Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Compliance Strategy

Regulatory Examination Readiness: The 60-Day Checklist for Banks, Credit Unions, and Fintechs

The notification letter arrives with 30–60 days' notice. What happens in those weeks determines whether you walk out with a clean report or spend the next year managing MRAs. Here's the pre-examination preparation framework that actually reduces examination duration and findings count.

By Rebecca Leung · June 29, 2026 ·
Table of Contents

The notification letter lands on a Tuesday morning. Forty-five days until the examination begins. The Document Request List will arrive in two weeks, and examiners expect the entire package ready on Day 1.

If your reaction is “we have time,” you’re probably behind. If your reaction is “we have the issues tracker, the policies, and the testing results ready and current,” you’re probably fine.

The examination readiness gap between those two positions is almost entirely a documentation and process management problem. Not a compliance failure problem. Most findings don’t come from institutions that have a bad compliance program — they come from institutions that have a reasonable program with lousy documentation, stale issues logs, policies that were updated last year but not approved by the board, and testing results that live in someone’s email draft.

Here’s the preparation framework that actually reduces examination duration and findings count.

TL;DR

  • The formal notification typically arrives 30–60 days before the on-site exam; the DRL follows 2–4 weeks later with items expected Day 1
  • The core documents examiners always want: org chart, board/committee minutes, policies, issues log, risk assessments, compliance testing calendar and results, prior audit reports
  • 2025–2026 focus areas: TPRM (interagency guidance lifecycle documentation), AI/model risk, BSA/AML program adequacy, UDAAP, and cybersecurity
  • Self-identified issues with documented remediation plans consistently receive better treatment than examiner-discovered issues
  • Pre-exam mock exercise surfaces more actionable gaps than any checklist

The Examination Lifecycle

Understanding the structure of a regulatory examination helps you allocate preparation effort correctly.

Notification phase (Day −45 to −30): Your primary regulator sends a formal notification letter specifying the examination type (safety and soundness, compliance, BSA/AML, IT, CRA, or some combination), the anticipated scope, the on-site start date, and the primary examiner contact. This is when your preparation clock starts.

Document request phase (Day −28 to −14): The Document Request List (DRL) arrives. Examiners specify exactly what they want and in what format. Most DRL items will already have been produced if your preparation was effective — the DRL is a quality check, not a sprint to create documents from scratch.

On-site phase (Day 0 to Day 10–20): Examiners arrive on-site (or in a virtual examination portal) and begin their review. This phase involves document review, process walkthroughs, and staff interviews. Your role shifts from document production to transaction: answering questions, providing additional information as requested, clarifying procedures, and explaining issues.

Examination report and response phase (Day 30–90): The draft examination report arrives with findings, ratings, and any matters requiring attention (MRAs) or matters requiring immediate attention (MRIAs). You have a formal response period — typically 30 days — to write your management response to each finding.

The leverage point is the document request phase. Everything that happens in the on-site phase is shaped by what examiners find in your documentation before they ask their first question.

The 60-Day Preparation Checklist

Days 60–45: Scope the Exam and Run a Pre-Exam Gap Assessment

The notification letter tells you the exam type and likely scope areas. Use that information immediately to:

Pull your last examination report and management responses. Prior MRAs are the single most predictive indicator of what the next examination will probe. Examiners specifically check whether prior findings have been remediated, and repeat findings are treated more harshly than new ones. If you have an open MRA from a prior exam, your first priority is getting it closed — with documented evidence of closure — before the on-site begins.

Run a self-assessment against the exam scope. For a compliance examination covering TPRM, pull your vendor inventory, your due diligence files for critical and high-risk vendors, and your ongoing monitoring documentation. Ask yourself honestly: if an examiner asked for the complete file for our three most critical vendors, what would it show? Policy gaps, missing questionnaires, and overdue annual reviews will be found. Better to find them yourself.

Check policy currency. Policies should be board-approved, dated within the last 12 months (or per your policy review schedule), and consistent with your actual practices. A policy that says “quarterly vendor reviews” but where you actually conduct annual reviews creates a finding regardless of whether annual reviews are sufficient — the gap between policy and practice is the problem.

Days 45–30: The Document Package Preparation Sprint

Build your examination binder — the organized document package you’ll provide at the start of the on-site. Even if your examiner uses a virtual portal rather than physical binders, the same organizational logic applies.

Governance documentation:

  • Current organizational chart with titles and reporting lines
  • Board of directors list, committee structure, and charter documentation
  • Board meeting minutes for the last 12–18 months, including any compliance committee, risk committee, or audit committee minutes relevant to the examination scope
  • Board-approved policies for each area within the examination scope, with most recent approval date

Issues and findings documentation:

  • Your complete issues log with current status for every open item, including examiner-identified MRAs from prior examinations and self-identified compliance issues
  • Evidence of closure for any issues resolved in the last 12 months
  • Root cause analysis documentation for significant or recurring issues

This is the part of examination preparation where your issues management system either earns its keep or creates problems. If your open issues are documented in a spreadsheet with no owner, no due date, and no evidence of management attention, examiners will interpret that as a governance failure independent of what the issues themselves say. A structured, current issues tracker with documented owners, clear due dates, and evidence of closure validates that your compliance program is operationally real. Get the Issues Management Tracker →

Risk assessments:

  • Your current compliance risk assessment covering the examination scope areas
  • Any product-level or transaction-type risk assessments relevant to the exam
  • Enterprise risk assessment or KRI report if the exam includes safety and soundness scope

See How to Build an Annual Compliance Risk Assessment for the methodology that regulators look for in 2025–2026.

