Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Compliance Strategy

The Regulatory Exam Preparation Playbook: What to Have Ready Before an OCC, FDIC, or CFPB Team Walks In

The document request list arrives 2-4 weeks before examiners do. Here's how to manage the DRL, set up your exam response infrastructure, handle examiner interactions, and avoid the document production mistakes that create findings that didn't exist before the exam.

Table of Contents

TL;DR:

  • The Document Request List arrives 2-4 weeks before examiners do — teams that scramble to pull records under pressure make avoidable mistakes. Build your document management infrastructure before the notice arrives.
  • Three categories of documents should never go to examiners without senior review: draft policies, unreviewed email chains, and anything prepared at counsel’s direction. The ones that look harmless often aren’t.
  • Examiner management isn’t adversarial — but it isn’t passive either. Designate one senior point of contact, log every examiner interaction, and document every verbal response you give.
  • The OCC’s 2026 community bank exam policy changes reduced some mandatory procedures — but added explicit focus on AI/model risk, third-party risk, and CRA compliance. A narrower scope means a sharper lens.

The notice of examination lands in your inbox. Examiners arrive in 21 days.

Most compliance teams immediately start pulling files. The smart ones start with a different question: what’s our exam management infrastructure, and is it ready?

Because the documents are the surface of the exam. What determines whether findings emerge, how severe they are, and whether you come across as a well-governed institution or a team that scrambled — that’s determined by how you manage the 21 days before Day 1 and the three weeks the examiners are on site.

This is the playbook that most exam preparation guides skip. Not the regulatory substance — there are plenty of resources on what each law requires. This is the operational mechanics: how to receive the DRL, what to do with it, how to organize document production, how to manage examiner interactions without creating new risk, and how to use the exit meeting to set up your strongest possible management response.

Before the Notice Arrives: Pre-Exam Readiness

The teams that handle exams well treat exam readiness as a continuous program, not an emergency response. There are four things worth having in place before the notice arrives:

A document custodian structure. For each major document category an examiner might request — board minutes, audit reports, policies, complaint logs, third-party contracts — someone owns that file and knows where to find the authoritative version. When you’re under a 21-day clock, discovering that three different people think they own the compliance training records creates an avoidable crisis.

A “readily producible” document standard. Examiners expect documents that are complete, dated, titled, and versioned. A policy with a last-reviewed date of 2022 and tracked changes from six different editors is not readily producible in the sense regulators care about. Walk your document library annually and identify anything that isn’t exam-ready.

A living issues log. If an examiner asks “what compliance issues have you identified in the past 12 months and how have you remediated them?” your answer should come from a structured tracking system with dates, severity ratings, owners, and closure evidence — not from memory. This is also how you demonstrate a functional compliance management system rather than a reactive one. The Issues Management Tracker structure applies here: you want a log that shows issues were caught, assessed, owned, and closed.

A prior exam findings summary. Know what the last examination found, what you committed to fix, and whether you fixed it. Examiners always review prior findings. If you can hand an examiner a prior-findings summary on Day 1 — including the remediation status of each item — you’ve demonstrated an institution that manages findings seriously. If you can’t, the examiner starts constructing that picture themselves.

When the Notice Arrives: The First 24 Hours

The exam notice typically comes with or is quickly followed by the Document Request List. Your first 24 hours should accomplish three things:

Designate your exam point of contact (POC). One senior person — typically the CCO, CRO, or General Counsel — owns all examiner communication. Not a committee, not a rotation. Every examiner question, every document delivery, every meeting request goes through the POC. This prevents miscommunication, ensures consistent messaging, and creates a record of every interaction.

Scope the DRL with legal and senior management. Read the DRL carefully before distributing it to document owners. Look for requests that might include privileged materials, draft documents that could be misread as final, or categories that are broader than they appear. Items like “all communications related to [topic X]” may include emails that require review before production.

Create a DRL tracker. A simple spreadsheet with each DRL item, the document owner, expected production date, actual production date, and status covers the mechanics. Add a flag column for items that need legal review or have a privilege question. The goal: clear visibility into where you stand on every item, updated daily, with no surprises on Day 1.

