
OCC Heightened Standards: mapping 12 CFR §30 with AI.

Published April 26, 2026 · 9-minute read · By Sia

When a state-chartered bank applies for an OCC national charter — or when an existing OCC bank crosses the $50B threshold — Heightened Standards (12 CFR §30, Appendix D) is the document that defines pass / fail. The standards are five years old; the operational expectations behind them keep tightening. Here is how to map your current program to them, with AI doing the heavy reading.

This guide is built from a recent engagement we did with a large US bank converting from FDIC oversight to a national OCC charter. The full case study is on the banking page; this is the workflow underneath it.

What Heightened Standards actually demands

The OCC's Heightened Standards (codified in 12 CFR §30, Appendix D) apply to insured national banks, federal savings associations, and federal branches with $50 billion or more in average total consolidated assets. They set out two top-level pillars:

  1. A risk-governance framework covering risk appetite, three lines of defense, talent, and compensation.
  2. The board's role in providing active oversight of management and that framework.

Within those pillars sit dozens of operational expectations on risk-management programs, board independence, escalation, and audit. The OCC also publishes guidance on its expectations for matters requiring attention (MRAs) and matters requiring immediate attention (MRIAs) — those are the enforcement teeth.

Why this is hard without AI

A converting bank typically has 200–400 internal policies, procedures, and standards spread across business lines. Heightened Standards has roughly 80–120 distinct operational requirements when you count the risk-governance framework (Section II), the board's role (Section III), and the implicit expectations from §30 Appendix A (operational risk) and §30 Appendix B (information security).

Mapping them by hand is a 12–16 week sprint. Most banks bring in three to five FTEs from internal audit, risk, and compliance. The output is a binder. The binder ages out the moment it's printed because OCC bulletins keep coming.

The five-phase AI workflow

Phase 1 — scope and source list

On the regulatory side: the OCC Heightened Standards Level 1 text plus all OCC bulletins from the last 5 years that touch on it; 12 CFR §30 Appendices A (operational risk) and B (info security) for cross-references; and any prior OCC examination reports if the bank has them.

On the internal side: the policy taxonomy (most banks use a three-tier policy / standard / procedure model), the current policy library, the board charter, the risk appetite statement, the board pack, and prior audit findings.

Phase 2 — obligation extraction

RegAI parses the OCC text and produces a structured list of obligations, each linked back to its source paragraph. Expect roughly:

  • ~30 obligations from Section II (risk-governance framework)
  • ~25 obligations from Section III (board oversight)
  • ~25 obligations from Appendix A (operational risk implications)
  • ~15 obligations from Appendix B (information-security implications)

So ~95 distinct, scorable obligations. After deduplication (Section III often restates Section II in board terms), you land at ~80.

Phase 3 — applicability triage

For most converting banks, all of Heightened Standards applies. The triage matters more for the cross-references: not every Appendix A operational-risk requirement maps cleanly. RegAI flags the ambiguous ones (e.g., requirements pegged to "covered subsidiaries") for legal review.

Output: applicability status per obligation with rationale.

Phase 4 — gap analysis against your policy library

Each obligation is mapped against the bank's policies, with coverage scored Full / Partial / Not covered. The most common gap pattern in our engagements:

  • Risk appetite framework exists but doesn't tie to credit, market, operational, and compliance risk consistently. Score: Partial.
  • Three lines of defense articulated but escalation thresholds undefined. Score: Partial.
  • Board reporting covers metrics but lacks a defined cadence for risk-appetite breaches. Score: Partial.
  • Talent and succession for risk-management roles often missing entirely. Score: Not covered.

Roughly 60–70% of obligations are Full, 20–25% are Partial, 10–15% are Not covered. A clean partial is much better than a clean nothing — the partial means the bank has the program, just not all the documentation.

Phase 5 — drafting controls and policies for the gaps

For Partial scores: RegAI drafts a delta — exactly what's missing from the existing policy. Legal review tightens; the policy is republished. For Not-covered scores: RegAI drafts a new policy or standard from a template aligned to OCC's expected language.

Practical tip: draft in batches by topic. Risk-appetite-related drafts together, board-oversight-related together, etc. The drafts read more consistently and review is faster.

What the OCC actually looks at

Examiners don't grade the binder. They observe the operating mechanism. The binder is just the answer key. So the gap analysis is the start, not the end:

  • Board-pack quality. Risk-appetite-breach reporting needs to be visible in the actual quarterly pack, not just defined in policy.
  • Escalation evidence. Internal-audit reports from the last 12 months should show clear MRA / MRIA escalation paths.
  • Risk-function independence. Reporting lines, compensation structure, dotted lines — examiners look for actual independence, not just an org chart.
  • Talent. CRO succession, risk-function tenure, training. Heightened Standards explicitly calls these out.

RegAI's evidence-pack module pulls this together: each obligation gets a citation graph linking to the policy passage AND (where configured) to the operating evidence — a board pack page reference, an audit finding, a training record.

Charter conversion timeline — what's realistic

From the recent engagement:

  • Week 1–2: Source ingestion, internal corpus loading, applicability triage.
  • Week 3–6: Gap analysis, batch drafting, legal review of the first wave.
  • Week 7–10: Second-wave drafts, board-pack alignment, three-lines-of-defense documentation refresh.
  • Week 11–12: Internal audit walkthrough, OCC pre-filing meeting prep.

Net: a 12-week charter-readiness sprint that closes ~340 specific gaps and produces a defensible compliance package. That is the result summarized in the OCC charter case study in the case-studies section.

Common pitfalls

  • Treating Heightened Standards as a documentation exercise. The OCC's actual evaluation looks at operating mechanism. Document gaps are easier to close than mechanism gaps — start there but don't stop there.
  • Ignoring the board. Section III is the OCC's most active enforcement area. Board independence, board reporting, board-level escalation — these are not delegable.
  • Single-shot delivery. OCC bulletins keep arriving. Heightened Standards is a living standard. The matrix needs to live in a system that updates with the source.

What this looks like at scale

On the recent engagement: 2,400+ obligations mapped (Heightened Standards + supporting OCC + adjacent bulletins), 12-week charter sprint, 340 policy gaps closed. Charter submission was on time.

Get started

If you're prepping for a national charter or an OCC heightened-standards review, we run a 45-minute walkthrough on a slice of your scope and a sample policy. Real numbers, no slides.
