Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Regulatory Compliance

OCC's 2026 Supervisory Reset: What the Shift from Checklists to Risk-Based Judgment Means for Your Next Exam

The OCC eliminated mandatory exam activities for community banks, removed reputation risk from its toolkit, proposed narrowing MRA authority, and reorganized into bank-size-specific units. What changed, what it means for exam prep, and what examiners are still looking for in 2026.

By Rebecca Leung · June 28, 2026 ·
Table of Contents

TL;DR

  • Effective January 1, 2026, the OCC dropped mandatory examination activities for community banks not required by statute — exam scope is now risk-based and tailored, not checklist-driven
  • The OCC and FDIC proposed redefining “unsafe or unsound practice” in October 2025, which would narrow MRA authority significantly if the rule is finalized
  • Reputation risk was eliminated as an examination category effective June 9, 2026 — and 15 interagency guidance documents were reissued without it
  • None of this relieves pressure on credit risk, cybersecurity, BSA/AML, or third-party risk — those remain high-priority examination areas under the Spring 2026 Semiannual Risk Perspective

The OCC has spent the past twelve months dismantling significant parts of its supervisory framework and rebuilding them on a different foundation. The changes are real and the direction is clear: less procedural burden, more examiner judgment, and a supervision approach calibrated to each bank’s actual risk profile rather than a checklist that applies identically to a $400 million community bank and a $4 billion regional.

For bank risk managers and compliance officers, the reset creates both an opportunity and a trap. The opportunity: eliminating mandatory exam activities that consumed examiner time and documentation effort without commensurate risk insight. The trap: interpreting the supervisory reset as a signal that examiners are backing off. The Spring 2026 Semiannual Risk Perspective is explicit that credit, operational, and compliance risk priorities remain unchanged. What changed is how examiner time gets allocated to find them.


The Timeline of Changes

The OCC’s supervisory reset isn’t a single event — it’s a series of overlapping changes that started in mid-2025 and continue into 2026.

September 18, 2025 — OCC reorganizes supervision into three units by bank size. Effective October 1, 2025, the OCC split bank supervision and examination into three distinct functions: Large and Global Financial Institutions (over $500 billion in assets), Regional and Midsize Financial Institutions ($30–500 billion), and Community Banks (under $30 billion). Each unit is now led by a Senior Deputy Comptroller reporting directly to the Comptroller. The stated rationale from Comptroller Jonathan Gould: aligning with the “historic risk-based supervision approach” and committing to tailor supervision to each bank’s risk profile.

October 7, 2025 — OCC and FDIC jointly propose redefining “unsafe or unsound practice.” The Notice of Proposed Rulemaking would establish, for the first time in statute, a definition of what constitutes an unsafe or unsound practice — and tether MRA authority to instances of demonstrable material financial harm. The comment period closed December 29, 2025.

January 1, 2026 — Mandatory examination activities removed for community banks. OCC Bulletin 2025-24 (Examinations: Frequency and Scope for Community Banks) codified the elimination of mandatory examination activities not required by statute or regulation. Exam scope and frequency are now fully risk-based. The bulletin explicitly targets activities like CRA reviews, fair lending examinations, and end-user derivatives as categories that need not appear in every community bank exam regardless of risk profile.

April 2026 — OCC, FDIC, and Federal Reserve issue updated model risk management guidance. OCC Bulletin 2026-13 replaced SR 11-7 and OCC 2011-12 with a revised framework. Most significant change: a standalone section on vendor/third-party model risk, acknowledging that model risk management principles apply even when banks cannot access model internals from third-party developers.

April 2026 — OCC and FDIC finalize the rule eliminating reputation risk as an examination category. Effective June 9, 2026, reputation risk is formally prohibited as a supervisory tool.


What Reputation Risk Elimination Actually Changes

The reputation risk removal is the most structurally significant change in the OCC’s supervisory toolkit — and its practical impact is wider than the headline suggests.

Before the rule: a bank considering a partnership with a crypto firm, a firearms dealer, or a payday lender could receive examiner feedback that the relationship created “reputational risk” to the institution. That feedback wasn’t always tied to a documented safety and soundness concern — it was a softer form of supervisory pressure that effectively discouraged certain business relationships without a formal prohibition.

After the rule: OCC Bulletin 2026-23 bars the agency from using reputation risk in risk assessments, and from influencing bank-customer relationships based on political, social, cultural, or religious views or lawful business activities. The same day, the OCC, FDIC, and Federal Reserve jointly reissued 15 interagency guidance documents — covering lending, risk management, cybersecurity, and third-party relationships — with all reputation risk references removed.

For bank-fintech partnerships, this is particularly significant. Acting Comptroller Hood characterized fintech partnerships as “critically important” to the banking system in his first major speech. The OCC conditionally approved SmartBiz Loans’ conversion of a community bank in March 2025, framing it as demonstrating that “a safe, sound and fair fintech business model has a place in today’s federal banking system.” Reputation risk was the informal supervisory lever most often invoked when examiners had concerns about bank-fintech arrangements. Its removal changes the conversation.

