Community Bank Exam Preparation: A Practical Operations Checklist

Effective January 1, 2026, the OCC shifted its examination approach for community banks. Under OCC Bulletin 2025-24, mandatory policy-based examination requirements were eliminated in favor of a risk-proportionate model where examiners tailor their review to each institution's size, complexity, and risk profile, with heightened focus on material financial risks.

This sounds like relief. In some ways it is. But it carries an important implication that many community bank COOs and compliance officers have not yet fully absorbed: when examiners focus on material risks rather than procedural checklists, documentation quality becomes more consequential, not less. An examiner who is specifically looking at credit risk, liquidity, or BSA/AML effectiveness will ask harder questions and expect cleaner answers than one running through a fixed procedure list. The shift does not change what good exam preparation looks like. It changes why it matters.

Checklist Area #1: Data Sourcing and Integrity

Source mapping for regulatory filings

• Each field in the Call Report, HMDA submission, and other regulatory filings has a documented source system, extract date, and any transformation logic applied

• That mapping is maintained in a current document, not a spreadsheet someone built two years ago and last updated before a staff change

• The mapping document is accessible to the compliance and finance teams, not stored on a single analyst's workstation

Reconciliation between source systems

• Where the same data element appears in multiple systems, a documented reconciliation confirms they agree before each filing

• Discrepancies are resolved and logged with a rationale before the filing is submitted

• The resolution record is maintained and can be retrieved independently of the analyst who performed it

Change log for methodology updates

• When calculation methods, data sources, or reporting logic change, the change is documented with an effective date and rationale before the next filing that reflects it

• Prior period comparisons are explainable: if a figure moved significantly, the movement can be traced to a documented cause rather than attributed to a data shift that nobody recorded

Data sourcing documentation is the foundation of regulatory defensibility. For a deeper treatment of what examiners specifically look for and why contemporaneous records matter more than reconstructed ones, see the discussion of data lineage in financial services.

Checklist Area 2#: BSA/AML Records

Transaction monitoring and alert documentation

• Every alert generated by the transaction monitoring system has a documented disposition: what was reviewed, who reviewed it, the rationale for the decision, and a timestamp

• Batch clearances, where multiple alerts are cleared with a single notation, are supported by documented criteria that justify the batch treatment

• Alert aging is tracked: items open beyond defined thresholds have documented status and are not simply sitting in a queue

SAR filing records

• Supporting documentation for every SAR filed: the transaction data that triggered the referral, the investigation steps taken, the individuals and entities reviewed, and the decision basis

• SARs that were considered but not filed have documented rationale for the non-filing decision

• The filing record confirms timely submission within the required timeframe from the decision date

Independent testing currency

• Independent BSA/AML testing has been completed within the required cycle and the results are documented

• Findings from prior independent testing have been addressed: remediation actions are documented and completed, not pending

• The scope and methodology of independent testing are documented and calibrated to the bank's current risk profile, not carried over unchanged from prior years

Transaction monitoring system validation

• Evidence that the transaction monitoring system is performing as intended: alert rates, false positive rates, and tuning decisions documented with rationale

• Any significant changes to the transaction monitoring system since the last examination are documented, including changes made by the vendor

• The bank's review of vendor model changes is documented. See the AI and model governance section below.

Checklist Area #3: Reconciliation Workpapers

Completeness and consistency of reconciliation records

• Reconciliation workpapers exist for each reconciled account for each period, in a consistent format that supports comparison across periods

• Each workpaper identifies the reconciler, the date performed, the source systems reconciled, and the conclusion

• The workpaper is complete: open items are listed with aging, amounts, and status, not summarized as a count with no detail

Exception item documentation

• Items that remained open at period end have documented status at the time of the next period's reconciliation

• Items open more than 30 days have documented explanations and are on a resolution timeline

• Write-offs and adjustments are supported by documentation of approval authority and business justification

Supervisory account completeness

• Suspense accounts, due-to/due-from accounts, and clearing accounts are reconciled on the required cycle and the reconciliation workpapers are current

• Items that have aged in supervisory accounts have documented explanations

• The reconciliation cycle for each account type matches the bank's policy and the examination expectation

Checklist Area #4: Loan Review Documentation

Credit file completeness

• A current document defines required contents for each loan category: commercial, consumer, residential, and specialty

• Spot sampling of files against that document has been performed recently enough to reflect current origination practices, not just a prior audit cycle

• Gaps identified in spot sampling have been documented and addressed: either the missing items have been obtained or the gap has been formally risk-accepted with documented rationale

Policy exception documentation

• Policy exceptions are documented at origination, not added retroactively

• Each exception record identifies the exception type, the approval authority, and the compensating factors that supported the exception

• The exception approval authority matches the bank's loan policy: exceptions requiring board or senior credit committee approval are documented at that level

Loan review and QC records

• The loan review function has documented findings for the current and prior cycle

• Findings have documented dispositions: either the risk was accepted with rationale or a correction was made and documented

• The loan review scope covers the required portfolio segments and is calibrated to the bank's current risk concentrations, not a fixed legacy approach

Criticized and classified asset documentation

• Criticized and classified credits have current credit analyses that support their classification grade

• Watch list items are reviewed on a defined cycle and the review records are current

• Any grade changes since the last examination are documented with the basis for the change

Checklist Area #5: AI and Model Governance

Model inventory

• The bank has a current, documented inventory of every model in use, including models embedded in vendor products

• Each model entry identifies what the model does, what data it uses, what decisions it informs, and who is responsible for overseeing it

• The inventory was reviewed and confirmed current within the past 12 months

Validation documentation

• Each model on the inventory has validation documentation, either the bank's own or the vendor's

• The bank has reviewed vendor validation documentation and can demonstrate it was evaluated for fit to the bank's specific operating environment

• Validation documentation is dated and matches the current version of the model in use

Human oversight records for model-assisted decisions

• Where a model output influences a consequential decision, there is a documented record that a human reviewed the output before it took effect. See the AI governance for community banks post for what the April 2026 OCC guidance expects from community banks specifically.

• The bank's policy defines which model outputs require human review before they affect a customer decision, regulatory filing, or risk classification

• Exceptions (where a model output was used without the defined review) are logged and explained

How to Use This Checklist

Working through these five areas produces one of two results: either the documentation is current and retrievable, in which case exam preparation is largely pulling together what already exists, or gaps surface that need to be addressed before the next examination cycle.

The practical starting point is to assign ownership. Each checklist area should have a named individual who is responsible for the documentation being current and retrievable. For most community banks, this maps to existing management structure: the CFO or controller owns data sourcing and reconciliation, the BSA officer owns BSA/AML records, the chief credit officer owns loan review, and the CRO or a designated compliance function owns model governance.

The second step is to test retrievability, not just existence. A policy document that exists but cannot be located quickly under examination conditions is not operationally useful. Each documentation set should be accessible within minutes, not hours, and should not depend on any single employee knowing where to find it. Shore's free CORE Assessment evaluates operational readiness across five categories including data readiness and regulatory compliance. It identifies where documentation gaps are concentrated so you know what your examiner will find before they find it.