Compliance program documentation:

  • Your compliance management system documentation: CMS policy, monitoring and testing results, training records, complaint management summary
  • Compliance testing calendar and most recent testing results — not just the passing results, but the complete record including any exceptions found and how they were resolved
  • Complaint log and trend analysis for the examination period

Third-party risk documentation (if in exam scope):

  • Vendor inventory or critical/high-risk vendor list
  • Due diligence files for your top 5–10 critical vendors
  • Vendor contract exception log
  • Most recent annual reviews for critical vendors

Days 30–14: Staff Preparation and Process Walkthroughs

Two weeks before the on-site, shift your focus from documents to people.

Identify staff who will likely be interviewed. Examiners typically want to speak with: the BSA officer (if BSA exam), the compliance officer or CML, technology and operations staff responsible for processes in the exam scope, vendor management program owner, internal audit or testing team, and line-of-business managers for products in scope.

Conduct a process walkthrough for each likely examination focus area. Walk through the same process an examiner would: what does a vendor onboarding look like end-to-end? Who approves it? Where are the documents? What monitoring occurs post-onboarding? Process walkthroughs routinely surface gaps — especially between what the procedure document says and what actually happens.

Brief staff on examination conduct. Three instructions that matter:

  1. Answer the question asked — completely and honestly. Examiners are trained to distinguish coached from genuine responses. Hedging on clear questions looks worse than a straightforward answer about a known weakness.

  2. “I don’t know, let me confirm that” is an acceptable answer. Guessing or estimating creates risk if the guess is wrong. Examiners respect staff who know the limits of their knowledge.

  3. Escalate unusual requests. If an examiner asks for something outside the expected scope or requests something that creates legal or privilege concerns, the staff member should say “let me check with our compliance officer and get back to you within the hour” rather than producing documents on the spot.

Days 14–0: The Mock Exercise

Running a pre-examination mock exercise — where you internally audit the same documents and processes an examiner will review — is the highest-leverage use of the final two weeks.

Assign someone who wasn’t involved in document preparation to play the role of examiner. Have them:

  • Review the issues log as a new examiner would: do the issues make sense? Is the evidence of closure convincing? Are there patterns that suggest systemic problems?
  • Pull three random vendor files and assess their completeness against your own vendor management policy
  • Ask three compliance staff members to walk them through a specific process without advance notice
  • Test whether the answers in your examination binder are consistent with what staff actually say when asked

What the mock exercise finds is far more valuable than any checklist, because it surfaces the gaps between your documented program and what examiners actually encounter.

2025–2026 Examination Focus Areas

Based on published examination priorities from OCC, FDIC, CFPB, and NCUA for 2025–2026, these are the areas receiving heightened attention:

Third-party risk management: The June 2023 interagency TPRM guidance created new expectations for documenting the full vendor lifecycle — not just due diligence at onboarding, but ongoing monitoring, periodic review, and exit planning. Examiners are checking whether firms have updated their programs to reflect the guidance and whether critical vendor files contain documented risk assessments, ongoing monitoring evidence, and concentration risk analysis. See the MRA Remediation Playbook for how prior TPRM findings typically translate into current examination focus.

AI and model risk: Both OCC and FDIC have published guidance on AI risk governance expectations. Examiners are asking about model inventory completeness, governance committee oversight, pre-deployment risk assessment processes, ongoing monitoring for drift and bias, and what happens when an AI model’s output is challenged. If your firm uses AI in credit decisioning, fraud detection, or customer communications, expect examiner questions about the governance structure.

BSA/AML program adequacy: FinCEN, OCC, and FDIC continue to focus on BSA program sufficiency — particularly transaction monitoring effectiveness, SAR quality, and beneficial ownership procedures. The interagency statement on BSA/AML compliance program assessment remains current guidance. Key examiner concerns: transaction monitoring tuning documentation, false positive rates, and SAR narrative quality.

Consumer protection and UDAAP: CFPB supervision continues to focus on the gap between what products promise and what consumers receive. Marketing materials, fee disclosures, and complaint patterns are primary evidence. Recent CFPB enforcement involving fintech products shows the ongoing relevance of consumer testing, plain-language disclosures, and documented UDAAP review at product launch.

Cybersecurity program maturity: IT examinations and the IT component of safety and soundness exams increasingly focus on patch management (timeliness and exception handling), privileged access management, MFA deployment for remote and critical system access, and incident response plan currency. The FFIEC IT Examination Handbook is the primary reference, and examiners are looking for documented evidence that controls are operating, not just that they exist.

