The OCC’s “Persistent Weakness” Timer Is Ticking, And Banks Must Comply
- Weave Labs
- Jul 15

In 2023, the Office of the Comptroller of the Currency (“OCC”) issued a revised approach to enforcement for larger banks. The revised approach states that the OCC will take additional action against banks and executives that exhibit “persistent weaknesses” in governance, risk management or operational practices and lays out heightened standards that large banks must adhere to.
The OCC has since been true to its word, recently fining Citi $400m for risk management failures. Earlier this year, the OCC announced three fines targeting specific leaders at Wells Fargo for unsafe and unsound banking practices.
Taking the Revised Approach Seriously
Under the updated policy, the OCC will take formal enforcement actions—such as consent orders or directives—against banks that fail to remediate long-standing deficiencies despite prior supervisory efforts. This shift signals the regulator’s intent to ensure timely corrective action rather than relying solely on informal agreements or management promises.
These measures are rooted in the OCC’s heightened standards framework under 12 CFR Part 30, which applies to banks with $50 billion or more in consolidated assets. The standards require covered banks to implement comprehensive risk governance frameworks and maintain strong, independent oversight structures to protect their safety, soundness, and resilience in an increasingly complex banking environment.
OCC Heightened Standards Requirements
Below are the key requirements set forth by the OCC for risk governance at large financial institutions:
- Risk Governance Framework: Establish and maintain a written framework that defines risk governance processes consistent with the bank’s size, complexity, and risk profile.
- Front Line Units and Independent Risk Management: Clear delineation of roles between business units (front line) and independent risk management functions.
- Comprehensive Risk Appetite Statement: Board-approved statement defining aggregate risk levels, types of risk the bank is willing to take, and limits for material risks.
- Roles and Responsibilities: Clear responsibilities for the board, CEO, independent risk management, and internal audit.
- Standards for Board of Directors: The board must actively oversee risk-taking activities and hold management accountable for adhering to the risk governance framework.
- Independent Risk Management Function: Led by a Chief Risk Officer (CRO) with sufficient authority and access to the board.
- Internal Audit Function: Led by a Chief Audit Executive (CAE) reporting directly to the board or audit committee.
- Risk Data Aggregation and Reporting: Systems and processes that produce timely, accurate, and comprehensive risk data for decision-making.
Signs of Persistent Weakness Are Everywhere
Despite years of regulatory focus and internal investment, many banks continue to grapple with fundamental weaknesses in their risk management and governance frameworks. A common shortfall is fragmented risk oversight, where business lines operate in silos with limited coordination across credit, operational, compliance, cyber, and third-party risk domains. Without a unified risk taxonomy or integrated data environment, leadership teams lack the holistic visibility needed to anticipate emerging threats. As a result, banks often rely on static risk assessments and manual processes that are too slow to keep pace with today’s dynamic threat landscape—particularly in areas such as AI model governance, cyber resilience, and third-party risk exposure.
Another persistent challenge is insufficient board and senior management engagement in risk strategy. While regulatory expectations require boards to actively oversee and challenge management on risk decisions, many institutions still treat governance as a compliance exercise rather than a strategic imperative. This manifests in risk appetite statements that are broad but unenforced, risk committees that focus narrowly on compliance checklists rather than enterprise risk interdependencies, and internal audit functions that lack the real-time intelligence needed to test control effectiveness proactively. The result is a governance environment that leans heavily on compliance, reacting to issues after they emerge rather than anticipating them, which limits the strategic foresight needed to navigate today’s complex and dynamic risk landscape.
The following persistent weaknesses are commonly observed in banks, reflecting gaps in insight, data integration, oversight, and compliance:
- Siloed Risk Data Systems - Banks often maintain fragmented data architectures where credit risk, operational risk, compliance monitoring, and cybersecurity data are housed in separate systems without integration. This prevents leadership from generating a holistic risk profile, delaying detection of interconnected threats such as cyber incidents that trigger financial or compliance risks.
