Business Continuity for Banks and Credit Unions: OCC and NCUA Examination Guide
An OCC examination team is reviewing your institution’s BCM program. They’re not just checking whether a binder labeled “Business Continuity Plan” exists on a shelf. They’re asking: When did you last update your business impact analysis? What specific systems were tested in your last recovery exercise — and did you actually fail them over, or just discuss it? Does your plan name a vendor that you decommissioned two years ago? What did the board receive at their last quarterly briefing?
That’s the examination reality for banks and credit unions today. The FFIEC Business Continuity Management framework, adopted by every federal banking regulator, has moved significantly away from plan documentation toward program performance. Examiners are trained to distinguish between institutions that maintain operational resilience and those that maintain the appearance of it.
TL;DR
- OCC, FDIC, Federal Reserve, and NCUA all use the 2019 FFIEC Business Continuity Management booklet as their primary examination framework — it’s the same standard whether you’re a national bank or a credit union
- Common exam findings: stale BIAs, tabletop-only testing, vendor BCPs never reviewed, no board-level reporting on BCM status
- FFIEC testing requirements progress from orientation walkthroughs → limited-scale testing → full-scale failover — regulators expect to see the progression documented
- The OCC rescinded its formal Appendix E recovery planning rule effective May 1, 2026, but BCM supervisory expectations remain fully in place
- Third-party concentration risk is now a central examination focus following the July 2024 CrowdStrike incident
The Regulatory Foundation: FFIEC BCM
The Federal Financial Institutions Examination Council (FFIEC) is the interagency body that sets uniform examination principles for federal banking regulators. Its members include the OCC (which supervises national banks and federal savings associations), the Federal Reserve (state member banks and bank holding companies), the FDIC (state non-member banks), the NCUA (federally chartered and federally insured credit unions), and the Consumer Financial Protection Bureau.
In November 2019, the FFIEC replaced its previous Business Continuity Planning booklet with an updated Business Continuity Management booklet. The name change wasn’t cosmetic. The shift from “planning” to “management” signaled a fundamental change in what examiners are assessing: not whether you have a document, but whether your institution has a functioning program.
The 2019 BCM booklet defines six core program components:
- BCM governance and policy — Board and senior management oversight, defined roles and responsibilities, integration with enterprise risk management
- Business impact analysis — Identifying critical functions, dependencies, and quantifying the cost of disruption
- Resilience and recovery strategies — Prevention, mitigation, and response capabilities
- Testing and exercises — Annual at minimum, progressing from walkthroughs to full-scale operational tests
- Third-party continuity management — Vendor BCP review, contractual requirements, concentration risk
- Training and awareness — Staff readiness across the organization
Every federal banking regulator adopted this framework. Whether your institution is examined by the OCC, Federal Reserve, FDIC, or NCUA, examiners are working from the same foundational playbook.
What OCC Examiners Look For
The OCC supervises approximately 1,200 national banks and federal savings associations. It adopted the FFIEC BCM booklet through OCC Bulletin 2019-57 and has integrated BCM assessment into its standard examination procedures.
OCC examiners assess BCM across the FFIEC’s six components, but several areas draw particularly close scrutiny:
Business impact analysis currency. The BIA must reflect the institution’s current operations. Post-merger integrations, cloud migrations, new critical vendors, and material operational changes should trigger BIA updates. Examiners frequently find BIAs that are technically “current” by age but haven’t been substantively revised after significant operational changes. If your institution migrated core systems to a cloud provider 18 months ago and your BIA still references on-premises infrastructure, that’s a finding.
Testing substance. The FFIEC framework defines a testing progression:
| Testing Type | Description | What Examiners Expect |
|---|---|---|
| Orientation/Walk-Through | Discussion of roles and responsibilities | Baseline for new staff; insufficient alone |
| Limited-Scale Testing | Testing specific business processes and systems | Requires actual system participation |
| Full-Scale Testing | End-to-end testing using backup media and recovery sites | Required for critical functions |
Institutions that have conducted only tabletop discussions for critical services routinely receive exam findings. Examiners expect documented evidence that critical systems have been failed over to backup environments, that recovery time objectives were measured against actuals, and that gaps identified in testing have remediation timelines.
Third-party vendor continuity. Since the June 2023 interagency third-party guidance issued jointly by the OCC, Federal Reserve, and FDIC, examiners have significantly intensified their review of vendor BCM documentation. Institutions are expected to: (1) contractually require vendors providing critical services to maintain BCM programs; (2) obtain and review vendor BCP/DR documentation annually; and (3) understand vendor recovery time capabilities against institutional RTOs. The July 2024 CrowdStrike outage — which affected approximately 8.5 million Windows systems globally and caused an estimated $5.4 billion in Fortune 500 losses — demonstrated exactly the third-party concentration risk regulators had been warning about.
