OCC Spring 2026 Risk Perspective: What Risk Teams Need to Update Now

May 7, 2026 Rebecca Leung

TL;DR:

  • OCC published its Spring 2026 Semiannual Risk Perspective on May 7, naming credit, market, operational, and compliance risks as the four themes for the next supervisory cycle.
  • CRE refinancing and private credit get fresh attention. Cyber threats, fraud, and AI tool governance dominate operational risk. Sanctions and AML pressure from geopolitical tension drive the compliance section.
  • Banks have until their next exam to demonstrate alignment. Risk teams should refresh assessments, name control owners against each theme, and document evidence — examiners will ask.

The OCC dropped its Spring 2026 Semiannual Risk Perspective on May 7, and if you run risk or compliance at a national bank, federal savings association, or federal branch, this is the document that shapes your next exam. Examiners use it. Boards reference it. Internal audit cites it. The SARP is not background reading — it’s a roadmap for what gets asked and what gets graded.

The headline assessment: the federal banking system is resilient. Capital ratios and liquidity are strong by historical standards. Bank earnings improved through 2025 with loan growth and declining funding costs. First quarter 2026 trends have generally persisted. That’s the comfortable part of the report.

The uncomfortable part is the four-theme breakdown — credit, market, operational, compliance — and the specific risks under each that the OCC’s National Risk Committee wants supervised banks to address. Below is the practitioner’s read: what changed, what examiners will ask, and what to do about it before your next exam window.

Read the official release at the OCC’s news announcement. The full PDF is on the OCC’s Semiannual Risk Perspective page.

The Four Themes — and What’s New

Theme | Spring 2026 Focus | What Changed vs. Fall 2025
Credit risk | CRE concentration, private credit, refinancing risk | More attention to private credit; refinancing risk re-emphasized
Market risk | Modest increases in past-due consumer loans | Watch-list item, not deteriorating broadly
Operational risk | Cyber threats, fraud, AI tool governance | AI in cyber functions called out explicitly
Compliance risk | Sanctions and money laundering from geopolitical tension | Compliance system strain language is new

Three of the four themes carry forward from prior SARPs. What’s new is the language around AI tool governance for cybersecurity functions and the explicit framing of geopolitical tension as a driver of compliance system strain. Both are signals — examiners will probe these specifically.

Credit Risk: CRE and Private Credit

The OCC’s read on credit conditions is that overall risk is manageable but pockets warrant ongoing monitoring. Two specific areas:

Commercial real estate. CRE concentrations remain a supervisory priority — particularly multifamily and certain office portfolios. The Fall 2025 SARP shifted from broad-based CRE concern to institution- and market-specific pockets, and Spring 2026 continues that framing. The supervisory question is no longer “are you over-concentrated in CRE?” — it’s “do you have differentiated underwriting and monitoring for the specific borrowers and submarkets in your book?”

Private credit and refinancing. The OCC named private credit markets in this edition. If your bank is providing back-leverage or warehouse facilities to private credit funds, expect questions about look-through risk, covenant quality, and how you stress-test borrower performance under refinancing scenarios.

What examiners will ask:

  • Show me your CRE concentration limits and how they’ve moved over the last 12 months.
  • Walk me through your refinancing risk methodology for maturing CRE loans.
  • For private credit exposures, what’s your understanding of underlying borrower quality?

Market Risk: Consumer Past-Dues

The OCC flagged modest increases in past-due consumer loans across some portfolios. This is a watch-list item, not a deteriorating trend. The supervisory ask is straightforward: are you tracking it and is your allowance methodology responsive?

For consumer lenders — especially card, auto, and personal loan books — the action item is to refresh your CECL inputs against current vintage performance and document the reasoning.

Operational Risk: Cyber, Fraud, and AI Governance

This is where Spring 2026 has the most teeth. The OCC’s language: “Cyber threats and fraud remain a concern. Cybercriminal groups targeting the financial sector are increasingly sophisticated.”

Three specific operational risk priorities:

Cyber threat management. The bar moved up. Sophisticated attackers, financially motivated, operating at scale. Examiners will look for evidence that your controls are tuned to current threat actor TTPs (tactics, techniques, and procedures), not the threat landscape from two years ago. If your last threat model refresh predates 2025, that’s a finding.

Fraud. The fraud language pairs with cyber for a reason — most large-loss fraud now has a cyber component. Account takeover, business email compromise, synthetic identity, and authorized payment fraud all blur the line. Your fraud program needs visibility into cyber telemetry, and your cyber program needs visibility into fraud cases.

AI tool governance for cybersecurity functions. This is the new line. If your SOC is using AI-powered detection, response automation, or anomaly scoring tools, the OCC wants governance over those tools. That means model risk management treatment, validation, monitoring for drift, and documented human-in-the-loop decision points where AI output drives consequential action. The OCC’s existing model risk guidance — Bulletin 2011-12 / SR 11-7 — applies. The Spring 2026 SARP makes that linkage explicit for AI in security operations.

What examiners will ask:

  • Show me your inventory of AI tools used in cyber and fraud functions.
  • For each, what’s the validation evidence?
  • Who is the model owner and where is the monitoring documented?
  • If the AI tool generates an alert that triggers an action, is there a human review step?

Compliance Risk: Sanctions, AML, and System Strain

The Spring 2026 SARP language is direct: “Geopolitical tensions increase sanctions and money laundering risk, straining bank compliance systems.”

That last clause — “straining bank compliance systems” — is the part to circle. It signals examiners are paying attention to whether compliance programs are actually keeping up with volume, complexity, and the speed of designations. Three places this shows up:

Sanctions screening capacity. Volume of OFAC designations and complexity of ownership structures (the 50% rule, sectoral sanctions) keep climbing. If your screening system or your investigations team is backlogged, that’s the strain the OCC is describing. Examiners will ask about alert backlog age, false positive rates, and analyst capacity.

