The Regulatory Squeeze on Tier 2 Banks: What Happens When Exemptions Expire
Banking Regulation, Data Governance

Written by CoComply Team
Published on 06/10/2026

The Problem

Regulators are no longer distinguishing between "important" banks and "less important" banks when it comes to data governance expectations. The OCC's guidance on operational risk has broadened. The FDIC's expectations around data integrity and risk reporting now extend well beyond the top tier. And BCBS 239, originally aimed at banks whose failure could destabilize the system, is being used as a benchmark for supervisory expectations across the board.

The reasoning is straightforward, even if the implications are uncomfortable. Regulators watched what happened when mid-sized institutions ran into trouble during recent stress events. They saw the same data quality failures, the same reporting gaps, the same inability to produce accurate risk data on time. The only difference was scale. The root causes were identical: fragmented data architectures, manual reconciliation processes, governance structures built around individuals rather than systems.

If the problem is the same, the regulatory expectation will eventually be the same. That "eventually" has arrived.

Why It Matters Now

Three things have shifted simultaneously, and Tier 2 banks are caught in the convergence.

First, supervisory technology has improved. Examiners no longer rely solely on sample-based testing and periodic reviews. They have tools that let them analyze data submissions at scale, spot inconsistencies across reporting cycles, and flag anomalies that would have been invisible five years ago. You cannot hide governance gaps behind the sheer volume of data anymore. The examiners can see through it.

Second, the regulatory narrative has moved from "encouragement" to "expectation." The language in recent supervisory communications is deliberate. Words like "should" have been replaced by "must." Timeframes for remediation have shrunk. Matters requiring attention are being issued for deficiencies that would have earned a polite letter three years ago.

Third, the competitive landscape punishes governance weakness indirectly but severely. Tier 2 banks seeking to grow, whether through M&A, new product lines, or geographic expansion, find that regulatory findings become friction points. A clean exam is no longer just a good outcome. It is a strategic enabler. A dirty one is a strategic blocker.

The Wrong Approach

The most common response we see from Tier 2 banks facing this pressure is what we call "compliance by presentation." Governance frameworks get redesigned in PowerPoint. Policy documents are updated to reference the right standards. Committee charters are rewritten to include the right mandates. Org charts are reshuffled to create a Chief Data Officer role or a Data Governance Committee, even when neither has real authority.

This is governance theater. It works exactly long enough for the next exam, and then it fails.

Here is why. Regulators are not stupid, and they are not new. They have seen every variation of the governance slide deck. When they dig past the presentation layer, they look for three things: can the bank produce accurate risk data when asked? Can it trace that data back to its source? And does the governance structure actually function when the person who designed it is on vacation, or has left the bank entirely?

If the answer to any of those questions is no, the framework on paper does not matter. The finding will come. The only question is severity.

Another wrong approach: throwing headcount at the problem. Hiring more data stewards, more governance analysts, more compliance officers. This works temporarily, because people can compensate for broken processes. But it does not scale. And it creates the very dependency that governance is supposed to eliminate. If your data quality depends on five specific people doing manual reconciliation every morning, you do not have governance. You have a vulnerability.

The Right Approach

The banks that are navigating this pressure well share a few characteristics, and none of them involve larger teams or prettier presentations.

They start with critical data elements. Not all data. Not everything. They identify the specific data elements that drive risk calculations, regulatory reporting, and management decisions. They define them precisely. They assign ownership unambiguously. They build controls around them that operate whether or not a particular person is at their desk.

They invest in lineage. Not the kind of lineage that lives in a metadata repository that nobody looks at. Actual, operational lineage that lets someone trace a number in a board report back through transformations, aggregations, and source systems to the original transaction. This is what regulators mean when they say "data provenance." They do not mean a diagram. They mean the ability to demonstrate, on demand, where a number came from and what happened to it along the way.

They make governance a function of systems, not people. Policies are enforced through automated controls. Attestation workflows are built into platforms, not managed through email chains. Data quality thresholds are monitored continuously, not sampled quarterly. This is not about replacing human judgment. It is about ensuring that the judgment is applied to exceptions, not to routine processes that should not require judgment at all.

And they certify. Not document. Certify. There is a critical difference. Documentation describes what should happen. Certification confirms what does happen, who confirmed it, when they confirmed it, and what evidence they relied on. Certification is repeatable, transferable, and auditable. Documentation is none of those things.

The CoComply Angle

This is the problem CoComply was built to solve. Not the advisory problem of telling banks what their governance frameworks should look like. The operational problem of making governance actually work.

CoComply's certification approach replaces the heroic individual with institutional memory. When a data domain owner attests to quality, that attestation is captured, evidence-linked, and repeatable. When they leave, the certification persists. The next owner picks up where the last one left off, with full visibility into what was certified, why, and when.

For Tier 2 banks facing regulatory pressure with limited resources, this is not a nice-to-have. It is the difference between governance that breaks when people leave and governance that survives turnover, reorgs, and the inevitable churn of mid-sized institutions. It is the difference between presenting a framework and proving that it works.

The Test

Ask yourself this. If your lead data steward, the one person who knows where every reconciliation spreadsheet lives and how every manual fix works, resigned tomorrow, would your next regulatory exam go smoothly?

If the answer makes you uncomfortable, you have work to do. The regulators already know the answer. They are just waiting for you to figure it out.