Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Compliance Strategy

OCC's 2026 Exam Rightsizing: What Community Banks Should Stop Doing—and What Still Gets You Written Up

Effective January 1, 2026, OCC Bulletin 2025-24 eliminated mandatory examination activities that aren't required by law for community banks. That means fair lending risk assessments and flood insurance transaction testing are no longer mandatory every exam cycle. Here's what actually changed, what didn't, and where compliance teams are misreading this shift.

Table of Contents

If your compliance program hasn’t been updated since OCC Bulletin 2025-24 took effect January 1, there’s a good chance your team is still running activities that OCC examiners no longer require—and possibly underinvesting in the areas where examiners are now applying heightened scrutiny. That’s a double mistake: wasted resources and misallocated attention.

TL;DR

  • Effective January 1, 2026, OCC Bulletin 2025-24 eliminated mandatory examination activities not required by statute or regulation for community banks (institutions up to $30 billion in assets)
  • Specifically removed: fair lending risk assessments were mandatory every supervisory cycle; flood insurance transaction testing was mandatory every three cycles — neither is required by OCC policy anymore
  • The new approach is risk-based: examiners focus on material financial risks, tailored to the institution’s size, complexity, and risk profile
  • This doesn’t eliminate fair lending or flood insurance compliance obligations — it removes the mandatory examination cadence, not the underlying legal requirements

How OCC Examination Worked Before

For most of the past decade, OCC examination of community banks operated on a calendar-driven compliance checklist model. Examiners conducted a defined set of activities during each supervisory cycle, some of which were required by statute, some by regulation, and some purely by OCC internal policy. The policy-driven requirements were mandatory regardless of whether they reflected actual risk at a particular institution.

The fair lending risk assessment was the most significant example. It required OCC examiners to formally assess every community bank’s fair lending risk profile during every supervisory cycle — even at a bank with a simple product set, a long history of clean HMDA data, and no recent complaints. The same amount of fair lending examination effort applied to a large agricultural lender with a new fintech partnership and a small community bank with a $40 million commercial loan portfolio.

The OCC’s October 2025 announcement — and the January 1, 2026 effective date — was a deliberate break from that model.

What OCC Bulletin 2025-24 Actually Changed

OCC Bulletin 2025-24 was issued October 6, 2025, effective January 1, 2026. The headline: the OCC is removing mandatory examination activities set by OCC internal policy (not statute or regulation) for community banks, defined by OCC News Release 2025-89 as institutions with up to $30 billion in assets.

Going forward, OCC community bank examiners will tailor examination activities to the institution’s specific size, complexity, and risk profile, with heightened focus on material financial risks — not a standardized checklist.

The two specific mandatory activities removed:

1. Fair lending risk assessment — every supervisory cycle. The OCC previously required examiners to conduct a fair lending risk assessment during every full-scope examination of a community bank. Under the new framework, examiners will determine whether a fair lending examination is warranted based on the bank’s actual risk profile. Institutions with new credit products, AI-assisted decisioning, recent complaints, or HMDA data anomalies should expect fair lending scrutiny. Institutions without those risk factors may not see it every cycle.

2. Flood insurance transaction testing — every three supervisory cycles. The OCC previously required examiners to conduct flood insurance transaction testing once during every three examination cycles, regardless of the bank’s loan mix or flood zone exposure. Under the new approach, examiners assess whether transaction testing is needed based on risk. A bank whose loan portfolio is primarily non-real estate secured, or whose real estate loans are concentrated outside Special Flood Hazard Areas, will face less mandatory testing. A bank with significant mortgage origination volume in high-risk flood zones will still see testing — the risk profile warrants it.

What “Material Financial Risk” Means in Practice

The new framework redirects examiner attention toward what regulators have always cared most about in community banking: whether the institution is financially sound. The specific focus areas under the risk-based approach:

  • Credit quality: Loan performance, non-performing asset trends, concentration levels (CRE, agriculture, C&I), and provisioning adequacy
  • Capital adequacy: Whether the bank holds sufficient capital against its risk-weighted assets and has a credible capital plan
  • Earnings: Core vs. non-core earnings stability; whether earnings are sustainable given the bank’s business model
  • Liquidity: Funding concentration, brokered deposit reliance, and contingency funding availability
  • Operational risk tied to the business model: Third-party dependencies, technology infrastructure, and key person risk

Notice what’s absent from that list: the documentation trail around fair lending risk assessments and the flood insurance transaction testing log. Those things don’t disappear as concerns — but they’re not the lens through which the examination now starts.