BSA/AML program effectiveness. Recent enforcement — including FinCEN’s record penalty against Canaccord Genuity — shows what happens when programs don’t keep pace. The Spring 2026 SARP signals OCC examiners are looking for the same gaps proactively.

Geopolitical risk integration. Russia-Ukraine, China-Taiwan tensions, Middle East dynamics, and emerging Africa sanctions create constantly shifting risk maps. The expectation is that your country risk methodology, your customer risk rating, and your transaction monitoring rules update when the geopolitical picture shifts — not on an annual review cycle.

What examiners will ask:

  • What’s your current OFAC alert backlog and how has it trended?
  • When was your last sanctions program risk assessment?
  • How do geopolitical events trigger updates to your customer risk ratings and transaction monitoring rules?

Control Failure Map: How OCC Findings Translate to Your Program

OCC Theme | Universal Control Gap | What Practitioners Should Document
CRE / private credit | Concentration monitoring not granular enough | Submarket and borrower-level segmentation in concentration reports
Consumer past-dues | CECL inputs not refreshed against current vintages | Vintage-level analysis tied to allowance methodology
Cyber threat management | Threat model not refreshed for current TTPs | Annual threat modeling tied to MITRE ATT&CK or equivalent
AI in cyber/fraud | AI tools outside model risk inventory | Model inventory entries with validation, owner, monitoring evidence
Sanctions strain | Alert backlog growing, capacity not scaled | Monthly capacity metrics with escalation thresholds
AML / geopolitical | Risk ratings and rules not responsive to events | Documented event-driven update process

Practitioner Takeaways: 5 Things to Check Monday Morning

  1. Pull your current top-of-house risk assessment. Map each of the four SARP themes to a named risk in your taxonomy. If a theme doesn’t map cleanly, you have a documentation gap.

  2. Inventory AI tools in cyber and fraud functions. Every tool gets a model owner, a validation status, and a monitoring plan. If the inventory is incomplete, that’s your first remediation item.

  3. Check your CRE concentration reports for granularity. Are they showing submarkets, property types, and borrower clusters — or rolled up to a single CRE bucket? The latter doesn’t survive an exam in 2026.

  4. Pull the last 90 days of sanctions alert metrics. Backlog, age of oldest open alert, false positive rate, analyst hours. If trends are bad, prepare the narrative now — what’s driving it and what you’re doing about it.

  5. Review your geopolitical risk update process. When did your country risk methodology last update? When did transaction monitoring rules last incorporate a geopolitical trigger? If the answer is “annual review,” you have work to do.

Action Items: 30 / 60 / 90 Days

30 days:

  • CRO or CCO walks the SARP themes through ERM committee. Assign each to a named risk owner.
  • Risk teams refresh top-of-house risk assessment narrative against the four themes.
  • Cyber and fraud teams build/refresh AI tool inventory.

60 days:

  • Internal audit adds SARP-aligned testing to the next quarter’s plan — particularly CRE concentration monitoring, sanctions program capacity, and AI governance in security operations.
  • Sanctions team produces a capacity and backlog briefing for the BSA officer and the audit committee.
  • CRE underwriting refreshes concentration reporting to show submarket and borrower-level granularity.

90 days:

  • Risk committee receives a SARP gap-closure report — what’s been addressed, what remains, what evidence has been generated.
  • Model Risk Management completes validation reviews for any AI tools deployed in cyber/fraud functions that were not previously inventoried.
  • Compliance produces an updated geopolitical risk methodology that ties events to risk rating and rule updates.

The Bigger Picture

The Spring 2026 SARP is consistent with the direction of OCC supervision over the past year — granularity over generality, evidence over assertion, and integration of AI governance into existing risk frameworks rather than as a separate silo. Banks that already operate this way will find the SARP confirmatory. Banks that have been running on annual cycles, rolled-up reports, and light-touch governance will find their next exam uncomfortable.

The work isn’t dramatic. It’s specific, documented, and owned. That’s the bar.

Need a structured approach to mapping examiner expectations to your program? The Enterprise Risk Management Framework gives you the risk taxonomy, control mapping, and reporting templates to align with SARP themes without rebuilding from scratch.

For more on OCC supervisory direction, see our coverage of the OCC reputation risk final rule and business continuity expectations for banks and credit unions.

Frequently Asked Questions

What is the OCC Semiannual Risk Perspective?

The Semiannual Risk Perspective (SARP) is the OCC's National Risk Committee report on key risks to the federal banking system. It's published every spring and fall and shapes what OCC examiners focus on during their next supervisory cycle.

What are the four key risk themes in Spring 2026?

Credit risk (CRE refinancing and private credit), market risk, operational risk (cyber, fraud, AI governance), and compliance risk (sanctions and AML pressure from geopolitical tension).

Does the SARP apply only to large national banks?

No. The SARP describes risks across the federal banking system — national banks, federal savings associations, and federal branches and agencies of foreign banks of all sizes. Community banks are explicitly addressed alongside midsize and large institutions.

How should risk teams use the SARP?

Treat it as a roadmap for your next exam. Map each named risk to a control owner, refresh your risk assessment scoring against the new themes, and document evidence that your program is responsive to OCC priorities — examiners will ask.

Is AI a separate risk category in the Spring 2026 SARP?

AI sits inside operational risk in this edition. The OCC specifically calls out AI tool governance for cybersecurity functions — meaning if you're using AI to detect or respond to cyber threats, you need governance over those tools.

When was the Spring 2026 SARP published?

May 7, 2026. Examiners typically begin referencing the new SARP in supervisory conversations within two to four weeks of publication.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.