Examiner expectations have evolved meaningfully since the 2024 cycle. Banks that were considered well-positioned then are now finding themselves with multiple matters requiring attention. Across the engagements our team has supported in the first quarter of 2026, five themes have emerged consistently.
1. Third-party risk programs are under deeper scrutiny
Examiners are no longer satisfied with a vendor inventory and an annual SOC 2 review. They're asking about risk-tiering methodology, evidence of right-sized diligence per tier, contract security provisions, and continuous monitoring. Banks that treat TPRM as a procurement function rather than a risk function are getting findings.
2. Cybersecurity governance, not just controls
The shift from 'do you have controls' to 'how does the board oversee cyber risk' continues. Risk committees that meet quarterly with high-level dashboards are getting follow-up questions. Examiners want evidence that the board understands the actual risk posture and the basis for decisions about where to invest.
3. Resilience that has been actually tested
Documented DR plans aren't enough. Examiners are asking when the plan was last tested, what was learned, and what changed as a result. Banks with paper plans are being asked to schedule live tests.
4. Identity and privileged access
MFA everywhere, conditional access for sensitive operations, privileged access management with vaulting and session recording. Banks running on basic SSO without these layers are increasingly considered behind the curve.
5. AI governance even before deployment
Examiners are asking about AI governance even at banks that have not deployed AI in customer-facing functions. The expectation is that you have a position, a policy, and an oversight mechanism — before the first use case ships.
Banks that engage early — six to twelve months before their next exam — have the time to address findings before they become formal. Those that wait are managing the cycle reactively.