For compliance teams at community banks, this means the question shifts from “Do we have the documentation this examiner is required to check?” to “Do our controls actually reduce the risks that examiners are now empowered to prioritize?”

A current RCSA — a risk and control self-assessment that evaluates whether your controls are actually working, not just whether they exist on paper — is the tool that gives you an honest answer to the second question. It’s also the tool that helps you prioritize where to invest limited compliance resources when examiners are asking about material risks, not procedural checklists.

What’s Still Required — Laws Don’t Change Because OCC Policy Does

This is the part most teams misread.

OCC Bulletin 2025-24 removed examination activities that were required by OCC internal policy. It cannot and does not change the statutory and regulatory requirements that govern community banks. All of the following remain fully in force:

  • Equal Credit Opportunity Act (ECOA) and Regulation B: Fair lending prohibitions apply to every credit transaction. Removing a mandatory examination activity doesn’t change whether a discriminatory lending outcome violates ECOA.
  • Fair Housing Act: Applies to mortgage lending regardless of exam cadence.
  • National Flood Insurance Program Act / Regulation H: Banks are legally required to require flood insurance on applicable loans. The frequency of examiner review of that compliance isn’t the same as the compliance obligation itself.
  • HMDA: Data collection, reporting, and public disclosure requirements are statutory and regulatory, not examiner-driven.
  • CRA: Continues to apply under the applicable regulations for community banks.

Regulators removing mandatory examination activities is not a signal that underlying compliance obligations have softened. It’s a resource allocation decision — where examiners spend their time — not a change in what institutions are required to do.

An institution that eliminates its fair lending risk assessment process entirely on the theory that examiners no longer require it is making a serious error. If a fair lending complaint materializes, if HMDA data shows unexplained disparity, or if a new product launch creates demographic skew in approval rates, the absence of any internal fair lending monitoring becomes the first finding of a now-necessary examination. The regulatory exam preparation playbook remains applicable — what changed is the trigger for certain examination activities, not the underlying posture you should maintain.

What This Means for Fintech Partners of Community Banks

If your bank partner is a community bank, their OCC examination is now risk-based and focused on material financial risks. That changes how your relationship is viewed in examination.

Under the prior model, examiners had a checklist that included third-party relationship documentation — policies, due diligence files, contracts, monitoring reports. Banks scrambled to produce documentation before each exam. The focus was on demonstrating that the process existed.

Under the new model, examiners are asking whether the third-party relationships your bank has represent material financial risk, and whether the bank has controls proportionate to that risk. A fintech partnership that represents 30% of the bank’s revenue, creates concentrated funding dependency, or routes significant consumer deposits through a middleware layer — that relationship will receive scrutiny regardless of how complete the documentation file is.

What this means for fintechs: your bank partner is now more concerned with demonstrating that your relationship is financially sound and operationally controlled than with producing paperwork. Compliance conversations with your bank partner will increasingly focus on business performance, risk metrics, and operational reliability — less on policy documentation and more on whether the partnership is actually safe and sound.

The shift doesn’t reduce what examiners need to see — it shifts what they look at first.

The Deregulatory Trap

Some compliance teams are treating the OCC’s announcement as permission to reduce compliance program investment. That’s a mistake, and Wipfli’s analysis identifies the dynamic clearly: deregulatory signals at the federal examination level often coincide with increased enforcement by state regulators, private litigants, and private attorneys general — precisely because the reduced federal examination pressure opens space for other actors.

Fair lending, in particular, is an area where state AG enforcement has been expanding even as federal fair lending examination has been streamlined. An institution that reduces its fair lending monitoring because examiners aren’t requiring a formal risk assessment every cycle may find itself better positioned for federal examination and worse positioned for a state AG inquiry or private class action.

The OCC’s framework change is a resource allocation signal, not a compliance permission slip.

So What? Three Adjustments for 2026

1. Run an RCSA to identify where your material risks actually are. The OCC’s new approach rewards institutions that can demonstrate genuine risk-based decision-making about their controls. An RCSA — assessing which controls are working, which have gaps, and which risks are highest — gives you the factual foundation to prioritize examination preparation. Examiners under the new framework are more likely to accept “we examined this and the risk was low” than “we didn’t do it because OCC no longer requires it.” The RCSA is your evidence that the risk-based judgment was made intentionally.

