
How Can Financial Institutions Navigate OCC Regulations and Stay Audit-Ready in 2025

by Team Atlan

Last Updated on: June 11th, 2025 | 12 min read


Quick Answer: What are OCC regulations? #


OCC regulations are a set of supervisory guidelines from the Office of the Comptroller of the Currency (a bureau within the U.S. Department of the Treasury) that apply to:

  • National banks
  • Federal savings associations
  • Federal branches and agencies of foreign banks

OCC regulations require national banks and federal savings associations to operate safely and soundly, treat customers fairly, and comply with applicable banking laws. Non-compliance can result in supervisory action, civil money penalties, or, in extreme cases, loss of charter.

Up next, explore what OCC regulations require, why compliance matters and how to ensure it, and how a metadata control plane like Atlan helps you stay audit-ready.


Table of contents #

  1. OCC regulations explained
  2. Understanding the history of OCC oversight and heightened standards
  3. What are the key requirements to ensure compliance with OCC regulations?
  4. What are the common challenges to OCC compliance readiness?
  5. How can you ensure compliance with OCC regulations using a metadata control plane like Atlan?
  6. Final thoughts on OCC regulations and ensuring compliance
  7. OCC regulations: Frequently asked questions (FAQs)

OCC regulations explained #

OCC (Office of the Comptroller of the Currency) regulations govern the institutions that make up the U.S. federal banking system.

The Office of the Comptroller of the Currency, an independent bureau of the U.S. Department of the Treasury established in 1863, is the primary regulator of national banks and federal savings associations. It also supervises federal branches and agencies of foreign banks operating in the U.S.

Its mission is to ensure that federally chartered banks operate safely and soundly, treat customers fairly, provide equitable access to financial services, and comply with applicable banking laws and regulations. Its core responsibilities include:

  • Supervising banks through regular on-site examinations
  • Issuing regulations that govern national banks and savings associations
  • Chartering and licensing new financial institutions
  • Enforcing corrective actions when risks or violations are found
  • Protecting consumers and overseeing fair lending practices

How does the OCC work? #


The OCC uses a risk-based supervisory model to assess the health and compliance of financial institutions. Examiners conduct regular reviews — typically every 12 or 18 months.

These evaluations assess a bank’s governance, operational resilience, and, for institutions with average total consolidated assets of $50 billion or more, compliance with the OCC’s Heightened Standards (12 CFR Part 30, Appendix D). This process involves:

  • Continuous supervision with regular examiner meetings and off-site monitoring
  • Comprehensive exams covering capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk (the CAMELS components)
  • Evaluation of third-party risk, model governance, and IT systems
  • Use of enforcement actions (e.g., consent orders, civil money penalties) if serious deficiencies are identified

OCC’s examination process intersects with data governance, especially in areas like model risk, data quality, vendor oversight, and real-time reporting. Non-compliance can trigger severe enforcement actions, such as consent orders, business restrictions, or civil money penalties.

For instance, in March 2024, the OCC assessed a $250 million civil money penalty against JPMorgan Chase Bank, N.A. for gaps in its trade surveillance program. The bank lacked adequate data controls, resulting in billions in unmonitored trades across at least 30 global venues.

Another notable case is the OCC’s enforcement action against Citibank in 2024, where the bank faced a $75 million civil money penalty. This penalty was due to Citibank’s inadequate progress in addressing deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls as outlined in the original 2020 order.

What do OCC regulations ask for from financial institutions? #


While the exact expectations depend on bank size and complexity, key requirements include:

  • Board and senior management oversight with clear lines of accountability
  • Formal risk governance frameworks for institutions with $50B+ in assets
  • Internal controls and audit coverage over both business and technology domains
  • Data quality and lineage visibility to support accurate regulatory reporting
  • Model validation and monitoring for credit, AML, and AI/ML systems
  • Vendor management policies to ensure outsourced data/services meet regulatory standards
  • Consumer protection and fair lending compliance (e.g., ECOA), alongside BSA/AML obligations such as suspicious activity reporting

In practice, this means data leaders must ensure end-to-end visibility, auditable processes, strong metadata practices, and the ability to prove compliance during OCC exams.


Understanding the history of OCC oversight and heightened standards #

OCC regulations have evolved over 160 years, shaped by financial crises, innovation, and increasing reliance on data-driven systems. This evolution reflects a growing emphasis on risk governance, model oversight, and operational resilience.

Key laws and regulations under OCC oversight #


The following laws and regulations form the backbone of OCC’s supervisory framework:

  • National Bank Act (1864): Established the OCC and the federal bank charter system.
  • Bank Secrecy Act (1970): Mandated AML compliance and suspicious activity reporting.
  • Equal Credit Opportunity Act (1974): Enforced fair lending and anti-discrimination in credit.
  • FDIC Improvement Act (1991): Introduced prompt corrective action tied to capital categories and required regulators to set safety and soundness standards (Section 39 of the FDI Act), the statutory basis for 12 CFR Part 30.
  • 12 CFR Part 30 – Safety and Soundness Standards (1995): Set governance expectations for operations and risk controls.
  • 12 CFR Part 30, Appendix D – Heightened Standards (2014): Required formal risk frameworks for large national banks.
  • OCC Bulletin 2011-12 – Model Risk Management (MRM): Established governance protocols for model development and validation.

The evolution of OCC: A brief overview #


Founded in 1863 and formalized by the National Bank Act of 1864, the OCC regulates and supervises national banks and federal savings associations. Over the decades its role has expanded from basic oversight of charters and capital to enforcing enterprise-wide risk governance, vendor management, and data integrity.

Two key milestones reshaped the regulatory landscape:

  • 12 CFR Part 30 (1995) introduced enforceable safety and soundness standards under Section 39 of the FDI Act, as added by the FDIC Improvement Act.
  • Appendix D (2014) responded to the 2008 crisis with stricter governance for banks with assets over $50 billion. These include formal risk frameworks, engaged board oversight, and independent audit and risk functions.

The OCC expects institutions to operationalize controls from ingestion to modeling, complying with regulatory requirements such as the Bank Secrecy Act (1970) and the Equal Credit Opportunity Act (1974).

Appendix D applies to national banks, federal savings associations, and federal branches with average total consolidated assets of $50 billion or more, a group that includes JPMorgan Chase, Citibank, Bank of America and Wells Fargo Bank; the OCC also reserves the authority to apply it to smaller institutions whose operations are highly complex or present heightened risk. Covered institutions must maintain a formal risk governance framework, oversight by an engaged board of directors, and independent risk and audit functions.

For data teams, these requirements translate into mandates for auditable pipelines, model transparency, and system-wide data governance.

With OCC Bulletin 2011-12, model risk management has become a focal point. Failures in explainability, drift detection, or bias mitigation—especially in ML systems used for credit, AML, or fraud detection—can result in regulatory scrutiny or action.


What are the key requirements to ensure compliance with OCC regulations? #

OCC compliance requires financial institutions to meet a set of rigorous expectations across governance, risk management, data integrity, and operational controls. These requirements are structured to ensure safety, soundness, and consumer fairness in federally chartered banks.

For data and risk leaders, compliance isn’t just about meeting audit requirements — it’s about embedding robust, auditable processes into the data stack and aligning governance with regulatory expectations.

Core requirements under OCC supervision include:

  1. Effective corporate governance: An engaged board and senior management must establish a clear risk appetite, oversee risk exposure, and review data-driven decisions.
  2. Comprehensive risk management frameworks: Institutions must identify, measure, monitor, and control risks across functions — with particular emphasis on credit, liquidity, operational, and compliance risks. For instance, set up accurate and well-governed data for stress tests like CCAR and DFAST, assessing capital adequacy in adverse conditions.
  3. Internal controls and audit: Banks are expected to maintain strong internal controls, periodic assessments, and an independent audit function that covers IT and data systems.
  4. Compliance management systems (CMS): A well-defined CMS must ensure ongoing adherence to laws like the BSA, ECOA, and AML rules, especially in data collection and reporting processes.
  5. Model risk management (MRM): Models (including AI/ML models) must be documented, validated, monitored for drift and bias, and governed as per OCC Bulletin 2011-12.
  6. Third-party risk oversight: Maintain an inventory of third-party relationships and track third-party access to sensitive data, consistent with the interagency third-party risk management guidance (OCC Bulletin 2023-17). Data shared with vendors must be secured, and identified weaknesses in a vendor’s controls must be remediated or compensated for.
  7. Accurate and timely reporting: OCC examiners rely on institution-reported data. Poor data quality, missing lineage, or undocumented transformations can trigger findings or enforcement actions.
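As an added illustration of the drift-monitoring expectation in item 5 (example code written for this article, not code from the OCC, Atlan, or any bank), the block below computes the population stability index (PSI) between a model’s validation-time score distribution and its current production scores and turns the result into an auditable decision. The bin edges, score samples, model identifier and the 0.10/0.25 thresholds are constructed assumptions; the thresholds are a common industry rule of thumb, not an OCC-mandated value.

```python
"""Added example: population stability index (PSI) as a drift check for a
scoring model. Illustrative code for this article; thresholds, bin edges and
score samples are constructed assumptions, not OCC-mandated values."""
import math

# Constructed bin edges, e.g. taken from validation-time score quintiles.
# Bins are (-inf, 0.2], (0.2, 0.4], (0.4, 0.6], (0.6, 0.8], (0.8, +inf).
BIN_EDGES = [0.2, 0.4, 0.6, 0.8]

# Rule-of-thumb thresholds used by many MRM teams (assumption, not regulation).
PSI_WATCH = 0.10
PSI_ESCALATE = 0.25


def bin_counts(values, edges=BIN_EDGES):
    """Histogram `values` into len(edges)+1 bins with right-closed edges."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        i = 0
        while i < len(edges) and v > edges[i]:
            i += 1
        counts[i] += 1
    return counts


def psi(expected_counts, actual_counts, eps=1e-6):
    """PSI = sum over bins of (actual% - expected%) * ln(actual% / expected%).
    `eps` floors empty bins so a bin that was populated at validation time but
    is empty in production registers as drift instead of crashing on log(0)."""
    if len(expected_counts) != len(actual_counts):
        raise ValueError("bin counts must align")
    e_total, a_total = sum(expected_counts), sum(actual_counts)
    if e_total == 0 or a_total == 0:
        raise ValueError("empty distribution")
    total = 0.0
    for e, a in zip(expected_counts, actual_counts):
        e_p = max(e / e_total, eps)
        a_p = max(a / a_total, eps)
        total += (a_p - e_p) * math.log(a_p / e_p)
    return total


def drift_status(value):
    """Map a PSI value to an action, so the check produces an auditable
    decision rather than just a number."""
    if value < PSI_WATCH:
        return "stable"
    if value < PSI_ESCALATE:
        return "moderate drift: investigate"
    return "significant drift: escalate to model owner and validation"


def drift_report(model_id, baseline_scores, current_scores, edges=BIN_EDGES):
    """One record per monitoring run; this is the artifact an examiner would
    expect to see retained alongside the model inventory entry."""
    expected = bin_counts(baseline_scores, edges)
    actual = bin_counts(current_scores, edges)
    value = psi(expected, actual)
    return {"model_id": model_id, "expected_bins": expected,
            "actual_bins": actual, "psi": round(value, 4),
            "status": drift_status(value)}


if __name__ == "__main__":
    # Constructed score samples: a validation-time baseline spread across the
    # range, and a production batch skewed toward low scores.
    baseline = [0.05, 0.15, 0.25, 0.35, 0.45, 0.55, 0.65, 0.75, 0.85, 0.95] * 10
    production = [0.05, 0.1, 0.15, 0.25, 0.3, 0.35, 0.45, 0.55, 0.7, 0.9] * 10
    print(drift_report("credit_pd_v3", baseline, production))
```

PSI only detects a shift in the score (or input) distribution; it says nothing about whether the model is still accurate or whether outcomes differ across protected classes. In practice it sits next to outcome monitoring and fairness metrics, and the retained report, not the raw number, is what evidences the control during an exam.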

What are the common challenges to OCC compliance readiness? #

Financial institutions often face steep challenges in aligning with OCC standards:

  • Fragmented metadata and documentation: Without a unified metadata system, tracking data lineage, ownership, and usage across platforms becomes difficult, especially during audits.
  • Legacy systems and outdated infrastructure: Legacy platforms aren’t built for modern compliance standards, making it difficult to track, audit, or integrate metadata effectively.
  • Poor visibility into third-party data risk: As institutions rely more on cloud providers, data processors, and AI vendors, they need consistent processes to evaluate and monitor external data access and usage.
  • Manual, error-prone compliance processes: Spreadsheets and static documents are still common, creating risk of outdated information, human error, and inefficiencies in responding to audits or supervisory exams.
  • Inconsistent data quality and reporting: Compliance requires accurate, timely, and auditable reporting. But poor data quality, conflicting definitions, and missing context undermine trust in regulatory submissions.
  • Siloed risk and compliance functions: Risk, compliance, audit, and engineering often operate in silos, leading to misaligned controls and duplication of effort and overlooked gaps.
  • Inadequate model governance: With increased reliance on AI/ML, many institutions struggle to validate models, track changes, or explain outcomes — all of which are required under OCC guidelines like Bulletin 2011-12.
  • Lack of real-time policy enforcement: Static policies buried in PDFs are hard to scale. Institutions need metadata-driven policy engines that can automate enforcement across data platforms.

Addressing these challenges requires metadata as infrastructure. A metadata control plane can help bridge silos, automate lineage, enforce policies, and surface the insights needed to stay OCC-ready.


How can you ensure compliance with OCC regulations using a metadata control plane like Atlan? #

A metadata control plane like Atlan provides the foundation for aligning technical systems with supervisory expectations.

Here’s how Atlan helps:

  • Centralize metadata across systems: Bring together metadata from data warehouses, BI tools, data quality systems, and third-party platforms into one unified view—crucial for demonstrating end-to-end data flow during OCC exams.
  • Automate lineage and impact analysis: Automatically map upstream and downstream dependencies to show how data originates, moves, transforms, and is used.
  • Set and enforce data policies at runtime: Use metadata-powered access controls (e.g., tag-based policies, column-level restrictions) to enforce data handling rules dynamically across platforms like Snowflake, Databricks, and BigQuery.
  • Track ownership and accountability: Assign personas and responsibilities to every asset, ensuring that risk, audit, and data owners can be clearly identified during supervisory reviews.
  • Monitor data quality with context: Tie data quality checks to business definitions and usage, enabling proactive resolution of issues that could compromise regulatory reporting or model reliability.
  • Enable audit-ready documentation: Automatically generate documentation from metadata, with AI-assisted asset descriptions where needed, including policy lineage, usage logs, and asset descriptions, cutting down manual work and reducing audit risk.
  • Strengthen model risk management (MRM): With integrations into ML platforms and built-in model context, Atlan supports traceability, explainability, and governance of models under OCC’s model risk standards.
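The lineage, tag-based policy and audit-ready documentation bullets above describe one mechanism: classification applied once at the source is carried downstream along lineage, and any asset carrying a tag is masked for roles that are not cleared for it. The block below is an added, self-contained illustration of that mechanism written for this article; it is not Atlan’s API or any bank’s implementation, and the asset names, tags, roles and lineage graph are constructed.

```python
"""Added example: tag propagation along lineage plus tag-based masking with an
audit trail. Illustrative code written for this article, not Atlan's API or
any bank's implementation; asset names, tags, roles and the lineage graph are
constructed."""
from collections import deque

# Constructed column-level lineage: asset -> set of upstream assets it is
# derived from. Dotted names are hypothetical (schema.table.column).
LINEAGE_UPSTREAM = {
    "raw.customers.ssn": set(),
    "raw.customers.email": set(),
    "raw.loans.amount": set(),
    "staging.customer_360.ssn_hash": {"raw.customers.ssn"},
    "staging.customer_360.email": {"raw.customers.email"},
    "reporting.hmda_submission.applicant_key": {
        "staging.customer_360.ssn_hash", "raw.loans.amount"},
    "reporting.exec_dashboard.total_loans": {"raw.loans.amount"},
}

# Classification applied once, at the source, by a data steward (constructed).
SOURCE_TAGS = {
    "raw.customers.ssn": {"PII", "SENSITIVE"},
    "raw.customers.email": {"PII"},
}

# Tag -> roles permitted to read cleartext. Any other role sees masked values.
# Roles are hypothetical; in practice these map to warehouse roles or groups.
MASKING_RULES = {
    "PII": {"COMPLIANCE_ANALYST", "DATA_STEWARD"},
    "SENSITIVE": {"DATA_STEWARD"},
}

MASK = "***MASKED***"


def _downstream_index(upstream):
    """Invert the upstream map so each asset lists its direct dependents."""
    down = {asset: set() for asset in upstream}
    for asset, parents in upstream.items():
        for parent in parents:
            down.setdefault(parent, set()).add(asset)
    return down


def impact_analysis(asset, upstream=LINEAGE_UPSTREAM):
    """Return every asset transitively derived from `asset` (BFS over lineage).
    This answers the examiner's question when a source column changes or is
    found to be wrong: which reports and models are affected?"""
    down = _downstream_index(upstream)
    seen, queue = set(), deque([asset])
    while queue:
        current = queue.popleft()
        for child in down.get(current, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def propagate_tags(source_tags=SOURCE_TAGS, upstream=LINEAGE_UPSTREAM):
    """Push classification tags downstream along lineage. Conservative default:
    a derived column (even a hashed one) inherits every tag of its sources
    until a steward explicitly re-classifies it."""
    tags = {asset: set(t) for asset, t in source_tags.items()}
    for source, inherited in source_tags.items():
        for dependent in impact_analysis(source, upstream):
            tags.setdefault(dependent, set()).update(inherited)
    return tags


def apply_policy(role, record, tags):
    """Mask each value in `record` (asset -> value) that carries a tag the
    `role` is not cleared for, and return (masked_record, audit_events).
    Every decision is logged so the control can be evidenced at exam time."""
    masked, audit = {}, []
    for asset, value in record.items():
        blocking = sorted(
            tag for tag in tags.get(asset, ())
            if tag in MASKING_RULES and role not in MASKING_RULES[tag])
        masked[asset] = MASK if blocking else value
        audit.append({"asset": asset, "role": role,
                      "decision": "mask" if blocking else "allow",
                      "tags": blocking})
    return masked, audit


if __name__ == "__main__":
    tags = propagate_tags()
    print("Affected by raw.customers.ssn:",
          sorted(impact_analysis("raw.customers.ssn")))
    # Constructed row of values keyed by asset name.
    row = {"staging.customer_360.ssn_hash": "9f86d0...",
           "staging.customer_360.email": "a@example.com",
           "reporting.exec_dashboard.total_loans": 1250000}
    for role in ("BI_ANALYST", "COMPLIANCE_ANALYST", "DATA_STEWARD"):
        masked, audit = apply_policy(role, row, tags)
        print(role, masked)
```

Two design choices matter for an exam. First, propagation is conservative: the hashed SSN column inherits both PII and SENSITIVE, so a downstream regulatory extract built from it is masked for a BI analyst until a steward deliberately re-classifies it, which is the safer failure mode. Second, the audit list is returned alongside the masked data rather than printed, so the caller can write it to the same store the examiner will ask for; a masking control that cannot show its decisions is hard to evidence.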

Real-world impact: How North drives millions in value by governing Snowflake with Atlan #


Consider North, a leading payments solution provider processing over $100 billion in annual transactions and managing a vast data estate: 225,000 assets, totaling 41 terabytes on Snowflake.

As data volume and variety grew, so did the demand for access, shifting the challenge from mere data accessibility to the more complex issues of data governance and discovery.

With Atlan, North:

  • Transformed data discovery by eliminating silos and improving searchability.
  • Embedded governance into workflows by integrating the Atlan Chrome Extension with Jira and Slack. As a result, North’s data consumers could raise issues directly in their tool of choice, with a hyperlink to specific assets included automatically.
  • Scaled policy enforcement–dynamic data masking at scale–using Atlan Playbooks (rule-based automation).

As a result, North realized $1.4 million in annual efficiency gains and a 700% increase in tagged assets in Snowflake.


Final thoughts on OCC regulations and ensuring compliance #

OCC regulatory compliance is a rigorous, evolving mandate that demands technical precision and system-wide coordination. For data leaders in finance, this means aligning data pipelines, models, access controls, and documentation with regulatory expectations.

A metadata control plane like Atlan helps you centralize context, enforce policies at scale, and stay audit-ready—turning compliance from a reactive burden into a proactive advantage.


OCC regulations: Frequently asked questions (FAQs) #

1. What are OCC regulations? #


OCC regulations are supervisory standards issued by the Office of the Comptroller of the Currency to ensure that national banks and federal savings associations operate safely, treat customers fairly, and comply with U.S. banking laws.

2. Who does the OCC regulate? #


The OCC regulates national banks, federal savings associations, and federal branches and agencies of foreign banks. It oversees their licensing, operations, and risk management practices.

3. How often does the OCC conduct examinations? #


OCC conducts risk-based exams typically every 12 or 18 months, depending on a bank’s size, complexity, and risk profile. These assessments cover capital, compliance, governance, and operational risk.

4. What laws and regulations fall under OCC oversight? #


Key laws and regulations include:

  • National Bank Act (1864)
  • Bank Secrecy Act (1970)
  • Equal Credit Opportunity Act (1974)
  • FDIC Improvement Act (1991)
  • 12 CFR Part 30 – Safety and Soundness Standards
  • 12 CFR Part 30, Appendix D – Heightened Standards
  • OCC Bulletin 2011-12 – Model Risk Management

5. What are the key components of OCC compliance? #


Core components include effective board oversight, risk governance frameworks, internal controls, model risk management (MRM), data quality and lineage, third-party risk management, and consumer protection.

6. What happens if a bank fails to comply with OCC regulations? #


Non-compliance can lead to enforcement actions such as consent orders, civil money penalties, business restrictions, or, in extreme cases, revocation of the bank’s charter.

7. What are some common pitfalls in ensuring OCC compliance? #


Common challenges include:

  • Disconnected metadata and documentation
  • Legacy systems lacking transparency
  • Manual compliance processes prone to error
  • Poor third-party risk visibility
  • Inadequate model validation and auditability
  • Siloed governance and unclear accountability

8. What is the role of metadata in ensuring compliance with OCC regulations? #


Metadata provides the foundation for traceability, accountability, and policy enforcement across the data stack. It enables institutions to track lineage, document ownership, enforce dynamic access and data handling rules, and maintain audit logs and regulatory reports on demand, among others.

9. How does a metadata control plane help with OCC compliance? #


Platforms like Atlan act as a metadata control plane, centralizing metadata across systems, automating lineage and documentation, enforcing policies at runtime, and supporting audit-readiness. This helps data teams align with OCC expectations at scale.



Atlan is the next-generation platform for data and AI governance. It is a control plane that stitches together a business's disparate data infrastructure, cataloging and enriching data with business context and security.
