📄 Template ✨ Updated May 2026

RCSA (Risk & Control Self-Assessment)

141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.

$69
🔒 Secure Checkout ⚡ Instant Download 📝 Fully Editable ✅ 30-Day Money-Back Guarantee

Used by compliance teams at banks, fintechs, and asset managers

When control failures make the news

These aren't hypothetical control gaps. They happened at real institutions, were uncovered by regulators, and ended in headline-grabbing penalties. Each one is the kind of finding an honest RCSA — one that scores effectiveness, not just existence — would have surfaced years before the consent order arrived. Your examiner, bank partner, and board read these the same way you should: as evidence that documented controls are not the same as working controls.

October 2024

TD Bank — $3.1B Historic AML Settlement

TD Bank pleaded guilty to conspiracy to commit money laundering — the largest US bank ever to do so. From 2014-2023, executives prioritized the bank's "flat cost paradigm" over an adequate AML program. Transaction monitoring intentionally excluded all domestic ACH and most check activity.

Impact: Total $3.1B: $1.43B DOJ + $452.4M forfeiture, $1.3B FinCEN, $450M OCC, $123.5M Fed. 92% of transaction volume — roughly $18.3T from Jan 2018 to Apr 2024 — went unmonitored. OCC imposed a $434B asset cap until remediation is complete.

Lesson: Documented controls are not effective controls. TD's AML monitoring existed on paper but excluded 92% of transactions by design. The RCSA effectiveness scoring rubric — "does it work," not "do we have it" — and the testing calendar by risk tier are built to surface gaps like this.

August 2020

Capital One — $80M OCC Penalty for Failed Risk Assessment

OCC fined Capital One $80M for "failure to establish effective risk assessment processes" before its 2015 cloud migration. Capital One didn't implement effective network controls, DLP, or alerts. In 2019, a former AWS employee exploited a misconfigured firewall and posted ~30GB of card application data on GitHub.

Impact: 100M US + 6M Canadian consumers affected — names, addresses, credit scores, and ~140,000 SSNs exposed. Cease and desist order required an independent compliance committee, enhanced risk assessment processes, and board oversight. ~$190M in customer remediation and response costs.

Lesson: A new operating environment is a control environment reset. The OCC's exact language — "failure to establish effective risk assessment processes" — is RCSA-speak. The template's chapter on running an assessment without existing controls documentation is built for exactly this scenario.

October 2020

Citigroup — $400M OCC Penalty for ERM Failures

OCC fined Citibank $400M for "long-standing failure" in enterprise risk management, compliance, data governance, and internal controls. Risk management policies failed to identify, measure, and control risks across the enterprise. Board and senior management oversight was inadequate.

Impact: Original $400M penalty + additional $75M in July 2024 for failure to remediate. Cease and desist order required OCC non-objection before significant acquisitions. Remediation cost Citi $2B+ across 2021-2024 and forced major board and management changes.

Lesson: Inadequate board reporting on control effectiveness is itself a control failure. The OCC explicitly cited that "inadequate reporting hinder[ed] effective oversight." The RCSA Results Dashboard and Board Report tab translate assessment output into the heat map a board can act on.

February 2020

Wells Fargo — $3B Settlement for Sales Practices Misconduct

DOJ and SEC fined Wells Fargo $3B for the cross-selling scandal. From 2002-2016, branch employees opened ~3.5M unauthorized accounts to meet sales quotas. Sales-practice controls were self-attested by the same managers being incentivized on volume — and executives denied the connection for over a decade.

Impact: $3B combined DOJ/SEC settlement, 5,300+ employees fired, ~3.5M unauthorized accounts. Earlier $185M to CFPB/OCC/LA City Attorney in 2016. Fed imposed an unprecedented asset growth cap (still partially in place). Multi-year remediation under heightened supervision.

Lesson: Self-attestation is not control testing. The same managers incentivized on sales volume signed off saying their controls worked. The RCSA questionnaire requires evidence-based scoring, and the 1LOD/2LOD/Joint approach selection pairs every self-assessment with explicit 2LOD challenge.

If you're reading this trying to make sure your control environment doesn't end up as someone else's case study — that's exactly what RCSA is for. Here's what you'd recognize:

If any of these sound familiar, you're in the right place

Your bank partner just asked for your RCSA — and the only documentation you have is a Risk Register that doesn't answer "are your controls actually working?"

A Risk Register lists risks. An RCSA evaluates whether your controls are working against those risks. This kit gives you the 141 pre-populated risk-control mappings, the effectiveness scoring rubric, and the questionnaire framework — what your bank partner actually wants to see.

Your last exam came back with a finding citing "inadequate risk assessment processes" — and you don't know where to start.

