Why compliance still matters: Navigating reduced oversight in a deregulatory era
- Despite reductions in regulatory agency staffing and a deregulatory environment, financial institutions must maintain a strong focus on compliance.
- Examiners will rely more on an institution’s own risk assessments and internal controls.
- Weak compliance programs may result in rapid downgrades of your compliance rating.
Senior management may be pushing to ease up on resources dedicated to regulatory compliance, citing the deregulatory environment or reductions in staffing at regulatory agencies. Even as compliance professionals, you may be thinking, “Do I really need to focus as much as I have in the past?” The answer is “Yes,” now more than ever.
Implications of a reduced workforce for compliance
It has become clear that regulatory agencies have reduced or will be reducing their workforce. In January, a presidential executive order was released directing executive departments and agencies to identify at least 10 existing regulations to repeal for every new regulation proposed. It’s tempting to think that these developments could make compliance a lower priority for financial institutions, but that may be a huge mistake.
The Office of the Comptroller of the Currency (OCC) issued Bulletin 2025-24 on October 6, 2025, stating the OCC was updating its policies to eliminate mandatory examination activities not required by statute or regulation to reduce the supervisory burden for community banks, defined as those with up to $30 billion in assets. The Bulletin states that examinations will be risk-focused, with heightened focus on material financial risks. Examiners will retain discretion to conduct supervisory activities beyond those in statute, but will not be required to conduct certain reviews based solely on OCC policy.
Examples provided included the OCC policy of conducting a fair lending risk assessment every examination cycle and a review of flood insurance coverage once out of every three cycles. This testing will now be at the discretion of the examiners conducting the review.
Why is this being done? To reduce the agencies’ staffing by as much as 30%, the number of hours spent by examiners during examinations must be reduced by a similar percentage. The easiest reduction in hours would be to:
- eliminate testing of areas that are not required by law.
- reduce sample sizes.
- streamline testing to cover only the riskier areas.
- rely on bank-provided reports.
How will the regulators address risks and reduce staffing and testing?
Several new regulations that were not yet effective were repealed or vacated by the courts earlier this year, thereby eliminating some of the new regulatory risks that were on the horizon. In addition, the Consumer Financial Protection Bureau (CFPB) removed 67 of its guidance documents, interpretive letters and bulletins this year, stating that the documents were unnecessary and that statutory limitations were already in place.
However, existing laws and regulations remain largely intact, meaning the level of risk has not decreased as much as some may like to think.
So how will regulators address the ongoing risks of noncompliance with laws and regulations, given the reduced workforce? They will rely on your compliance management system (CMS) rather than conducting the testing themselves.
If the examiners do not have the resources to thoroughly test your compliance with consumer protection laws and regulations themselves, they will make sure someone else is conducting this testing.
What does that mean? It means your first, second and third lines of defense will need to be stellar. It will take your examiners significantly less time to review and opine on someone else’s testing than it will to test it themselves. Therefore, examiners will be reviewing your risk assessments and testing to help ensure all risks have been identified and mitigated.
Risk mitigation steps
Risk assessments
To assess the risks in your organization, examiners may be relying on your risk assessments to help them determine where they should focus their efforts. Therefore, your risk assessments need to be thorough and up to date. Confirm your fair lending, compliance, BSA/CFT/OFAC, UDAAP and other risk assessments accurately reflect your current risk profile and are updated regularly as risks change.
First line of defense
You will want to be sure your frontline has controls in place to help ensure that consumer protection laws and regulations are being followed throughout the lifecycle of your products and services. This includes new account checklists, automated system controls, pre- and post-closing reviews, reviews of system reports, ticklers and tracking systems, and similar controls. An effective first line of defense reduces the number of issues identified by the second and third lines of defense, as well as the need for additional training and oversight.
Second line of defense
Your second line of defense, the compliance department, should be conducting ongoing testing to help ensure the first line is complying with applicable laws and regulations. This testing should be risk-based, with results communicated to senior management and the frontline, and these results should direct the need for adjustments in policies and procedures, as well as further training and testing.
Third line of defense
The third line of defense, internal audit, should be auditing compliance with federal consumer protection regulations, as well as your CMS to help ensure its effectiveness. The audit scope and frequencies should be based on the applicable risk assessments. Results should be reported to senior management and the audit committee.
Remediation should be tracked, and follow-up testing should occur to be confident identified issues are promptly resolved.
Examiners will most likely focus their efforts on assessing the structure of your CMS to determine whether it is reliable, and on reviewing the results and remediation plans from the audits conducted, rather than conducting extensive testing of compliance with laws and regulations themselves. A weak compliance program that lacks the components listed above may result in a quick downgrade to your compliance rating, as examiners may not have the resources to conduct this testing themselves.
While we may see a significant reduction in the government’s cost of administering compliance oversight at our institutions, these costs may be passed on to you, as your regulators will rely on your CMS instead.
While it may appear that there is less focus from the government on compliance, the expectation is that financial institutions will focus more on developing and maintaining a reliable, effective CMS with robust controls and testing plans. Unless the laws and regulations are repealed, the need to comply will always remain.
How Wipfli can help
Addressing compliance challenges is still a priority for financial institutions. Our team can advise your organization on how to manage risk and maintain compliance with federal banking regulations. Start a conversation about your compliance management system.