Feature Compliance Strategy
The Regulatory Exam Preparation Playbook: What to Have Ready Before an OCC, FDIC, or CFPB Team Walks In
The document request list arrives 2-4 weeks before examiners do. Here's how to manage the DRL, set up your exam response infrastructure, handle examiner interactions, and avoid the document production mistakes that create findings that didn't exist before the exam.
Table of Contents
TL;DR:
- The Document Request List arrives 2-4 weeks before examiners do — teams that scramble to pull records under pressure make avoidable mistakes. Build your document management infrastructure before the notice arrives.
- Three categories of documents should never go to examiners without senior review: draft policies, unreviewed email chains, and anything prepared at counsel’s direction. The ones that look harmless often aren’t.
- Examiner management isn’t adversarial — but it isn’t passive either. Designate one senior point of contact, log every examiner interaction, and document every verbal response you give.
- The OCC’s 2026 community bank exam policy changes reduced some mandatory procedures — but added explicit focus on AI/model risk, third-party risk, and CRA compliance. A narrower scope means a sharper lens.
The notice of examination lands in your inbox. Examiners arrive in 21 days.
Most compliance teams immediately start pulling files. The smart ones start with a different question: what’s our exam management infrastructure, and is it ready?
Because the documents are the surface of the exam. What determines whether findings emerge, how severe they are, and whether you come across as a well-governed institution or a team that scrambled — that’s determined by how you manage the 21 days before Day 1 and the three weeks the examiners are on site.
This is the playbook that most exam preparation guides skip. Not the regulatory substance — there are plenty of resources on what each law requires. This is the operational mechanics: how to receive the DRL, what to do with it, how to organize document production, how to manage examiner interactions without creating new risk, and how to use the exit meeting to set up your strongest possible management response.
Before the Notice Arrives: Pre-Exam Readiness
The teams that handle exams well treat exam readiness as a continuous program, not an emergency response. There are four things worth having in place before the notice arrives:
A document custodian structure. For each major document category an examiner might request — board minutes, audit reports, policies, complaint logs, third-party contracts — someone owns that file and knows where to find the authoritative version. When you’re under a 21-day clock, discovering that three different people think they own the compliance training records creates an avoidable crisis.
A “readily producible” document standard. Examiners expect documents that are complete, dated, titled, and versioned. A policy with a last-reviewed date of 2022 and tracked changes from six different editors is not readily producible in the sense regulators care about. Walk your document library annually and identify anything that isn’t exam-ready.
A living issues log. If an examiner asks “what compliance issues have you identified in the past 12 months and how have you remediated them?” your answer should come from a structured tracking system with dates, severity ratings, owners, and closure evidence — not from memory. This is also how you demonstrate a functional compliance management system rather than a reactive one. The Issues Management Tracker structure applies here: you want a log that shows issues were caught, assessed, owned, and closed.
A prior exam findings summary. Know what the last examination found, what you committed to fix, and whether you fixed it. Examiners always review prior findings. If you can hand an examiner a prior-findings summary on Day 1 — including the remediation status of each item — you’ve demonstrated an institution that manages findings seriously. If you can’t, the examiner starts constructing that picture themselves.
When the Notice Arrives: The First 24 Hours
The exam notice typically comes with or is quickly followed by the Document Request List. Your first 24 hours should accomplish three things:
Designate your exam point of contact (POC). One senior person — typically the CCO, CRO, or General Counsel — owns all examiner communication. Not a committee, not a rotation. Every examiner question, every document delivery, every meeting request goes through the POC. This prevents miscommunication, ensures consistent messaging, and creates a record of every interaction.
Scope the DRL with legal and senior management. Read the DRL carefully before distributing it to document owners. Look for requests that might include privileged materials, draft documents that could be misread as final, or categories that are broader than they appear. Items like “all communications related to [topic X]” may include emails that require review before production.
Create a DRL tracker. A simple spreadsheet with each DRL item, the document owner, expected production date, actual production date, and status covers the mechanics. Add a flag column for items that need legal review or have a privilege question. The goal: clear visibility into where you stand on every item, updated daily, with no surprises on Day 1.
The Document Request List: What Compliance Exams Ask For
A compliance examination DRL for a community or midsize bank typically includes 50-100 line items. The exact list varies by exam type, bank size, and prior findings, but the common categories:
| Category | Typical Scope |
|---|---|
| Board and committee governance | 12-24 months of minutes; charters; membership rosters |
| Compliance program documentation | Written compliance program; policies and procedures; training records; compliance calendar |
| Consumer complaint management | Complaint log; resolution records; trends analysis; management reporting |
| Third-party risk management | Critical vendor list; contracts; due diligence records; oversight reports |
| BSA/AML program | BSA policy; risk assessment; SAR logs; CIP samples; OFAC screening records |
| Consumer product files | Sample origination files or transaction records by product type |
| Prior exam history | Prior exam reports; management responses; remediation evidence |
| Audit and testing | Internal audit reports; compliance testing results; work papers |
| Regulatory filings | HMDA LAR; CRA data; regulatory reports as applicable |
| Legal and regulatory matters | Active regulatory inquiries; litigation; DOJ/AG correspondence |
The 2026 exam environment adds three categories that weren’t standard five years ago: AI and model risk documentation (model inventory, pre-deployment assessments, ongoing monitoring reports), detailed third-party vendor oversight records aligned with the June 2023 interagency guidance on third-party relationships, and CRA compliance documentation under the 2023 final CRA rule for institutions that had to implement it.