The Document Request List: What Compliance Exams Ask For

A compliance examination DRL for a community or midsize bank typically includes 50-100 line items. The exact list varies by exam type, bank size, and prior findings, but the common categories:

CategoryTypical Scope
Board and committee governance12-24 months of minutes; charters; membership rosters
Compliance program documentationWritten compliance program; policies and procedures; training records; compliance calendar
Consumer complaint managementComplaint log; resolution records; trends analysis; management reporting
Third-party risk managementCritical vendor list; contracts; due diligence records; oversight reports
BSA/AML programBSA policy; risk assessment; SAR logs; CIP samples; OFAC screening records
Consumer product filesSample origination files or transaction records by product type
Prior exam historyPrior exam reports; management responses; remediation evidence
Audit and testingInternal audit reports; compliance testing results; work papers
Regulatory filingsHMDA LAR; CRA data; regulatory reports as applicable
Legal and regulatory mattersActive regulatory inquiries; litigation; DOJ/AG correspondence

The 2026 exam environment adds three categories that weren’t standard five years ago: AI and model risk documentation (model inventory, pre-deployment assessments, ongoing monitoring reports), detailed third-party vendor oversight records aligned with the June 2023 interagency guidance on third-party relationships, and CRA compliance documentation under the 2023 final CRA rule for institutions that had to implement it.

Document Production Protocols

How you produce documents shapes how examiners interpret them. Three protocols that protect you:

Include a document index. Produce a one-page index identifying every document submitted, its title, date, version, and the DRL item it responds to. This prevents an examiner from receiving 400 pages of PDFs and spending three days building their own organizational picture. It also prevents them from questioning whether something is missing.

Mark drafts as drafts. Never produce a draft policy without clearly marking it as such. If you’re in the middle of updating a policy and produce the current version in a directory alongside the draft revision, a tired examiner may treat the draft as your operative document. Mark drafts with the date, version number, and “DRAFT — NOT FOR REGULATORY PRODUCTION” in the header until finalized.

Review email before producing it. Email requests are increasingly common in compliance exams — “all communications regarding [consumer complaint process / AML alerts / third-party oversight] during the examination period.” These productions often include frank internal discussions about gaps, counsel discussions that may be privileged, and draft assessments that weren’t intended as final positions. Have legal counsel or senior compliance review any email thread production before it goes to examiners.

Managing Examiner Interactions

Examiners are professionals doing a job. The adversarial instinct that some compliance teams bring to examinations usually makes exams worse, not better. At the same time, passive deference to examiner questions isn’t the right posture either.

The right model: cooperative, prepared, and precise.

Cooperative: Respond to requests promptly. If you need more time, say so immediately — don’t let deadlines pass silently. If something on the DRL is ambiguous, ask for clarification rather than guessing at scope. Examiners respond well to an institution that’s engaged and responsive.

Prepared: When an examiner asks a process question in a meeting, the person in the room should know the answer from direct experience — not be reading from a policy document they’ve never worked with. Walk key staff through their process areas before examiners interview them. “Tell me how you handle a consumer complaint from receipt through closure” should produce a confident, consistent answer from anyone in the complaint function.

Precise: Answer the question asked, not a broader version of it. If an examiner asks when you last tested your third-party vendor relationships, the correct answer is the specific date and scope of the last review — not a general explanation of your TPRM philosophy. Volunteering information beyond the question scope is one of the most common ways institutions create new examination findings.

Log every interaction. Your exam POC should keep a daily log of examiner meetings, document requests made verbally, and any oral commitments to produce additional information. If an examiner mentions verbally that something looks like a concern, that conversation should be documented before you leave the room. The formal findings process starts with those conversations.

What’s Different in 2026

Three exam environment changes that affect preparation this year:

OCC community bank policy update (effective January 1, 2026): The OCC eliminated mandatory examination activities not required by statute for community banks, shifting to risk-based tailoring. Examiners now scope based on a bank’s specific activities and risk profile. This can mean a shorter examination for lower-risk institutions — but the OCC also identified specific areas for increased attention: AI/model risk in credit and operations, TPRM compliance with the June 2023 interagency guidance, and CRA implementation for affected institutions. If you’re in any of those categories, plan for examiner depth.

