIEC BCM booklet, and examiners evaluate whether institutions have:

  • Completed a current business impact analysis (BIA)
  • Identified critical business functions and recovery priorities
  • Documented and tested recovery strategies
  • Addressed third-party dependency risks
  • Maintained board-level oversight of the BCM program

The FDIC also jointly issued the Interagency Guidance on Third-Party Relationships in June 2023, which explicitly requires banking organizations to assess whether third parties maintain “appropriate operational resilience and cybersecurity practices, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data.”

Where Banks Actually Get Cited: Common Examination Findings

Regulators don’t issue MRAs because your BCP document is missing a table of contents. They cite you for capability gaps. Here are the findings that show up again and again:

| Finding Category | What Examiners Flag | How to Fix It |
|---|---|---|
| Untested Plans | BCP exists but hasn’t been tested in 12+ months; no evidence of tabletop exercises or simulations | Annual testing minimum; quarterly tabletops for critical functions |
| Missing or Stale BIA | No current BIA, or BIA doesn’t reflect actual business operations and dependencies | Update BIA annually and after significant changes (M&A, new products, new vendors) |
| Third-Party Blind Spots | No documented assessment of critical vendor BCPs; no contractual RTO/RPO commitments | Include BCP requirements in vendor contracts; request and review vendor testing results |
| No Board Oversight | Board receives no regular reporting on BCM program status, testing results, or gaps | Quarterly board reporting on BCM status, annual BIA/testing summary |
| Incomplete Recovery Strategies | Plans cover IT systems but not business operations, staffing, or manual workarounds | Enterprise-wide recovery strategies covering technology, operations, people, and facilities |
| Concentration Risk Ignored | Multiple critical functions depend on the same vendor or infrastructure with no alternatives | Map single points of failure; develop concentration risk mitigation strategies |

The Citibank Case: What Happens When Resilience Fails

The most instructive enforcement example in recent years is Citibank.

In October 2020, the OCC assessed a $400 million civil money penalty against Citibank and issued a cease-and-desist order requiring “broad and comprehensive corrective actions to improve risk management, data governance, and internal controls.” The consent order identified deficiencies in data quality and data governance, noncompliance with 12 C.F.R. Part 30 Appendix D (the OCC’s Heightened Standards), and unsafe or unsound practices — including inadequate board and senior management oversight.

Then in July 2024, the OCC assessed an additional $75 million civil money penalty against Citibank for violating the 2020 consent order and lacking processes to monitor the impact of data quality concerns on regulatory reporting.

Meanwhile, Reuters reported in February 2024 that the Fed issued its own rebuke of Citibank for setbacks on the 2020 consent orders, citing continued deficiencies in risk management, data governance, and internal controls.

The lesson: Citibank’s failures weren’t about missing documents. They were about missing capabilities — the ability to aggregate data accurately, govern risk effectively, and maintain the internal controls that operational resilience requires. Four years after the original consent order, the bank was still getting penalized for the same gaps. Total cost so far: $475 million in OCC penalties alone, plus the Fed’s actions.

The CrowdStrike Wake-Up Call: Third-Party Concentration Risk Is Real

On July 19, 2024, a faulty update from cybersecurity vendor CrowdStrike caused a global IT outage that affected 8.5 million Windows devices. The financial services impact was immediate:

  • Chase, Bank of America, Wells Fargo, U.S. Bank, Capital One, and Charles Schwab all experienced system problems in the U.S.
  • TD Bank had digital systems disrupted
  • Fifth Third Bank had login issues preventing normal operations
  • Payment processors reported delays; customers couldn’t complete transactions at some institutions

The European Banking Authority noted that while most affected financial entities restored systems within the same day, the incident “highlights the importance of operational resilience” and “pointed to the potentially systemic nature of cyber incidents, which can rapidly spread globally across the financial infrastructure.”

This wasn’t a cyberattack. It was a software update gone wrong at a single vendor — and it cascaded across the global banking system in hours. That’s exactly the third-party concentration risk that the OCC, Fed, and FDIC have been warning about.

What regulators now expect you to demonstrate:

  1. You know which vendors are single points of failure for critical operations
  2. You’ve tested what happens when those vendors go down — not just theoretically, but in a tabletop or simulation
  3. You have manual workarounds documented for critical processes that depend on third-party technology
  4. Your vendor contracts include RTO commitments, notification timeframes, and testing evidence requirements
  5. You’ve assessed whether multiple critical functions share the same underlying infrastructure (cloud provider, security vendor, payment processor)

Building a Financial Services BCP That Satisfies All Three Agencies

Here’s a 120-day implementation roadmap for building or upgrading your institution’s business continuity program to meet current OCC, FDIC, and Fed expectations.

Days 1–30: Foundation and Governance

Deliverables:

  • BCM policy approved by the board — defines scope (enterprise-wide, not just IT), roles, reporting cadence, and regulatory alignment
  • BCM governance structure — designate a BCM program owner (typically reports to CRO or COO); establish a cross-functional steering committee with representation from IT, operations, compliance, risk, and business lines
  • Regulatory requirements mapping — document which requirements apply to your institution based on asset size, charter type, and business model

Responsible parties: CRO or designated BCM program owner, with board approval

Key dependency: Board must approve the BCM policy before the BIA can proceed with proper authority and resource commitment.

Days 31–60: Business Impact Analysis and Risk Assessment

Deliverables:

  • Completed BIA for all business lines — identify critical business functions, quantify financial/operational/reputational/regulatory impact of disruption at 1-hour, 4-hour, 24-hour, 72-hour, and 7-day intervals
  • RTO/RPO targets for each critical function — classified into tiers:

    | Tier | Recovery Time | Examples | Typical RTO |
    |---|---|---|---|
    | Tier 1 — Essential | Immediate priority | Wire transfers, ACH processing, core banking system, customer-facing digital channels | 0–4 hours |
    | Tier 2 — Important | Same-day recovery | Lending operations, treasury management, regulatory reporting, internal communications | 4–24 hours |
    | Tier 3 — Deferred | Extended recovery acceptable | Training systems, marketing platforms, non-critical internal tools | 24–72 hours |

  • Third-party dependency map — every critical function linked to its vendor dependencies, including sub-contractors and fourth parties where known
  • Concentration risk assessment — flag any vendor, platform, or data center that supports multiple Tier 1 or Tier 2 functions

Responsible parties: Business line leaders (own their BIA inputs), BCM program owner (consolidates), IT (validates technical recovery capabilities)

Days 61–90: Recovery Strategies and Plan Documentation

Deliverables:

  • Business Continuity Plan (BCP) — enterprise-wide plan covering:
    • Recovery procedures for each critical function by tier
    • Communication protocols (internal escalation, customer notification, regulatory notification, media)
    • Alternate site/remote work activation procedures
    • Manual workaround procedures for technology-dependent processes
    • Succession plans for key personnel
  • Disaster Recovery Plan (DRP) — IT-focused companion covering system recovery procedures, backup verification, and failover activation
  • Vendor resilience requirements — updated contract language requiring RTO commitments, annual BCP testing evidence, and disruption notification within defined timeframes (typically 1–4 hours for critical vendors)
  • Crisis communication templates — pre-drafted notifications for customers, regulators, employees, and board members

Responsible parties: BCM program owner (plan documentation), IT (DRP), Legal (contract updates), Communications (templates)

Days 91–120: Testing, Validation, and Board Reporting

Deliverables:

  • Tabletop exercise — minimum one exercise covering a realistic disruption scenario (ransomware attack, critical vendor outage, or data center failure); include executive leadership and key business line owners
  • Technical recovery test — validate that IT systems can actually recover within documented RTOs; verify backup integrity
  • Third-party testing coordination — participate in or review results from critical vendor BCP tests
  • Board report — summary of BIA results, identified gaps, recovery capability assessment, testing outcomes, and remediation plan with timelines
  • Remediation tracker — log all gaps identified during testing with assigned owners and target completion dates
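The third-party dependency map and concentration risk assessment from the Days 31–60 deliverables, and the RTO validation from the Days 91–120 technical recovery test, can be expressed as a small, repeatable check rather than a spreadsheet exercise. The script below is an added example written for this article, not code from the author or from any vendor kit: it inverts a constructed BIA into a vendor-to-function map, flags vendors that support two or more Tier 1/Tier 2 functions, lists function/vendor pairs with no documented alternative, and compares measured recovery times against the tier RTO ceilings from the tier table (4, 24 and 72 hours). Every function name, vendor name and timing value is a constructed, hypothetical sample.

```python
"""Concentration-risk and RTO-validation check over a BIA.

Added example, not part of the original article. All functions, vendors
and recovery timings below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# RTO ceiling in hours per tier, taken from the article's tier table.
TIER_RTO_HOURS = {1: 4, 2: 24, 3: 72}


@dataclass
class CriticalFunction:
    name: str
    tier: int
    vendors: list                                       # vendors the function depends on
    alternatives: dict = field(default_factory=dict)    # vendor -> documented alternative


# Constructed BIA output for a hypothetical institution.
FUNCTIONS = [
    CriticalFunction("Wire transfers", 1, ["CoreBankCo", "CloudHost A"]),
    CriticalFunction("ACH processing", 1, ["CoreBankCo", "CloudHost A"]),
    CriticalFunction("Digital banking channels", 1, ["CloudHost A", "EDR Vendor X"]),
    CriticalFunction("Lending operations", 2, ["LoanPlatform Inc", "CloudHost A"],
                     {"CloudHost A": "CloudHost B"}),
    CriticalFunction("Regulatory reporting", 2, ["DataWarehouseCo"]),
    CriticalFunction("Training systems", 3, ["LMS Vendor"]),
]

# Constructed technical-recovery-test results: hours until the function was restored.
MEASURED_RECOVERY_HOURS = {
    "Wire transfers": 3.5,
    "ACH processing": 6.0,
    "Digital banking channels": 2.0,
    "Lending operations": 20.0,
    "Regulatory reporting": 30.0,
    "Training systems": 40.0,
}


def vendor_dependency_map(functions):
    """Invert the BIA: vendor -> list of (function name, tier) it supports."""
    mapping = defaultdict(list)
    for f in functions:
        for vendor in f.vendors:
            mapping[vendor].append((f.name, f.tier))
    return dict(mapping)


def concentration_risks(functions, max_tier=2):
    """Vendors that support two or more functions at or above max_tier criticality."""
    risks = {}
    for vendor, supported in vendor_dependency_map(functions).items():
        critical = sorted(name for name, tier in supported if tier <= max_tier)
        if len(critical) >= 2:
            risks[vendor] = critical
    return risks


def single_points_of_failure(functions, max_tier=2):
    """(function, vendor) pairs where a critical function has no alternative for that vendor."""
    spofs = []
    for f in functions:
        if f.tier > max_tier:
            continue
        for vendor in f.vendors:
            if vendor not in f.alternatives:
                spofs.append((f.name, vendor))
    return spofs


def rto_breaches(functions, measured_hours):
    """Functions whose measured recovery time exceeded the RTO ceiling for their tier."""
    tier_of = {f.name: f.tier for f in functions}
    breaches = {}
    for name, hours in measured_hours.items():
        limit = TIER_RTO_HOURS[tier_of[name]]
        if hours > limit:
            breaches[name] = (hours, limit)
    return breaches


if __name__ == "__main__":
    for vendor, fns in concentration_risks(FUNCTIONS).items():
        print(f"CONCENTRATION: {vendor} supports {len(fns)} Tier 1/2 functions: {', '.join(fns)}")
    for fn, vendor in single_points_of_failure(FUNCTIONS):
        print(f"SPOF: {fn} has no documented alternative to {vendor}")
    for fn, (hours, limit) in rto_breaches(FUNCTIONS, MEASURED_RECOVERY_HOURS).items():
        print(f"RTO BREACH: {fn} recovered in {hours}h against a {limit}h target")
```

Each flagged item maps directly to a remediation-tracker entry with an owner and a target date: a concentration finding becomes a mitigation strategy, a single point of failure becomes a manual workaround or alternate-vendor task, and an RTO breach becomes a technical recovery gap. Re-running the check after the annual BIA refresh or after a new vendor is onboarded keeps the dependency map current rather than a one-time artefact.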

Responsible parties: BCM program owner (exercises), IT (technical testing), CRO (board reporting)

Ongoing (Quarterly/Annual)

| Activity | Frequency | Owner |
|---|---|---|
| Board BCM status report | Quarterly | CRO / BCM program owner |
| BIA refresh | Annually + after major changes | Business line leaders |
| Tabletop exercise | Annually minimum (quarterly for Tier 1) | BCM program owner |
| Technical recovery test | Annually | IT / DRP owner |
| Vendor BCP review | Annually per vendor | Third-party risk management |
| Plan updates | After every test, incident, or organizational change | BCM program owner |
| Regulatory self-assessment | Annually | Compliance / Internal Audit |

The Operational Resilience Shift: What’s Coming Next

Business continuity in financial services is evolving from “can you recover?” to “can you keep delivering critical services under stress?” That’s the operational resilience shift, and it’s happening faster in the U.S. than most institutions realize.

Acting Comptroller Hsu’s 2024 comments signaled that the OCC is moving toward formal operational resilience requirements — not just guidance — for large banks. The UK already implemented its operational resilience framework with a March 2025 full-compliance deadline. The EU’s Digital Operational Resilience Act (DORA) took effect in January 2025. U.S. regulation typically follows within 2–3 years.

What this means for your institution today:

  • Map your important business services — not just critical systems, but the end-to-end services your customers depend on
  • Set impact tolerances — define the maximum acceptable disruption for each important business service (this goes beyond RTO/RPO to include degraded service levels)
  • Test against those tolerances — prove you can stay within them during severe but plausible scenarios
  • Include third parties — your operational resilience is only as strong as your most critical vendor’s ability to deliver

So What? Why This Matters for Your Institution

Three things to take away:

  1. The bar has risen. The OCC’s 2025 recovery planning guidelines, the interagency third-party guidance, and the CrowdStrike incident all point in the same direction — regulators expect demonstrated resilience capability, not just documented plans.

  2. Examiners are looking at capability, not paperwork. Can your institution actually recover within its stated RTOs? Have you tested it? Can you prove it? If the answer to any of those is “no,” that’s an MRA waiting to happen.

  3. Third-party risk is the biggest gap. Most institutions have a BCP for their own operations. Far fewer have assessed whether their critical vendors can meet the same recovery standards. The 2023 Interagency Guidance on Third-Party Relationships makes this expectation explicit.

If you’re building or upgrading your institution’s BCM program, the Business Continuity & Disaster Recovery Kit includes BIA templates, BCP/DRP frameworks, tabletop exercise guides, and crisis communication templates — all designed against FFIEC and OCC requirements for financial services.

FAQ

What’s the difference between business continuity and operational resilience for banks?

Business continuity focuses on recovering from disruptions — getting systems back online and resuming operations. Operational resilience is broader: it asks whether your institution can continue delivering critical services during a disruption, even in a degraded mode. The FFIEC’s 2019 shift from “Business Continuity Planning” to “Business Continuity Management” reflects this evolution. Operational resilience includes BCP but also encompasses third-party dependency management, impact tolerances, and the ability to absorb shocks without complete service interruption.

Do community banks need the same level of business continuity as large banks?

The OCC’s heightened standards and recovery planning guidelines apply to banks with $100 billion+ in total consolidated assets, and the interagency Sound Practices paper targets the largest firms ($250 billion+). However, the FFIEC BCM booklet applies to all FFIEC-supervised institutions regardless of size. Community banks aren’t expected to have the same program complexity as a JPMorgan, but examiners still expect a current BIA, documented recovery strategies, annual testing, and third-party dependency management proportionate to the institution’s size, complexity, and risk profile.

How often should a bank test its business continuity plan?

The FFIEC BCM booklet expects at least annual testing, but the specific frequency depends on your institution’s risk profile. Best practice for financial services: annual full-scale or simulation exercises, quarterly tabletop exercises for critical business functions, and technical recovery tests at least annually. The OCC’s revised Recovery Planning Guidelines now include explicit testing requirements for banks with $100 billion+ in assets. Any significant organizational change (M&A, new core system, new critical vendor) should trigger an ad-hoc test cycle.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