Document Production Protocols
How you produce documents shapes how examiners interpret them. Three protocols that protect you:
Include a document index. Produce a one-page index identifying every document submitted, its title, date, version, and the DRL item it responds to. This prevents an examiner from receiving 400 pages of PDFs and spending three days building their own organizational picture. It also prevents them from questioning whether something is missing.
Mark drafts as drafts. Never produce a draft policy without clearly marking it as such. If you’re in the middle of updating a policy and produce the current version in a directory alongside the draft revision, a tired examiner may treat the draft as your operative document. Mark drafts with the date, version number, and “DRAFT — NOT FOR REGULATORY PRODUCTION” in the header until finalized.
Review email before producing it. Email requests are increasingly common in compliance exams — “all communications regarding [consumer complaint process / AML alerts / third-party oversight] during the examination period.” These productions often include frank internal discussions about gaps, counsel discussions that may be privileged, and draft assessments that weren’t intended as final positions. Have legal counsel or senior compliance review any email thread production before it goes to examiners.
Managing Examiner Interactions
Examiners are professionals doing a job. The adversarial instinct that some compliance teams bring to examinations usually makes exams worse, not better. At the same time, passive deference to examiner questions isn’t the right posture either.
The right model: cooperative, prepared, and precise.
Cooperative: Respond to requests promptly. If you need more time, say so immediately — don’t let deadlines pass silently. If something on the DRL is ambiguous, ask for clarification rather than guessing at scope. Examiners respond well to an institution that’s engaged and responsive.
Prepared: When an examiner asks a process question in a meeting, the person in the room should know the answer from direct experience — not be reading from a policy document they’ve never worked with. Walk key staff through their process areas before examiners interview them. “Tell me how you handle a consumer complaint from receipt through closure” should produce a confident, consistent answer from anyone in the complaint function.
Precise: Answer the question asked, not a broader version of it. If an examiner asks when you last tested your third-party vendor relationships, the correct answer is the specific date and scope of the last review — not a general explanation of your TPRM philosophy. Volunteering information beyond the question scope is one of the most common ways institutions create new examination findings.
Log every interaction. Your exam POC should keep a daily log of examiner meetings, document requests made verbally, and any oral commitments to produce additional information. If an examiner mentions verbally that something looks like a concern, that conversation should be documented before you leave the room. The formal findings process starts with those conversations.
What’s Different in 2026
Three exam environment changes that affect preparation this year:
OCC community bank policy update (effective January 1, 2026): The OCC eliminated mandatory examination activities not required by statute for community banks, shifting to risk-based tailoring. Examiners now scope based on a bank’s specific activities and risk profile. This can mean a shorter examination for lower-risk institutions — but the OCC also identified specific areas for increased attention: AI/model risk in credit and operations, TPRM compliance with the June 2023 interagency guidance, and CRA implementation for affected institutions. If you’re in any of those categories, plan for examiner depth.
FFIEC CAMELS revision proposal: As we covered in this morning’s post on the CAMELS rating system overhaul, the FFIEC’s May 2026 proposed revisions would require evidence of material financial risk to downgrade a management component — process or documentation gaps alone wouldn’t be sufficient under the proposal. Until that proposal is finalized (comments due August 17, 2026), examiners are still using the existing 1996 UFIRS framework. But the direction of travel is relevant to how you frame management capabilities.
Third-party risk scrutiny: The June 2023 OCC/FDIC/FRB interagency guidance on third-party relationships is now fully integrated into examination procedures. Examiners are asking for documentation of critical vendor risk assessments, contract provisions mapping to the guidance’s expectations, and evidence of ongoing monitoring — not just due diligence at onboarding. Teams that haven’t updated their TPRM programs to reflect the June 2023 guidance are finding this in findings.
Common Mistakes That Create Findings
A short list of exam preparation errors that generate findings from situations that weren’t problems before the exam:
Producing everything on the DRL without review. The completeness instinct is right, but speed without judgment produces privilege issues and scope-expanding document surprises. Build 48 hours of senior review time into the production schedule for any category that includes email, legal analysis, or draft risk assessments.
Sending the wrong person to examiner interviews. Examiners interview operational staff to verify that policies are actually implemented as written. If the person who runs your complaint intake process can’t accurately describe it without referring to the policy document, that inconsistency becomes a finding about training or process clarity.