Board reporting. BCM must reach the board, not just operational management. Examiners review board minutes and reports for evidence of BCM status reporting, including testing results, identified gaps, remediation status, and material changes to the risk profile. Institutions where BCM lives entirely within IT or operations without board visibility receive governance findings.
What NCUA Examiners Look For
The National Credit Union Administration supervises approximately 4,800 federally chartered and federally insured credit unions. As an FFIEC member agency, NCUA applies the same BCM framework as bank regulators, but examination depth scales with institution size and complexity.
Credit unions under $100M in assets face lighter-touch examination procedures. However, NCUA examiners still review whether institutions have documented BCPs, have tested those plans within the past 12 to 24 months, and have procedures for recovering critical member-facing services.
For larger credit unions (particularly those over $500M in assets), NCUA examination procedures mirror OCC intensity. Examiners look for:
- Proportionate programs — BCM programs scaled to the credit union’s product complexity, geographic footprint, and member dependency on digital services
- Critical service identification — Share drafts, ACH processing, online banking, and ATM networks are typically the critical functions that drive RTO/RPO requirements
- Vendor relationship management — Core processing systems (Symitar, Fiserv, FIS, Jack Henry) are often single points of failure; examiners want to see those vendor BCPs reviewed and factored into institutional RTOs
- Tested recovery procedures — Same expectation as banks: tabletop-only testing for critical services generates findings
A common misconception among credit union compliance teams: because NCUA’s examination guidance doesn’t always spell out BCM requirements as explicitly as OCC bulletins, the expectations must be lower. They’re not. Examiners use the FFIEC BCM booklet and expect credit unions to meet the same program standards, adjusted for institutional complexity.
2026 Update: OCC Rescinds Appendix E
On April 1, 2026, the OCC published a final rule rescinding 12 CFR 30, Appendix E — the formal recovery planning standards that had applied to large national banks (originally $250B+ in assets, lowered to $100B+ effective January 1, 2025). The rescission became effective May 1, 2026.
The OCC’s stated rationale: formal recovery plans in the Appendix E format had not proven to be effective risk management tools in practice.
What this means for compliance programs:
What changed: The mandatory recovery planning appendix — with its specific requirements for recovery plan content, board approval, and testing — is gone. Institutions previously subject to Appendix E no longer have a specific regulatory rule mandating formal recovery plans in that format.
What didn’t change: The FFIEC Business Continuity Management framework remains fully in force. OCC supervisory expectations for sound BCM programs are unchanged. The rescission removed a formal regulatory appendix, not underlying examiner expectations for operational resilience. Institutions that dismantle BCM programs in response to the rescission will discover that lesson during their next examination.
The practical takeaway: if your BCM program was built around Appendix E compliance specifically, this is an opportunity to rebuild it around the FFIEC BCM principles that apply to every institution regardless of size.
Building an Exam-Ready BCM Program
The institutions that consistently avoid BCM findings share several characteristics:
BIA integrated into change management. Rather than treating BIA as a periodic exercise, they’ve embedded BIA review triggers into change management processes. Cloud migrations, significant vendor changes, product launches, and M&A activities automatically trigger BIA updates.
Testing documented with specificity. Exam-ready test documentation includes: test scope and objectives, participant list, scenario description, recovery time actuals vs. RTOs, issues and gaps identified, and remediation timelines with owners. Vague entries like “annual BCP test completed — satisfactory” invite examiner follow-up.
Vendor BCP reviews on a schedule. They maintain a vendor criticality register, require BCP documentation contractually for critical vendors, and review it annually. When vendors can’t or won’t provide BCP documentation, they’ve documented that gap and the alternative controls.
Board reporting is substantive. Rather than a single paragraph in a quarterly operational risk report, BCM gets dedicated board reporting that includes testing outcomes, current RTO performance vs. targets, and identified risks.
For institutions building or refreshing their programs, see the FFIEC Business Continuity Management Requirements Guide for a detailed breakdown of the 2019 booklet’s requirements, and the Business Continuity Financial Services Regulatory Guide for sector-specific implementation considerations.
So What?
The examination question isn’t whether your institution has a plan — it’s whether your program functions. Stale BIAs, tabletop-only testing, unreviewed vendor BCPs, and absent board reporting are the four fastest paths to an exam finding. They’re also entirely preventable.
The July 2024 CrowdStrike outage gave every bank and credit union examiner a concrete reference point for third-party concentration risk. That reference point isn’t going away. Examiners who spent years explaining why third-party BCM documentation matters now have an 8.5-million-device, multi-billion-dollar case study to illustrate the point.
Build your program around the FFIEC BCM framework’s six components. Document everything. Test with substance, not just discussion. Treat vendor BCP review as a recurring operational task, not a once-in-a-program-lifetime checkbox. Report to the board in terms they can act on.
That’s what exam-ready looks like.
Equip your team: The Business Continuity & Disaster Recovery (BCP/DR) Kit includes BIA templates, BCM policy frameworks, testing documentation templates, and vendor BCP review checklists — formatted to align with FFIEC examination expectations.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.