SPONSORED CONTENT PRESENTED BY NEXCESS
- Formal risk programs cover the core. The systems built around it — customer portals, fraud tools, digital platforms, AI models — are outside scope. Examiners are now looking there.
- Since January 1, 2026, examiners no longer follow a fixed checklist. They follow your risk, wherever it lives.
- Federal regulators updated model risk rules in April 2026. Every AI tool your bank runs — including vendor-supplied tools — now requires documented governance.
- Three questions will tell you whether your non-core systems are ready for an exam. Walk through them before your next supervisory cycle opens, not during it.
- Moving non-core systems to the right infrastructure is a single decision. It does not require replacing your core or running a multi-year program.
Every bank has a core: the ledger, payment rails and transaction processing. Those systems were built for stability. Change is slow and deliberate. That is the right design for a ledger.
Over the last decade, a second layer grew around the core: customer portals, loan origination platforms, digital account opening tools, fraud analytics, AI models, real-time reporting dashboards. These systems face your customers directly. When one fails or produces a wrong result, the impact shows up in complaints, regulatory flags, and examiner questions — not in the ledger.
Most formal risk programs have not kept up with that growth. The structured process your institution uses to identify, document and manage operational risk — your Risk and Control Self-Assessment (RCSA) — was built to cover core banking. The customer portals, fraud analytics tools and digital platforms added since were never brought into scope. That gap is where the risk actually lives today.
This is not a theoretical concern. At the ABA Risk and Compliance Conference in Charlotte this May, a session titled “Updating Risk Assessments in the Current Environment: Modernizing RCSA – Turning Risk Assessments into Actionable Intelligence” addressed exactly this issue. Presenters Daniel Birbal (Risk and Controls Leader, TD Bank), Charles Corbezzolo (SVP Consumer Business Controls, TD Bank) and Bill Tucker (Chief Compliance Officer, First Carolina Bank) covered what happens when institutions expand RCSA scope to include non-core processes: They find risk that was never formally assessed.
Where non-core systems run matters because infrastructure is not a neutral backdrop. A fraud analytics tool on a shared public cloud carries different accountability and documentation requirements than the same tool on a dedicated, isolated environment. Examiners are now asking which one you are running — and whether you can show it.
The Exam Is No Longer a Checklist. It Follows Your Risk.
Under OCC Bulletin 2025-24, the fixed examination checklist for community banks was replaced with risk-based supervision starting January 1, 2026. Examiners no longer work through a required list of topics. They follow your documented risk decisions, across every system your institution runs.
That means a system does not need to touch the ledger to attract examiner attention. It needs to handle customer data, support a regulated process, or run a model that influences a credit or fraud decision. Your customer portal qualifies. Your digital account opening platform qualifies. Your fraud analytics tool qualifies.
In April 2026, the OCC, Federal Reserve, and FDIC went further. They replaced prior model risk management guidance with a new risk-based framework that explicitly covers AI tools supplied by vendors. Every AI model your institution runs — fraud detection, credit scoring, customer analytics — now requires documented governance: where the model runs, who owns the environment, and how your institution can show control over it.
If your fraud detection tool runs on infrastructure you do not control, under a contract that predates AI, with a vendor you cannot fully audit, your governance trail runs out before an examiner’s questions do.
Three Questions to Walk Through Before Your Next Exam
Run these against each customer-facing system your institution runs outside of core banking. No technical review needed — just clear answers.
- If an examiner asked about this system today, could you answer in one conversation?
This is a documentation question, not a compliance checkbox. Generic cloud environments are shared — other companies’ workloads run on the same hardware as your customers’ financial data. That creates a documentation gap that cannot be closed with a policy document. It requires a dedicated environment with its own audit trail. More than half of community bank IT leaders say cloud technology risk is a top concern. The gap is usually not the application. It is where the application lives.
- When this system fails, do you know exactly who is responsible — before it fails?
A vendor contract is not an accountability plan. When a system fails during peak hours, the question of who owns the problem needs an answer in minutes, not after a conference call. Ownership questions surface under pressure, not in planning. Document the answer now.
- Can your AI vendor explain its model governance to an examiner on your behalf?
The April 2026 guidance requires that AI models be governed end-to-end — including models your vendors supply. If a vendor’s AI tool runs in an environment your institution cannot describe or audit, your governance documentation ends before the examiner’s review does.
If any of these questions gave you pause, that is where the work needs to happen before your next exam cycle opens.
Be Ready
Being able to answer an examiner’s questions clearly requires four things at the infrastructure level. A full breakdown is here, but the short version is:
- A dedicated environment for each system. Shared infrastructure cannot produce a clean, institution-specific audit trail. Separation is the only way to close that gap.
- Named ownership in writing. Who patches this? Who handles an incident at 6am? Who produces documentation for an examiner? These answers need to exist before something goes wrong.
- Controls built in from the start, not added later. Exam standards require that management verify controls exist — not assume them. Access controls, audit logs and responsibility boundaries need to be present at deployment.
- A contract that reflects what you are actually running. AI workloads consume compute differently than transactional banking systems. An agreement written for transactional workloads will not govern AI deployments correctly. Review your infrastructure contracts against what your systems do today.
One Decision Before the Exam Cycle Opens
The presenters at the ABA Risk and Compliance Conference were not describing a problem that requires a technology overhaul to fix. They were describing a decision that has not been made: Separate the systems that carry examiner risk onto infrastructure that was built to carry it.
That is a single architecture decision. It does not require replacing your core or launching a multi-year program. It requires placing non-core, customer-facing systems on dedicated, governed infrastructure with documented ownership — before your next exam cycle begins.
These systems are already in scope. The only question is whether your infrastructure is ready to show that clearly.
Erin Raese is CMO at Nexcess, a Specialty Cloud provider focused on high-performance, compliance-ready environments for community and regional banks. She has 30+ years in technology and 15+ years advising large financial institutions on infrastructure strategy and go-to-market execution.