- Key insight: The OCC is moving to ease money-laundering compliance burdens for community banks.
- Supporting data: New "Community Bank Procedures" take effect Feb. 1, 2026.
- Forward look: Regulators may weigh new tools to improve transparency and competition among core service providers.
The OCC on Monday released new Bank Secrecy Act guidance that simplifies anti-money laundering examination procedures for community banks, a significant tailoring effort they say is aimed at reducing the burden for smaller institutions.
The new streamlined "Community Bank Procedures," which take effect Feb. 1, 2026, allow examiners to rely more on independent audit testing from third parties, reduce duplicative reviews and scale back review of specific transactions or files at banks, when a bank's risk profile warrants it, particularly banks presenting low money-laundering risk.
"Using these procedures as a baseline, examiners must tailor examination procedures based on the instructions below," the procedures state. "The level of scrutiny within each procedure may be heightened or reduced based on a bank's risk profile and examiners' ability to leverage independent testing, past examination findings, or additional resources as appropriate."
The bulletin, which applies to all banks supervised by the OCC's community bank group — those with up to $30 billion in assets — says examiners may rely on satisfactory third-party audit work "as appropriate," and to carry forward prior findings on training and BSA officer performance for an exam cycle when a bank's risk profile hasn't changed in a material way. Examiners should focus on three objectives: scoping and planning; assessing the BSA/AML program; and finalizing conclusions, adding procedures only when a bank's risk profile justifies it. Reviews from Treasury's Office of Foreign Assets Control are no longer automatic and will occur only on an as-needed basis.
In a separate bulletin Monday, the OCC moved to eliminate an annual information request that has been sent to community banks since 2005 aimed at helping the agency assess money-laundering and terrorist-financing risk across smaller firms.
Under the elimination of the review, known as the Money Laundering Risk System data call, examiners no longer need bank-reported product and customer data, citing what leadership views as lower risk of community banks and the utility of other supervisory tools. Large banks were never subject to the requirement.
"The OCC believes that the MLR System is no longer necessary and that the OCC can obtain appropriate information on the ML/TF risks of the community bank portfolio in a less burdensome manner, including more tailored requests for information in connection with on-site examination activities," the agency
Alongside the regulatory simplification, the OCC also requested for information from community banks Monday about their core processors and other essential third-party tech vendors.
The RFI signals the agency's growing concern with increasing consolidation amongst companies that offer back-end software for banks.
"Continued consolidation in the core service provider and other essential third-party service provider markets can result in reduced competitive pressure to provide innovative and effective solutions for community banks; reduced negotiating power for many community banks vis-à-vis their core service providers, resulting in potentially burdensome contractual provisions and bundled products that raise fees; and a sense that many community banks do not believe that their core service providers … are partners committed to their long-term success," the RFI stated. "Many of these same banks believe these potentially anti-competitive forces are preventing them from taking full advantage of the rapid pace of innovation in the financial technology marketplace, leaving them exposed to changing consumer expectations they may not be able to meet."
The OCC asks banks to detail, among other things the barriers they face in negotiating with core providers, issues around navigating fees and billing errors, conducting due diligence on core providers, AI uses, stablecoin and crypto-related services. The agency will take comments for 60 days after publication in the Federal Register.
The agency also floats potential policy responses for banks' input, including the idea of creating a publicly searchable database of service-provider performance, a registry of provider contract terms, improving access to service-provider exam reports and revisiting how examiners apply the OCC's third-party risk management guidance.
