Community banks interpreting recent OCC supervisory changes might consider re-examining their risk profiles and shifting effort to risk management processes and reporting in areas of greatest institutional concern, experts say. With the regulator moving away from what some observers felt was a one-size-fits-most approach to community-bank oversight, going deep in key risks rather than broad across a menu of many could yield the lighter regulatory burden the OCC intended and healthier banks overall, these experts believe.
“The OCC is shifting toward a less prescriptive, more principles-based approach to supervision—scaling back from a more direct, hands-on oversight model,” said Brendan Mulvey, managing director and compliance and risk management leader at Huron, a global professional services firm. “The thread pulling through the OCC and other agencies is a move toward more flexibility, and a re-grounding in core financial risk.”
Signaling this flexibility, the FDIC recently proposed limiting the actions for which examiners could issue warnings or impose penalties, while the Fed is exploring easing qualifications for banks to achieve its “well managed” rating.
In its early-October announcement, the OCC said it would shift to “risk-based” assessments for community banks tailored to the specific profiles of each institution. Comptroller of the Currency Jonathan Gould said the actions would “relieve these banks of regulatory burden and unproductive reporting requirements, so they are better positioned to support their communities and drive economic growth.”
The OCC is hoping to reduce the regulatory creep of rules that were designed for larger banks. It is also focusing less programmatically on a standard range of risks and drawing a line between the large-bank risks that have potential to affect the financial system overall and the small-bank risks whose impacts are usually limited to communities and local customers.
“We’re seeing a push by the federal banking agencies to say, ‘Look, community banks have a different set of risk profiles,’” said Bobby Bean, managing director in the regulatory consulting practice at Forvis Mazars. Bean, a former FDIC regulator, said the changes were a potentially welcome relief for a segment of banking that is particularly challenged to allocate the resources necessary to meet regulatory expectations.
The new rules apply to all banks regulated by the OCC with $30 billion or less in assets. More than 80% of the institutions it supervises are community banks and federal savings associations.
Preparing for Change
The changes present a moment for community banks to rethink their approach to compliance, reporting, and examinations. They’re a catalyst for prioritizing management of the risks that matter most and shifting the narrative, and conversation, with regulators, says Shaun Harms, principal of the regulatory consulting practice at Mazars.
“This is an opportunity to look at your institution in the mirror and ask what you could be doing better. And it’s about aligning your efforts to those areas that examiners are truly going to look at,” he said.
It does imply, though, that banks will need to be proactive in integrating risk practices more thoroughly across all lines of defense, the experts say. And they’ll need to do more self-monitoring which, paradoxically, could come at a higher price. “If I’m a chief risk officer at a community bank right now I’m asking myself, ‘Do I have enough of a self-policing framework in place?’ said Mulvey. “That means more than just having policies, programs, and a defined risk appetite.”
Those relying on regulators as their “last line of defense,” for example, may now need to skill up in certain risk areas to harden their internal guardrails and self-assessment practices. Audit functions may feel added strain without a regulator as backstop, while institutions will need to ensure they’ve sufficiently elevated the risk function to backfill any regulatory voids, Mulvey added. “For boards and executives, the question will be, ‘How do we navigate in the dark, without this [regulator] flashlight showing us where it is safe to operate?’”
Greater bank self-sufficiency might be just what the OCC wants, suggests Bean. “As banks bring this approach on board, it will be a win-win for everyone,” he said. “It reduces everyone’s burden if the bank takes a more integral approach to risk management as they go along instead of waiting for an MRA (Matter Requiring Attention) on the back end. The OCC is saying, ‘If you do it all along, we’re going to reward you and reward the system.’”
Watching Models, Staying Adaptable
As part of the announcement, the regulator also clarified that it would not subject community banks to prescriptive model validation examinations, leaving banks instead to review their models at their own discretion, commensurate with risk.
Risk professionals already decide the frequency of model review and validation themselves. “None of what has been outlined here represents a change to how we’ve been examined in the past,” noted the head of model risk at one community bank. “This just codifies the policy.”
Data from ProSight’s 2025 Model Risk Management Survey show divergence in banks’ approach to model validation and review. Among those institutions using three tiers of risk for their model risk frameworks, the majority (57%) of banks perform full-scale independent validations every 24 months and reviews every year (63%) on their highest-risk models. Validations fall to every three years (52%) for tier-two models. About a third (37%) validate lowest risk-tier models every five years.
This was the first of multiple steps, the OCC said, to improve flexibility and remove some burdens of model risk management compliance. For now, examiners will have greater flexibility to focus on the most important models should risks appear, Harms said. “This gives them a better framework than they had. Before they were in a box, going through the checklist, and now they can look at models from a bank’s perspective to understand what’s happening and what needs to be done.”
Among other recent proposed changes, the OCC also said it wants to make licensing for certain corporate activities and transactions faster and less expensive for some community banks, using new guidance to qualify more institutions for expedited or reduced filing procedures. And it wants to rescind its Fair Housing Home Loan Data System regulation, removing what it says are largely duplicative and inconsistent with other legal authorities requiring larger banks to collect application information on home loans. Both proposals are out for industry comment.
With this latest swing from stiffer regulation underway, it’s important to remember that laws and oversight trends change, Mulvey said. As community banks realign their risk processes and resourcing for this new supervisory approach, building a framework tuned to risk appetite—rather than regulatory winds—is essential to the long-term durability of any risk management program.
The OCC changes have encouraged clients “to circle back to this idea of why risk management matters in the first place, and what the potential costs, benefits, and risks are in what they offer and how they operate,” Mulvey said. “They really need to be prepared for changes down the road, which may include potential reversals on the things that are happening now.”
By Michael Bender