Over-promising on remediation timelines. When an examiner identifies a potential finding in a meeting, the natural instinct is to propose an aggressive remediation date to demonstrate responsiveness. Be honest about what’s achievable. A 30-day commitment to fix a systemic process issue that takes 90 days to fix properly results in a violation of your written management response commitment — which is worse than asking for 90 days to begin with.
Letting examiner conversations be the record. If an examiner verbally characterizes your TPRM program as having a gap, and you don’t document that conversation or push back before the exit meeting, that characterization may appear in the report. The time to correct a factual misunderstanding is during the exam, not in your management response.
The Exit Meeting: Don’t Waste It
The exit meeting is the transition from examination to findings management. Regulators present their preliminary findings verbally — typically in order of severity — before the formal written report and management response process begins.
Your goal at the exit meeting is full understanding, not immediate agreement. Ask clarifying questions:
- What’s the specific regulatory citation for this finding?
- What evidence would a management response need to address this?
- Is this an MRA (Matter Requiring Attention) or a less formal observation?
- What’s the expected response timeline?
Write down every finding and the examiner’s characterization of severity. This is your baseline for the management response — the formal written document where you commit to specific remediation actions and timelines.
For handling MRAs from that written response through to closure, the same structured MRA remediation framework applies: issue characterization, root cause analysis, corrective actions with owners and dates, and closure evidence.
For teams building exam-readiness infrastructure, the Issues Management Tracker includes an MRA and exam findings tracking module with status dashboards and documentation templates that work for both examiner-produced findings and self-identified issues.
So What? Build the Infrastructure Before You Need It
The teams that handle exams well aren’t smarter about regulations than everyone else. They’re better organized about where their documents live, clearer about who manages examiner interactions, and more disciplined about what goes out the door and why.
Three things worth doing before your next exam notice arrives:
Run a mock DRL exercise. Pick 15 items from a standard compliance examination DRL and time how long it takes your team to locate, compile, and review those documents. The gaps that emerge — missing dates, unclear owners, draft policies posing as final — are exactly what examiners will find. Better to find them yourself.
Update your issues log to exam-ready standard. Every open finding from the last 24 months should have: a clear description, root cause analysis, remediation owner, target date, and closure evidence (or current status). If an examiner asks “what did you do about the third-party oversight gap your last audit found?” and the answer is in a live tracker rather than in your memory, you’ve answered the question and demonstrated a compliance management system at the same time.
Brief your board. Examiners form views of management culture in part from board minutes. If your minutes reflect engaged risk oversight — questions asked, concerns documented, management responses challenged — that signal matters. If minutes are pro forma with no record of substantive discussion, that’s what they see.
The notice of examination isn’t the beginning of exam preparation. It’s the beginning of execution. The preparation happens in the months before it arrives.
Sources: OCC Comptroller’s Handbook — Bank Supervision Process, OCC Bulletin 2025-24: Examinations — Frequency and Scope for Community Banks, OCC Examinations Overview, FDIC Bank Examinations, Canarie: What Happens During a Bank Examination (2026)
◆ Related template
Issues Management Tracker & Template
End-to-end issues tracking and remediation management for risk and compliance teams.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
How far in advance do bank regulators send the document request list?
What's typically on a compliance exam document request list?
What's the biggest document production mistake compliance teams make during exams?
What does the OCC's 2026 community bank examination policy change mean in practice?
How should we handle an examiner who asks for something that creates privilege concerns?
What happens at the exit meeting, and who should attend?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Issues Management Tracker & Template
End-to-end issues tracking and remediation management for risk and compliance teams.
◆ Keep reading
Related posts.
Compliance Strategy
FinCEN's June 2026 Update Turns Section 314(b) Into a Real-Time Fraud-Fighting Tool
FinCEN's June 12, 2026 guidance expanded the Section 314(b) safe harbor to explicitly cover fraud—wire fraud, bank fraud, mail fraud, computer fraud—without requiring an institution to connect the activity to money laundering first. Here's what changed, why it matters for BSA programs, and what enrollment and real-time sharing actually look like in practice.
Jul 8, 2026
Compliance Strategy
OCC's 2026 Exam Rightsizing: What Community Banks Should Stop Doing—and What Still Gets You Written Up
Effective January 1, 2026, OCC Bulletin 2025-24 eliminated mandatory examination activities that aren't required by law for community banks. That means fair lending risk assessments and flood insurance transaction testing are no longer mandatory every exam cycle. Here's what actually changed, what didn't, and where compliance teams are misreading this shift.
Jul 7, 2026
Compliance Strategy
Compliance Training Program Requirements: What OCC, FDIC, CFPB, and FINRA Examiners Actually Test
Most financial institutions have a training program. Fewer have one that survives examiner scrutiny. Here's what each regulator actually looks for — and the documentation gaps that turn a training calendar into an exam finding.
Jul 3, 2026