"Risk assessment process" is examiner shorthand for "we don't see evidence you've evaluated your controls against your risks." The 30-day RCSA cycle in this kit is built around answering exactly that — including a chapter on running your first cycle when you have no existing controls inventory.

Your business line owners are supposed to self-assess controls every year — but the forms are 80 questions of jargon and nobody fills them out.

The questionnaire framework in this kit is designed for non-risk people. Each question includes context explaining why it matters, examples of strong vs. weak controls, and a plain-English scoring rubric. Business line owners complete their section in under an hour.

Updated for the 2024–2026 enforcement focus on control effectiveness

TD Bank pleaded guilty to AML conspiracy in October 2024 — a $3.1B settlement — because controls existed on paper but excluded 92% of transaction volume. Citigroup's 2020 $400M OCC penalty was extended in July 2024 with another $75M for failure to remediate. The OCC, Fed, and FDIC are no longer accepting "we have a control" as the answer; they want "we tested it, and here's the evidence." Bank partners now require RCSA documentation as a standard precondition for fintech onboarding and renewal. This kit reflects that shift — control effectiveness scoring with evidence requirements, evidence-based questionnaires, and a testing calendar with frequencies mapped to risk tiers.

About This Template

RCSA sounds like something that requires a 20-person risk department. It doesn't. This kit gives you a complete RCSA program — pre-populated with 141 fintech risks, a questionnaire framework for self-assessments, a control testing calendar, and a 34-page guide walking you through running your first RCSA cycle in 30 days. Includes a chapter on running an RCSA when you have no existing controls documentation — because that's the reality for most early-stage fintechs.

The questionnaire framework is designed so business line owners can self-assess without needing a risk background — each question includes context, examples, and a plain-English scoring rubric. The control testing calendar maps out what to test and when, with suggested frequencies based on risk tier. By the end of your first cycle, you'll have a defensible view of your control environment that actually means something.

Who Is This For?

  • You're building a risk program and need to show your control environment
  • An examiner or bank partner asked for your RCSA and you don't have one yet
  • You have a Risk Register but can't answer "are your controls effective?"
  • Your business line owners need to self-assess but don't have risk backgrounds
  • You need board-level reporting on control effectiveness within 30 days

Where this fits in your risk program

  • If you have a Risk Register but can't answer "are your controls effective?" — this completes the picture. The 141 pre-populated assessments map directly to the same risk taxonomy as our Risk Register, so the two work together seamlessly.
  • If you're building from scratch — start here. The 141 risks across 21 categories give you a defensible inventory; the questionnaire framework gives your business owners a way to fill it out without a risk background.
  • If you're preparing for an exam — bring the Risk and Control Inventory, the effectiveness ratings, the testing calendar, and the board reporting tab. That's the package examiners and bank partners want to see.
  • If you're replacing a broken process — the 1LOD/2LOD/Joint approach selection lets you redesign who owns what, and the questionnaire framework replaces the 80-question jargon form your business owners refuse to fill out.

What this is not

  • Not a replacement for a Chief Risk Officer or 2LOD review function — this is the toolkit they use, not a substitute for the role.
  • Not a software platform — Excel + PDF templates, not a SaaS GRC tool.
  • Not a Risk Register — a Risk Register lists risks; an RCSA evaluates whether controls work against them. They're complementary (and we offer the Risk Register as a free download).
  • Not theoretical — pre-populated with 141 risks, scoring rubrics, and a 30-day implementation plan you can run on a real cycle this quarter.

Preview

RCSA benefits explained — what each one actually means for your risk program

RCSA approach selection guide — 1LOD, 2LOD, and Joint models by function and risk type

How RCSA connects to your Risk Register and KRI Library — the risk program ecosystem

Board-level RCSA reporting — top risks, heat maps, and movement trends

Excel template — Risk and Control Inventory with 141 pre-populated assessments and effectiveness ratings

RCSA Results Dashboard — control effectiveness distribution, high-risk areas, and remediation priorities

What's Included

  • 141 pre-populated risk assessments
  • Control effectiveness scoring
  • Self-assessment questionnaire framework
  • Control testing calendar
  • Guide for teams with no existing controls
  • RCSA cycle implementation in 30 days

What this saves you

Building a defensible RCSA program from scratch typically takes:

| Task a practitioner would do from scratch | Hours |
| --- | --- |
| Read COSO Internal Controls + ERM frameworks, FFIEC operational risk handbook, OCC heightened standards | 25–35 |
| Build risk-and-control inventory across 21 risk categories with 100+ risk-control mappings | 30–45 |
| Develop control effectiveness scoring rubric with evidence requirements | 15–25 |
| Design questionnaire framework non-risk owners can actually use | 15–20 |
| Build control testing calendar with frequencies by risk tier | 10–15 |
| Develop dashboard and board-reporting tab | 10–20 |
| Total practitioner time | 105–160 hours |

At typical loaded compliance/risk rates ($100–150/hr), that's $10,500–24,000 of internal time. The $69 kit replaces the research and template construction phase, so your team can spend their time on what only they can do — applying it to your specific business.

