OCC Heightened Standards — what 12 CFR §30 Appendix D actually demands.
Published 2014, refined repeatedly. Applies to insured national banks, federal savings associations, and federal branches of foreign banks with average total consolidated assets of $50 billion or more. State-chartered banks moving to OCC supervision under a national charter inherit the full set.
What "heightened" actually means
The Guidelines codify expectations the OCC was already enforcing through examination ratings (CAMELS, the Risk Assessment System for Institutions). The codification is what gives examiners the explicit hook for matters requiring attention (MRAs) and consent orders. Three components:
- A formal Risk Governance Framework, board-approved.
- Active board oversight of management and the framework.
- Specific responsibilities for the three lines of defense.
The Risk Governance Framework
Section II of the Guidelines lays out the framework requirements:
- Risk appetite statement — qualitative and quantitative limits across risk categories.
- Concentration risk limits.
- Strategic plan with horizon and tied-back risk profile.
- Risk identification, measurement, monitoring, and reporting processes.
- Independent risk management, with a direct reporting line from the Chief Risk Officer (CRO) to the board.
- Independent internal audit, with a direct reporting line from the Chief Audit Executive (CAE) to the audit committee.
Three lines of defense, defined
- Front-line units — own and manage risks of their activities. They are the first line.
- Independent risk management — separate from front-line, with authority to challenge. CRO is the head; the framework is the CRO's artefact.
- Internal audit — independent of both, reporting to the audit committee, providing assurance on the framework's effectiveness.
The Guidelines are explicit that the three lines must have distinct staffing, reporting, and incentives. "Independent" is a structural test, not just a label.
Talent, compensation, performance management
Section II.J: the bank should maintain a talent management process that ensures qualified people fill the key roles, and a compensation programme that ties incentives to risk-adjusted performance. This is the section that most often drives MRA findings during charter conversions — compensation models built for state-charter levels of scrutiny rarely meet OCC documentation expectations.
Charter conversion playbook
For a state-chartered bank applying for an OCC national charter, the heightened-standards mapping is the single largest workstream. The clause-level playbook from a recent FDIC-to-OCC conversion: ingest both rule sets, map clause-by-clause, surface gaps, draft remediation plans, build the evidence pack for the application.
Where Sia RegAI fits
Sia RegAI ingests 12 CFR §30, related OCC Bulletins (most recently the 2025 climate guidance and the 2024 third-party risk-management guidance), the SR Letters from the Federal Reserve (where the bank is also Fed-supervised), and your existing risk-governance documentation. Outputs: a normalised obligation tree, a clause-level gap analysis against your three-lines structure, drafted control language for every gap, and an evidence pack mapped to OCC supervisory expectations.