FFIEC CAMELS revision proposal: As we covered in this morning’s post on the CAMELS rating system overhaul, the FFIEC’s May 2026 proposed revisions would require evidence of material financial risk to downgrade a management component — process or documentation gaps alone wouldn’t be sufficient under the proposal. Until that proposal is finalized (comments due August 17, 2026), examiners are still using the existing 1996 UFIRS framework. But the direction of travel is relevant to how you frame management capabilities.

Third-party risk scrutiny: The June 2023 OCC/FDIC/FRB interagency guidance on third-party relationships is now fully integrated into examination procedures. Examiners are asking for documentation of critical vendor risk assessments, contract provisions mapping to the guidance’s expectations, and evidence of ongoing monitoring — not just due diligence at onboarding. Teams that haven’t updated their TPRM programs to reflect the June 2023 guidance are finding this in findings.

Common Mistakes That Create Findings

A short list of exam preparation errors that generate findings from situations that weren’t problems before the exam:

Producing everything on the DRL without review. The completeness instinct is right, but speed without judgment produces privilege issues and scope-expanding document surprises. Build 48 hours of senior review time into the production schedule for any category that includes email, legal analysis, or draft risk assessments.

Sending the wrong person to examiner interviews. Examiners interview operational staff to verify that policies are actually implemented as written. If the person who runs your complaint intake process can’t accurately describe it without referring to the policy document, that inconsistency becomes a finding about training or process clarity.

Over-promising on remediation timelines. When an examiner identifies a potential finding in a meeting, the natural instinct is to propose an aggressive remediation date to demonstrate responsiveness. Be honest about what’s achievable. A 30-day commitment to fix a systemic process issue that takes 90 days to fix properly results in a violation of your written management response commitment — which is worse than asking for 90 days to begin with.

Letting examiner conversations be the record. If an examiner verbally characterizes your TPRM program as having a gap, and you don’t document that conversation or push back before the exit meeting, that characterization may appear in the report. The time to correct a factual misunderstanding is during the exam, not in your management response.

The Exit Meeting: Don’t Waste It

The exit meeting is the transition from examination to findings management. Regulators present their preliminary findings verbally — typically in order of severity — before the formal written report and management response process begins.

Your goal at the exit meeting is full understanding, not immediate agreement. Ask clarifying questions:

  • What’s the specific regulatory citation for this finding?
  • What evidence would a management response need to address this?
  • Is this an MRA (Matter Requiring Attention) or a less formal observation?
  • What’s the expected response timeline?

Write down every finding and the examiner’s characterization of severity. This is your baseline for the management response — the formal written document where you commit to specific remediation actions and timelines.

For handling MRAs from that written response through to closure, the same structured MRA remediation framework applies: issue characterization, root cause analysis, corrective actions with owners and dates, and closure evidence.

For teams building exam-readiness infrastructure, the Issues Management Tracker includes an MRA and exam findings tracking module with status dashboards and documentation templates that work for both examiner-produced findings and self-identified issues.

So What? Build the Infrastructure Before You Need It

The teams that handle exams well aren’t smarter about regulations than everyone else. They’re better organized about where their documents live, clearer about who manages examiner interactions, and more disciplined about what goes out the door and why.

Three things worth doing before your next exam notice arrives:

Run a mock DRL exercise. Pick 15 items from a standard compliance examination DRL and time how long it takes your team to locate, compile, and review those documents. The gaps that emerge — missing dates, unclear owners, draft policies posing as final — are exactly what examiners will find. Better to find them yourself.

Update your issues log to exam-ready standard. Every open finding from the last 24 months should have: a clear description, root cause analysis, remediation owner, target date, and closure evidence (or current status). If an examiner asks “what did you do about the third-party oversight gap your last audit found?” and the answer is in a live tracker rather than in your memory, you’ve answered the question and demonstrated a compliance management system at the same time.

Brief your board. Examiners form views of management culture in part from board minutes. If your minutes reflect engaged risk oversight — questions asked, concerns documented, management responses challenged — that signal matters. If minutes are pro forma with no record of substantive discussion, that’s what they see.

The notice of examination isn’t the beginning of exam preparation. It’s the beginning of execution. The preparation happens in the months before it arrives.