What doesn’t change: everything else. Banks pursuing new fintech partnerships or crypto activities still must satisfy BSA/AML program requirements, consumer protection obligations, third-party risk management expectations from OCC Bulletin 2023-17, and model risk management requirements. The OCC’s consent order against Community Federal Savings Bank in mid-2026 — issued over BSA/AML failures in its fintech payment processing business — arrived in the same quarter as the reputation risk rule. The supervisory embrace of fintech does not extend to fintech that enables compliance failures.


The Proposed MRA Narrowing — And Why It’s Not Final Yet

The October 2025 proposed rulemaking on MRAs is the piece of the supervisory reset that compliance officers most want to understand — and most frequently misread.

The current situation: an examiner can issue an MRA for practices that are “unsafe or unsound” — a term that has never been defined in statute. In practice, it has encompassed a wide range of concerns, from genuine safety and soundness risks to practices the examiner views as suboptimal or inconsistent with best practice, even absent a demonstrable financial impact.

The proposed change: the NPR would limit MRA authority to circumstances where the practice could reasonably be expected to materially harm the institution’s financial condition, present a material risk of loss to the DIF, or violate a law or regulation. “Material financial harm” in the proposal means a direct, clear, and predictable impact on capital, asset quality, earnings, liquidity, or sensitivity to market risk — or actual financial loss.

The practical effect if finalized: an examiner who identifies a gap in governance documentation, a weakness in board oversight structure, or an operational practice that departs from regulatory guidance — but who cannot trace a direct link to demonstrable financial harm — would lose authority to issue an MRA about it. They could still note concerns in the examination report; they just couldn’t bind the bank to a formal remediation timeline through an MRA.

The important caveat: the comment period closed in December 2025. As of mid-2026, no final rule has been issued. Examiners continue to operate under the current MRA framework until the rule is finalized. Banks preparing for examinations should comply with current standards, not anticipated future ones.


What the Three-Category Framework Means for Exam Prep

The Spring 2026 Semiannual Risk Perspective reorganized the OCC’s examination priority structure into three categories: financial risk, operational risk, and compliance risk. Reputation risk — formerly a fourth category — is gone. This isn’t just a labeling change; it reflects a substantive shift in how examiner attention gets allocated.

Financial risk includes credit, market, interest rate, and liquidity risk. Examiner focus in 2026: credit quality concerns in commercial real estate (especially office properties and refinancing risk), private credit markets, and consumer credit for lower-credit-score borrower segments. The OCC’s Spring 2026 report notes that past-due and nonaccrual loan ratios remain below long-term averages at the system level — but the trajectory in specific segments is what drives examiner attention. Institutions with material CRE concentrations or consumer portfolios weighted toward lower-score borrowers should expect credit risk to be a primary examination focus.

Operational risk covers cybersecurity, third-party risk, technology, and payments. The Spring 2026 SRP specifically called out artificial intelligence as “significantly transforming” the cybersecurity threat landscape — AI lowers the barrier to entry for threat actors and increases the speed, scale, and sophistication of attacks. Examiners are asking about multifactor authentication, patch management, AI-enhanced defensive tools, and — for institutions that have deployed GenAI — governance frameworks and kill-switch protocols. Third-party risk management received its own dedicated section in the FY2025 Bank Supervision Operating Plan; examiners are looking for enterprise-wide TPRM governance, not just individual vendor reviews.

Compliance risk focuses on BSA/AML program adequacy and consumer fraud. For community banks, the OCC updated BSA/AML minimum examination procedures effective February 1, 2026 (OCC Bulletin 2025-37). For large institutions, the TD Bank BSA enforcement action — resulting in $1.75 billion in combined penalties — remains the reference case for what systemic AML program failure looks like.


What the Reset Looks Like in an Actual Exam

Risk-based supervision means examiner time is allocated to high-risk areas. For a community bank that doesn’t touch CRE, has a simple correspondent banking structure, and runs a standard consumer product set, the new approach likely means shorter examinations focused on the risks that actually matter to that institution.

For a community bank that does have CRE concentrations, or that’s launching a fintech partnership, or that’s deployed AI tools in its compliance function, the new approach likely means more intensive examination of exactly those areas — with less time spent on checklist activities that don’t reflect where the real risk lives.

The practical implication: documentation and governance now matter more, not less. When examiners aren’t following a fixed checklist, they’re making judgment calls. The judgment calls go better for institutions that can show their board is engaged with material risks, that KRI dashboards connect to board reporting, and that management demonstrates it identified emerging risks before the examiner did.


What to Do Now

Run a gap analysis against what actually changed. Specifically:

On exam scope: Review OCC Bulletin 2025-24. For each mandatory activity that’s been removed from standard community bank scope, confirm whether your institution actually has material risk in that area. If you do, your exam will still cover it — and you want to be prepared for that conversation, not caught off guard by the assumption it wasn’t coming.

On MRAs: Current standards apply until a final rule is issued. Build your program to current expectations. But if you have open MRAs or past examination findings, start documenting the financial risk rationale for your remediation approach — that framing will be more relevant under a final rule.