- Reactive Third-Party Risk Management - Many institutions lack centralized visibility into their vendor ecosystem, leading to incomplete assessments of critical dependencies and delayed, reactive mitigation efforts. This weakness was highlighted in incidents like the SolarWinds breach, where banks struggled to identify affected vendors and systems due to fragmented third-party data and contract oversight.
- Inadequate AI Model Governance - Banks deploying AI models in underwriting, fraud detection, or compliance often lack explainability frameworks and consistent monitoring of model drift and bias. Without unified AI governance, decisions remain opaque to risk committees and regulators, exposing the institution to compliance failures and reputational damage.
- Weak Board Risk Oversight - Boards frequently approve risk appetite statements but fail to operationalize them, with risk limits and controls misaligned to stated thresholds. This lack of enforcement reflects inadequate board oversight and an over-reliance on management summaries, without independent validation or real-time risk dashboards.
- Manual Compliance Mapping and Attestations - Institutions often rely on spreadsheets and quarterly manual attestations to map controls to regulatory requirements. This reactive approach limits insight into compliance drift or emerging regulatory gaps, leading to enforcement actions for failures in areas like AML, sanctions screening, or operational resilience.
Weave.AI Turns Weaknesses into Strengths
Weave.AI is purpose-built to transform governance, risk, and compliance (GRC) from fragmented, reactive processes into a unified, proactive intelligence capability for large banks. By integrating neuro-symbolic AI with an enterprise knowledge graph, Weave.AI delivers continuous, explainable, and holistic insights across all risk domains—from operational resilience and cyber to model governance and third-party oversight. This enables banks to move beyond static dashboards and manual attestations toward real-time, defensible governance that aligns with the OCC’s revised approach and heightened standards. Leadership teams gain not only faster visibility into emerging risks, but also targeted recommendations that accelerate remediation and ensure strategic board-level decisions are grounded in traceable logic and regulatory requirements.
The following core capabilities of Weave.AI directly support this transformation, enabling alignment with OCC Heightened Standards through integrated intelligence, real-time monitoring, and role-specific governance outputs:
- Unified Risk Governance Framework - Maps and integrates risk data across first-party, second-party, and third-party exposures into a single, live view aligned with OCC’s risk governance expectations.
- Explainable Neuro-Symbolic AI - Provides defensible insights with traceable reasoning, ensuring risk decisions meet board, audit committee, and regulatory requirements for transparency and accountability.
- Knowledge Graph - A proprietary enterprise-grade context engine that connects data, policies, controls, and regulations into an integrated framework, enabling accurate risk mapping, fast issue escalation, and board-ready reporting.
- Real-Time Compliance Monitoring - Continuously tracks compliance with OCC heightened standards, identifying drift or emerging regulatory gaps and recommending tailored remediation actions.
- Role-Based Strategic Outputs - Generates targeted outputs—such as risk assessments, board briefings, and compliance attestations—aligned to CRO, CISO, internal audit, and board oversight responsibilities.
- Automated Control Testing and Benchmarking - Benchmarks frameworks, policies, and controls against OCC expectations and peer institutions, highlighting weaknesses and accelerating readiness for enforcement actions.
Weave.AI is designed to strengthen oversight, reduce compliance risk, and increase regulatory confidence by automating outputs tailored to CROs, CISOs, boards, and audit committees. Its autonomous agents deliver continuous, high-level analysis across internal operations, affiliates, and third parties—surfacing risks before they escalate into enforcement actions, identifying gaps, benchmarking against peers, and providing tailored guidance, recommendations, and next-best actions through the lens of OCC Heightened Standards and related regulatory frameworks. By transforming fragmented controls into enterprise-wide accountability, Weave.AI helps institutions meet OCC regulatory requirements while improving operational efficiency, decision velocity, and strategic foresight in today’s increasingly complex risk environment.