Sources: OCC Comptroller’s Handbook — Bank Supervision Process, OCC Bulletin 2025-24: Examinations — Frequency and Scope for Community Banks, OCC Examinations Overview, FDIC Bank Examinations, Canarie: What Happens During a Bank Examination (2026)

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

How far in advance do bank regulators send the document request list?
Typically 2-4 weeks before the scheduled on-site start date, though the specific lead time varies by agency and exam type. The OCC for safety and soundness exams often sends a preliminary DRL 4-6 weeks out, followed by supplemental requests as the examination scope firms up. FDIC community bank exams typically have 2-4 weeks of pre-exam document production. CFPB enforcement investigations operate on their own timeline — you may have 30-60 days from a Civil Investigative Demand. The rule of thumb: assume the DRL arrives and the clock starts immediately. Organizing your document management infrastructure before you receive the DRL is the only way to be ready on day one.
What's typically on a compliance exam document request list?
A compliance examination DRL for a community or midsize bank typically includes 50-100 line items covering: board and management meeting minutes (12-24 months), committee charters and membership rosters, compliance program documentation (policies, procedures, training records), complaint log and resolution records, audit reports and findings from the prior 12-24 months, sample consumer files or transaction histories by product type, BSA/AML program documentation including risk assessment and SAR logs, third-party vendor contracts and oversight documentation, HMDA and CRA data as applicable, and exam-ready reporting packages from prior examinations. Safety and soundness exams add capital, liquidity, credit quality, and earnings documentation. The specific scope depends on the exam type and any flagged risk areas from prior exams.
What's the biggest document production mistake compliance teams make during exams?
Producing draft documents without flagging them as drafts. Examiners who receive an undated policy in a folder may not know it was a work-in-progress — and the exam findings may reflect deficiencies that technically applied to a draft you were about to fix. Mark every draft clearly, produce final versions where they exist, and include a document production index that identifies the date, version, and owner of each item. A close second: producing email chains that contain frank internal discussions about compliance gaps. Emails aren't automatically privileged — before producing any email thread, legal counsel or senior compliance leadership should review whether it raises privilege or creates scope-expanding risk.
What does the OCC's 2026 community bank examination policy change mean in practice?
Effective January 1, 2026, the OCC updated its examination policies for community banks to eliminate mandatory examination activities not required by statute or regulation. Examiners now tailor their examination procedures to the bank's specific activities, size, complexity, and risk profile rather than following a standardized checklist. In practice, this means lower-risk community banks may see shorter on-site periods and more targeted scope. However, the OCC has simultaneously increased focus on areas where it sees elevated risk — including AI/model risk in credit decisioning, TPRM compliance with the June 2023 interagency guidance, and CRA compliance under the 2023 final rule. A shorter exam doesn't mean lower standards — it means the examiner has already decided where to look.
How should we handle an examiner who asks for something that creates privilege concerns?
Do not refuse the request without counsel review — that creates an immediate adversarial dynamic. The right response is: 'We want to be fully responsive. We'd like to flag that this item may include materials covered by attorney-client privilege and ask for 48 hours to have counsel review before we produce.' Regulators respect privilege claims made in good faith, promptly, and with specificity. They don't respond well to blanket privilege assertions over clearly non-privileged compliance documents. The categories most commonly raising privilege issues: legal opinions on regulatory requirements, counseled compliance gap analyses, documents prepared at the direction of outside counsel in anticipation of regulatory action.
What happens at the exit meeting, and who should attend?
The exit meeting (sometimes called the exit conference or closeout meeting) is the regulators' verbal delivery of preliminary findings before the formal written report. The OCC and FDIC typically hold exit meetings at the conclusion of safety and soundness and compliance exams. Attendees should include: the CEO or President, the Chief Compliance Officer (or equivalent), the Chief Risk Officer, and legal counsel if you've had privilege concerns during the exam. Importantly, this is not the time to dispute findings — it's the time to understand them well enough to write a strong management response. Come prepared to listen and ask clarifying questions about scope, severity, and expected response timing. Save substantive pushback for the formal management response stage.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Issues Management Tracker & Template

End-to-end issues tracking and remediation management for risk and compliance teams.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.