The OCC Just Moved the Goalposts. The Smart Banks Are Not Walking Off the Field.
CoComply Regulatory Insight
The OCC wants to raise the Heightened Standards threshold from $50 billion to $700 billion in average total consolidated assets. If you are a bank sitting between those two numbers, this is the most important governance moment of the year, and the worst thing you can do is treat it like a gift.
The Proposal, Stripped Down
The OCC has proposed amendments that would pull hundreds of banks out of the formal Heightened Standards framework. The threshold jump is dramatic, from $50B to $700B. Fewer institutions would be formally subject to Appendix D. The OCC retains discretion to apply the standards below the new threshold where complexity warrants it. The proposal also opens the floor for comment on whether parts of the Guidelines should be revised, rescinded, or reissued as supervisory guidance.
That last piece matters more than most people realize. Asking whether something should become guidance instead of a rule is not the same as saying it no longer matters. Guidance still drives examination behavior. It just gives examiners more room to apply judgment, which can work for you or against you depending on what your evidence trail looks like.
Why This Is Not a Governance Holiday
Here is what is actually happening on the ground. Supervisory teams are building their view of governance effectiveness from a wider and deeper evidence base than the formal Heightened Standards framework ever required. They are looking through internal audit reports. Management action plans. Regulatory reporting issues. Process oversight gaps. Known control weaknesses. Remediation patterns, not just what got flagged, but what got fixed, what stayed open, what got extended, and whether fixes actually held after closure.
Audit findings and MAPs have become a practical supervisory roadmap. Not just for data governance, for process oversight, regulatory reporting quality, control execution, and governance effectiveness across the board.
The question examiners are bringing to the table is no longer "Are you covered by Appendix D?" It is "Can you prove governance is working against the issues you, your auditors, and your supervisors are already tracking?"
That question does not care about your asset size. It cares about your evidence.
The Questions That Follow You Below the Threshold
Regardless of whether your bank is formally subject to Heightened Standards, supervisors are working through a consistent set of questions:
- Who owns the process, the risk, the data, the report, the control, and the evidence?
- What controls are in place, and are they actually operating, not just documented?
- What evidence supports management's assertion that controls work?
- Which findings and MAPs remain open, overdue, or keep getting extended?
- How is remediation validated, and is the fix sustained after closure?
- How do management and the board know what they need to know?
These questions are not Heightened Standards questions. They are governance effectiveness questions. They apply at any size. The threshold change does not make them go away. It makes answering them well even more important, because the prescriptive framework that told you how to answer them is being replaced by your own judgment, and you have to defend that judgment with evidence.
The Governance Models That Will Fail
Banks that respond to threshold relief by pulling back on governance investment will find that supervisory pressure does not recede with the threshold. It migrates. Instead of showing up as a formal Appendix D finding, it shows up through MRA escalation, reporting restatements, repeat audit findings, and board-level conversations about why governance problems keep surfacing without sustained remediation.
The governance models that will struggle are the ones that depend on manual effort and institutional memory. Spreadsheets tracking controls. Email chains as attestation evidence. Shared drives as documentation repositories. Periodic control reviews that capture a snapshot and miss the operating reality. Fragmented process documentation that no single person can piece together.
These models were already fragile under Heightened Standards. Without the framework's structure holding them in place, they will crack faster.
The Governance Models That Will Win
The banks getting this right are not reducing governance. They are right-sizing it. That means tailoring governance to actual risk profile, complexity, business model, regulatory obligations, and audit history, not to a one-size-fits-all framework designed for institutions ten times their size.
The models that will hold up under the new supervisory approach share several characteristics:
Risk-based, not framework-based. Governance activity maps to what audit has found, what MAPs require, what regulatory reporting depends on, and where process failures have appeared, not to a generic compliance checklist.
Process-aware. Critical processes tied to regulatory reporting, risk reporting, financial controls, and customer impact are owned, governed, controlled, monitored, and evidenced end to end. Ownership is named. Accountability is traceable.
Evidence-driven. Certification of critical data, reports, processes, controls, and remediation activities creates an evidence layer that supervisors can review without narrative interpretation. Structured, traceable, auditable. Not slide decks and meeting minutes.
Remediation-connected. Audit findings and MAPs are not tracked in a separate issue log. They are wired directly into governance execution, closure validation, and sustainability monitoring. Open MAPs are a governance KPI, not a compliance artifact.
Scalable by design. Technology, automation, AI, and workflow reduce manual burden and produce reusable audit-ready outputs. Governance scales without proportional headcount growth.
This is not replacing governance professionals. It is giving them a better operating model.
What to Do Before the Threshold Moves
First, assess your governance against your risk profile, not against the Heightened Standards checklist. Does your model reflect your current size, complexity, regulatory obligations, and control environment? If it was built to satisfy a framework designed for much larger institutions, it is probably carrying overhead you do not need and missing coverage you do.
Second, align governance activity to what audit and supervisors are actually tracking. Map it to audit reports, MAPs, regulatory reporting issues, process oversight gaps, and control weaknesses. If your governance program is not connected to the same evidence trail examiners are using, you are governing in a different conversation than the one that matters.
Third, get serious about process ownership. Identify the critical processes, regulatory reporting, risk reporting, financial controls, customer-impacting operations, and demonstrate who owns them, what controls operate within them, what evidence exists, and how remediation sustainability is monitored.
Fourth, prioritize reporting and risk data. Source systems, manual adjustments, reconciliations, data quality controls, critical data elements, process handoffs, and lineage. This is where supervisory attention concentrates, and it is where most governance gaps live.
Fifth, adopt certification as your evidence layer. Not documentation. Certification, structured, repeatable, defensible proof that critical assets are governed, controlled, and accurate.
The Question That Matters
The OCC is moving from prescriptive compliance to supervisory judgment. That is a harder environment to operate in, not an easier one. Prescriptive frameworks tell you what to do. Judgment-based supervision tells you to prove what you are doing works.
The banks that treat threshold relief as an opportunity to right-size, remediate, modernize, automate, and certify will be positioned for the environment that is actually arriving, one where governance is measured by evidence, not by framework applicability.
The ones that treat it as permission to step back will find that the supervisory questions do not get easier. They just get asked without a playbook.
Right-size. Remediate. Modernize. Automate. Certify.
This is a CoComply regulatory insight. We track supervisory signals, regulatory proposals, and examination trends so banks can build governance that holds up when it is tested, not just when it is presented.