On reputation risk removal: This doesn’t change what you need to do in high-risk customer segments. It changes the basis on which examiners can object to it. BSA/AML, consumer protection, and third-party risk management requirements still apply.

On the three-category framework: Map your program against financial risk, operational risk, and compliance risk. Where your KRI monitoring is weakest — probably the intersection of credit model performance and third-party risk — is where the new framework will show you the most gaps.

For institutions building or refreshing their KRI library for a risk-based exam environment, the KRI Library includes 132 pre-built key risk indicators organized across these exact categories — with board-ready reporting formats and calibrated thresholds that reflect current OCC examination expectations.



Sources:

  1. OCC Bulletin 2025-24: “Examinations: Frequency and Scope for Community Banks”: https://www.occ.gov/news-issuances/bulletins/2025/bulletin-2025-24.html
  2. OCC Bulletin 2026-23: “Bank Supervision: Removing References to Reputation Risk”: https://www.occ.gov/news-issuances/bulletins/2026/bulletin-2026-23.html
  3. OCC News Release: “OCC Advances Priority of Reducing Regulatory Burden for Community Banks” (NR-OCC-2026-38): https://www.occ.gov/news-issuances/news-releases/2026/nr-occ-2026-38.html
  4. OCC Spring 2026 Semiannual Risk Perspective (NR-OCC-2026-35): https://www.occ.gov/news-issuances/news-releases/2026/nr-occ-2026-35.html
  5. OCC Bulletin 2026-13: “Model Risk Management: Revised Guidance”: https://www.occ.gov/news-issuances/bulletins/2026/bulletin-2026-13.html
  6. Federal Register: “Unsafe or Unsound Practices, Matters Requiring Attention” NPR: https://www.federalregister.gov/documents/2025/10/30/2025-19711/unsafe-or-unsound-practices-matters-requiring-attention
  7. OCC Organizational Restructuring (NR-OCC-2025-89): https://www.occ.gov/news-issuances/news-releases/2025/nr-occ-2025-89.html

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What changed about OCC examinations for community banks in 2026?
Effective January 1, 2026, the OCC eliminated mandatory examination activities for community banks that are not required by statute or regulation — replacing them with a risk-based, tailored approach. Exam scope and frequency now reflect each institution's specific risk profile rather than a fixed checklist. For example, activities like CRA reviews, fair lending examinations, and end-user derivatives were removed from mandatory scope for institutions where they aren't a material risk. The change flows from OCC Bulletin 2025-24 and is part of a broader supervisory reset under Comptroller Jonathan Gould.
What is the OCC's proposed change to MRAs (Matters Requiring Attention)?
On October 7, 2025, the OCC and FDIC jointly proposed redefining 'unsafe or unsound practice' and narrowing the conditions under which examiners may issue MRAs. Under the proposed rule, MRAs would be limited to practices that, if continued, could reasonably be expected to materially harm the financial condition of the institution or present a material risk of loss to the Deposit Insurance Fund — or violations of law. 'Material financial harm' would require a direct, clear, and predictable impact on capital, asset quality, earnings, liquidity, or sensitivity to market risk. If finalized, examiners would lose authority to issue MRAs for practices that are merely suboptimal or depart from best practice without demonstrable financial impact. The comment period closed December 29, 2025.
Why did the OCC eliminate reputation risk from bank examinations?
The OCC and FDIC finalized a rule in April 2026 (effective June 9, 2026) prohibiting the agencies from using reputation risk in supervisory programs. The OCC concluded that reputation risk 'has not proven useful in predicting bank failures or enhancing safety and soundness' and 'injected a high degree of subjectivity into examinations.' OCC Bulletin 2026-23, issued the same week, removed reputation risk references from 15 interagency guidance documents. The rule bars agencies from instructing banks to terminate relationships with customers, partners, or industries based on reputational concerns.
How did the OCC reorganize its supervision structure in 2025?
Effective October 1, 2025, the OCC divided its bank supervision function into three units organized by bank size: Large and Global Financial Institutions (over $500B in assets, plus foreign-parent institutions), Regional and Midsize Financial Institutions ($30B–$500B), and Community Banks (up to $30B). Each unit is led by a Senior Deputy Comptroller reporting directly to the Comptroller. Comptroller Jonathan Gould characterized the restructuring as aligning with the OCC's 'historic risk-based supervision approach' — tailoring examination intensity to the actual risk profile of each institution.
What are OCC examiners still focused on in 2026 despite the supervisory reset?
The supervisory reset reduces procedural burden — it does not reduce substantive scrutiny on high-risk areas. The Spring 2026 OCC Semiannual Risk Perspective identifies three active examination priorities: credit risk (specifically CRE office vacancy and refinancing risk, private credit markets, and consumer credit in lower-score borrower segments), operational risk (AI-enhanced cybersecurity threats, aging infrastructure, and third-party risk management), and compliance risk (BSA/AML program adequacy and consumer fraud). Any institution with material exposure in these areas will receive more intensive examination attention under the new risk-based approach, not less.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.