Managing the On-Site Examination

Once examiners arrive, your role shifts from preparation to transaction. The behaviors that matter:

Designate a single point of contact. All examiner requests should flow through one named individual — typically your compliance officer or examination manager — who coordinates document production, schedules staff interviews, and tracks what’s been provided. This prevents duplicate responses, accidental production of privileged material, and conflicting information.

Respond to requests promptly. Examiners work from lists. If they request something and don’t receive it within a few hours, they note the delay. Document production responsiveness signals operational competence. Slow responses signal the opposite — even if the delay is innocent.

Don’t volunteer problems you haven’t already documented. If you become aware of an issue during the examination that you genuinely didn’t know about before, disclose it and explain it with the same management response approach you’d use for any other finding. But don’t proactively identify concerns that are speculative or outside the examination scope — that creates issues from nothing.

Brief your executive leadership daily. Each evening, give leadership a brief status update: what areas are being reviewed, what requests came in, what questions were asked. Surprises in the examination report that senior management didn’t know were coming during the exam are avoidable — and they undermine the management credibility that goes into your CAMELS Management rating.

So What?

Most examination findings don’t reveal a compliance program that doesn’t exist — they reveal a compliance program that exists but isn’t well-documented, current, or consistently operated. The gap between “we do this” and “we have evidence that we do this” is where most MRAs live.

The preparation framework above isn’t about passing an exam on performance. It’s about having an accurate, current picture of your compliance program before examiners arrive — one where you’ve found the gaps yourself, fixed what you can, and documented what you’re working on. That’s the record that produces fewer findings, shorter examinations, and management responses that aren’t in crisis mode.

Start with your issues log. It’s the document that most directly signals whether your compliance program is operationally real. If it’s current, documented, and shows evidence of active remediation, most other documentation problems become manageable.


Sources: FDIC Examination Processes and Procedures | FDIC Risk Management Manual of Examination Policies (Updated March 2026) | FDIC Consumer Compliance Examination Manual | OCC Examination Resources | FFIEC IT Examination Handbooks

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

How much notice do you typically get before a regulatory examination?
Primary federal banking regulators (OCC, FDIC, Federal Reserve, NCUA) typically send a formal notification letter 30–60 days before the on-site examination begins. Community banks and credit unions often receive closer to 30 days. The Document Request List (DRL) usually arrives 2–4 weeks after notification, with examiners expecting most items available on Day 1 of the on-site visit. CFPB supervisory exams and state exams vary but generally follow similar timelines.
What is always in the Day 1 document package?
While every exam scope differs, certain documents almost always appear in the Day 1 request: your organization chart, board and committee minutes for the last 12 months, your current policies and procedures for the exam's focus area, your issues tracker or MRA log with current status, your risk assessment(s) covering the exam scope, your compliance testing calendar and most recent monitoring/testing results, and your most recent audit reports covering the exam area. Having these organized and current before the DRL arrives is 80% of exam preparation.
What are examiners focused on in 2025–2026?
Based on OCC, FDIC, and CFPB examination priorities published for 2025–2026: third-party risk management under the June 2023 interagency guidance (specifically documentation of the full third-party lifecycle and concentration risk), AI and model risk governance (whether firms using AI have documented risk assessments, oversight mechanisms, and explainability procedures), BSA/AML program adequacy (transaction monitoring tuning, SAR quality, beneficial ownership), consumer protection compliance (UDAAP analysis of products and marketing), and cybersecurity program maturity (IT controls, patch management, access management, incident response). CRA compliance continues to receive attention following the 2023 final rule.
How should you handle staff examiner interviews?
Brief your staff on three things: (1) the scope of the examination and the specific processes they're likely to be asked about; (2) the instruction to answer questions honestly and completely — examiners are experienced at detecting prepared or coached responses; and (3) the instruction to say 'I don't know' or 'let me confirm that and get back to you' rather than guessing. Over-preparation that produces scripted, inconsistent answers is worse than honest imperfection. Brief team leads the week before; individual staff the day before their expected interview.
What's the difference between a safety and soundness exam and a compliance exam?
Safety and soundness exams evaluate the financial condition and management quality of the institution — capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk (the CAMELS framework). Compliance exams evaluate adherence to consumer protection laws, fair lending statutes, CRA, BSA/AML, and other regulatory requirements. Both types of exams may include components of the other. Your notification letter will specify the exam type and scope — use that to focus preparation.
What should you fix before the exam versus what should you disclose and explain?
Fix anything that can be fixed legitimately before the exam begins — update stale policies, close out issues with complete evidence, resolve open MRAs from prior exams. Cosmetic changes made in the final days before an exam (e.g., suddenly escalating issues that have been sitting for months, backdating documents) are discoverable and often make findings worse. What you should disclose and explain: issues you've identified, are actively remediating, and can show a documented action plan with timeline. Self-identified issues with a documented remediation plan consistently receive better treatment than examiner-discovered issues with no prior awareness.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Issues Management Tracker & Template

End-to-end issues tracking and remediation management for risk and compliance teams.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.