2. Document your risk rationale for reduced-activity areas. If you decide to reduce the frequency of fair lending risk assessments or flood insurance testing because the risk profile doesn’t warrant it, document that decision. Record what you assessed, what the risk indicators showed, and how you concluded the activity frequency was appropriate. The OCC’s new framework rewards risk-based judgment — but only if it’s documented judgment, not undocumented omission.

3. Shift examination preparation to material financial risk areas. Your CAMELS components — capital, asset quality, management, earnings, liquidity, and sensitivity — are where examiner attention is now concentrated. CAMELS rating preparation and stress testing of credit concentrations, liquidity assumptions, and earnings sustainability deserve more of your pre-exam investment than they did under the documentation-driven model. And as covered in our post on compliance training program requirements, your training calendar should reflect where the actual examination focus has moved.

The OCC’s direction since the February 2026 “rightsizing” initiative is clear: focus compliance effort where it changes outcomes, not where it completes paperwork. That’s a challenge for teams built around checklist execution — and an opportunity for teams that actually understand their institution’s risk profile.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What specific examination activities did OCC remove as mandatory requirements in Bulletin 2025-24?
OCC Bulletin 2025-24 specifically removed two mandatory policy requirements: (1) the fair lending risk assessment, which was previously required during every supervisory cycle; and (2) transaction testing for flood insurance coverage, which was previously mandatory once every three supervisory cycles. Examiners can still conduct both activities when risk warrants it — they simply aren't required to do so every cycle regardless of the institution's risk profile.
What does the OCC now define as a 'community bank' for purposes of these exam changes?
OCC News Release 2025-89 (September 18, 2025) defines community banks for these purposes as institutions with up to $30 billion in assets. Banks above this threshold are not covered by the same mandatory-activity removal and continue to operate under the prior OCC examination framework.
Does removing the mandatory fair lending risk assessment mean the OCC won't check fair lending compliance anymore?
No. The underlying fair lending obligations — ECOA, the Fair Housing Act, and all applicable rules — remain fully in force. What changed is that examiners no longer have to conduct a formal fair lending risk assessment in every supervisory cycle regardless of risk. Examiners will now exercise judgment about whether to conduct fair lending examination activities based on the institution's actual risk profile. An institution with recent fair lending complaints, an AI-driven credit model, or a new product launch will almost certainly see fair lending scrutiny. An institution with a simple product set and clean complaint history may not be examined on fair lending in every cycle.
What does 'material financial risk' mean in the OCC's new examination framework?
The OCC hasn't defined 'material financial risk' with a bright-line rule — but in practice it refers to risks that could meaningfully impair capital adequacy, earnings, liquidity, or asset quality: credit quality deterioration, concentration risks, funding structure, interest rate exposure, and operational risks tied to the business model. Process compliance and documentation — evidence of policies, procedures, and governance controls — was the focus of prior examination cycles. Under the new framework, whether your institution's actual financial risk profile is sound takes priority over whether the paper trail is complete.
Do these changes apply to my fintech's bank partner examination?
If your bank partner is a community bank (up to $30 billion in assets), the new OCC exam approach applies to how your partner is examined. That means the OCC examiner reviewing your bank partner's third-party relationships will focus on whether those relationships create material financial risk for the bank — not whether the bank has met a checklist of documentation requirements. For fintechs, this shifts the due diligence focus: your bank partner is now more concerned with demonstrating that fintech relationships are financially sound and operationally controlled than with producing documentation for documentation's sake.
How should our compliance program change under this new framework?
Three adjustments: First, conduct an RCSA to identify your institution's actual high-risk areas — material financial risks that examiners will focus on. Second, shift compliance resources toward monitoring, testing, and evidence in those high-risk areas rather than maintaining documentation in lower-risk areas where mandatory examination no longer requires it. Third, don't eliminate fair lending, flood insurance, or other compliance activities entirely — ensure decisions about what to test and how often are documented with a risk-based rationale. The exam approach changed; the underlying compliance obligations did not.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

RCSA (Risk & Control Self-Assessment)

141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.