How to roll this out in 30 days

Most RCSA programs fail because they're built by compliance and never owned by the business. The 30-day rollout below puts business line owners at the center.

  1. Week 1

    Setup, scoping, and approach selection

    Choose your 1LOD/2LOD/Joint approach by function and risk type. Scope your business lines, identify owners per risk category, communicate the cycle timeline. Output: signed scoping document with risk categories in play and accountable owners.

  2. Week 2

    Self-assessments with business line owners

    Each business owner completes their section of the questionnaire using the 141 pre-populated risks as the starting point. Each question has plain-English context and a scoring rubric, so no risk background is required. Output: completed self-assessments with control effectiveness ratings by area.

  3. Week 3

    2LOD challenge and effectiveness scoring

    Risk function challenges the self-assessments with evidence requests, finalizes control effectiveness ratings, identifies gaps, and prioritizes remediation. Output: residual risk view with prioritized remediation actions and assigned owners.

  4. Week 4

    Dashboard, board reporting, action item tracker

    Populate the RCSA Results Dashboard, format the quarterly Board Report tab, and log action items with deadlines and owners. Output: a defensible RCSA your examiner, bank partner, and board can review with confidence — and a baseline you can re-run next cycle.

📄 Full playbook in the PDF guide: The complete rollout including workshop agendas, sample messaging to business owners, and the board-meeting brief format is in the 34-page guide that comes with the template.

Aligned with the 2024–2026 control-effectiveness enforcement landscape

Every section cites its regulatory or framework source so examiners and bank partners get traceable answers when they ask "where did this requirement come from?":

  • COSO Internal Controls — Integrated Framework
  • COSO Enterprise Risk Management — Integrating with Strategy and Performance
  • OCC heightened standards (12 CFR 30 Appendix D)
  • FFIEC IT Examination Handbook (Management and Operations booklets)
  • OCC Bulletin 2023-17 (interagency third-party risk management)
  • Basel Committee Principles for Sound Management of Operational Risk
  • ISO 31000 Risk Management
  • NYDFS Part 500 (control effectiveness assessment for cybersecurity)

Used by risk and compliance teams at fintechs, community banks, BaaS sponsors, and credit unions to run defensible RCSA cycles their bank partners and examiners accept.

Last updated: May 2, 2026

30-Day Money-Back Guarantee

If this template doesn't meet your expectations, email us within 30 days for a full refund. No questions asked.

Frequently Asked Questions

How are the 141 risk assessments organized?

They're grouped by the same 21 risk categories used in our Risk Register — credit, compliance, cyber, vendor, model risk, etc. Each assessment includes a risk description, control mapping, effectiveness rating, and residual risk score. If you're already using the Risk Register, the risk IDs map directly.

Do I need existing controls documentation to use this?

No — the guide includes a dedicated chapter on running your first RCSA when you have no existing controls inventory. It walks you through documenting controls as you discover them during the assessment process, so the RCSA itself becomes your first controls inventory.

What's the difference between this and a Risk Register?

A Risk Register lists your risks. An RCSA evaluates whether your controls are actually working against those risks. Think of the Risk Register as "what could go wrong" and the RCSA as "are we doing enough about it." They're complementary — most mature programs have both.

Can business line owners fill this out without a risk background?

Yes — the questionnaire framework is designed for non-risk people. Each question includes context explaining why it matters, examples of good vs. weak controls, and a plain-English scoring rubric. You send it to a business line owner, they fill it out, you review the results.

How long does the first RCSA cycle take?

The guide includes a 30-day implementation plan. Most teams spend week 1 on setup and scoping, weeks 2-3 on assessments with business line owners, and week 4 on analysis and reporting. After the first cycle, subsequent cycles are faster because you're updating rather than building from scratch.

How does this connect to KRIs and the ERMF?

The RCSA results feed directly into your KRI thresholds (if a control is rated weak, the related KRI threshold should be tighter) and your ERMF reporting (the RCSA provides the control environment view your board needs). All three products use the same risk taxonomy for seamless integration.

Not ready to buy?

Try our free Risk Register first — no payment required.


Related Products

📄 Template
$79

Enterprise Risk Management Framework (ERMF)

Complete ERM documentation: risk appetite, 3 Lines of Defense, committee charter, and board reporting.

📄 Template
$49

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

🎁 Free

Risk Register — Fintech Edition (Free)

141 pre-populated fintech risks across 21 categories. ISO 31000 structure. Ready to use in a week.

Ready to Get Started?

Get the RCSA (Risk & Control Self-Assessment) and start building a defensible risk program today.
