What Documents Does the FDIC Request at the Start of an Exam

Three to six weeks before an FDIC examination begins on-site, your institution receives a document request list. This list isn't a suggestion, it's the starting point of the exam, and how quickly and completely you respond shapes the examiner's first impression of your compliance posture. Disorganized or incomplete responses signal control weaknesses before the examiner even walks through the door.

Key Takeaways:

• The FDIC document request typically arrives 3-6 weeks before the on-site exam and covers governance, financials, compliance, IT, and audit
• The request follows the structure of the FDIC Risk Management Manual of Examination Policies
• Missing or delayed items are noted and may expand the exam's scope into areas the examiner wasn't originally planning to review
• Organizing documents by exam category (not by internal department) dramatically reduces response time

What the Standard Document Request Covers

The FDIC's pre-examination document request is tailored to each institution, but it follows a predictable structure based on the Risk Management Manual's examination modules. Most requests cover these categories:

Governance and Board Oversight

This section targets evidence that the board and senior management actively oversee the institution's risk profile:

• Board and committee minutes for the period since the last examination (typically 12-18 months of board minutes, audit committee minutes, loan committee minutes, ALCO minutes, compliance committee minutes, and IT steering committee minutes)
• Organizational chart showing current management structure, reporting lines, and compliance function placement
• Strategic plan and any recent updates, including new business line proposals
• Management succession plans where they exist
• Board-approved policies, not just the policies themselves, but evidence of board approval (dated signatures, board resolution references in minutes)

Examiners pay close attention to the gap between policy approval and actual oversight. Board minutes that rubber-stamp policies without discussion are a red flag. Minutes that reflect genuine deliberation, questions asked, concerns raised, follow-up items assigned, demonstrate the kind of active oversight that satisfies the FFIEC Compliance Management System framework.

Financial and Capital Information

• Most recent Call Report (FFIEC 031/041/051) and any amendments
• Internal financial statements (balance sheet, income statement, trial balance) for each quarter since the last exam
• Capital calculations including risk-weighted assets and leverage ratio computations
• ALCO reports and interest rate risk analyses including model assumptions, sensitivity scenarios, and back-testing results
• Investment portfolio reports showing composition, duration, credit quality, and any impairment analyses
• Liquidity reports including contingency funding plans and borrowing capacity analyses

Loan Portfolio Documentation

Loan review is typically the most time-intensive part of a safety and soundness exam. The document request will include:

• Loan trial balance as of the most recent quarter-end
• Concentrations of credit report showing exposure by category (CRE, C&D, C&I, consumer, agricultural)
• Loan policy including underwriting standards, approval authorities, and exception tracking
• Loan exception reports, examiners will sample these to assess policy adherence
• Allowance for Credit Losses (ACL) methodology under CECL (ASC 326), including qualitative factor analysis and supporting documentation
• Watch list and classified asset reports with trending data
• Loan review reports (internal and external) from the review period

The ACL documentation is particularly scrutinized since the CECL implementation. Examiners expect to see not just the model output but the qualitative adjustments, management judgment, and the data supporting those judgments.

Compliance Program Documentation

The compliance-specific portion of the request may be combined with the safety and soundness request or arrive separately if consumer compliance examiners are joining:

• Compliance risk assessment, the current version, with evidence of periodic updates
• Compliance monitoring and testing schedules with results of completed reviews
• Consumer complaint log with trend analysis and resolution documentation
• Training records showing completion by regulation area, with particular attention to BSA/AML, fair lending, and UDAAP training
• Compliance audit reports (internal or external) from the review period
• Change management records showing how regulatory changes were identified and implemented

If your bank has a compliance management system, the documentation should tell a coherent story: policies were approved, training was delivered, monitoring was conducted, issues were identified, and corrective actions were completed.

BSA/AML Documentation

BSA requests are extensive and may constitute a standalone section of the document request:

• BSA/AML risk assessment (institution-wide and by product/service/geography)
• BSA/AML policies, procedures, and controls including CDD/EDD procedures
• Independent BSA audit or review report
• SAR filing log with narrative samples (examiners will request specific SARs during on-site work)
• CTR filing log and exemption documentation
• OFAC screening procedures and hit-resolution documentation
• 314(a) and 314(b) program documentation including information-sharing agreements
• BSA officer qualifications and organizational reporting structure
• CDD/beneficial ownership documentation per 31 CFR § 1010.230

The FFIEC BSA/AML Examination Manual outlines what examiners evaluate in detail. See our BSA/AML exam prep checklist for a structured approach to staging these documents.

IT and Information Security

• IT risk assessment and any third-party technology risk assessments
• Information security policy and incident response plan
• Business continuity/disaster recovery plan with testing results
• Vendor management program documentation, including due diligence on critical vendors
• Cybersecurity assessment results (if the institution uses the FFIEC Cybersecurity Assessment Tool)
• Network architecture diagrams and access control documentation

Audit

• Internal and external audit reports from the review period
• Audit plan showing the risk-based audit cycle
• Tracking log of audit findings with remediation status and timelines
• Management's responses to audit findings with evidence of completion
• External auditor management letters and any communication of significant deficiencies or material weaknesses

Common Gaps That Slow Down Response

Most community banks can produce the documents themselves. The problem is producing them quickly and completely. Common gaps include:

Version control failures. The examiner requests the current loan policy. Your compliance team sends a version from 2024 because the 2025 update wasn't saved in the shared drive. Or worse, they send a draft that was never formally approved. Every policy should have a clear version history, approval date, and approval evidence.

Missing evidence of action. You conducted compliance monitoring, but the results were communicated verbally. You updated the risk assessment, but the previous version wasn't retained. You briefed the board, but the minutes don't reflect the specific topics discussed. Without contemporaneous documentation, these activities might as well not have happened.

Scattered storage. Board minutes live in one system, compliance reports in another, audit findings in a spreadsheet, training records in the LMS, and BSA documentation in a separate case management tool. Assembling the document request response requires pulling from six or seven systems and hoping nothing falls through the cracks.

Incomplete remediation tracking. The prior exam resulted in three findings. Your team resolved them, but there's no single document showing what was done, when, and what evidence supports the resolution. Examiners will ask about every prior finding, having a clean remediation tracker with supporting evidence is non-negotiable.

Organizing by Exam Category, Not Internal Department

The most effective approach to the document request is organizing your response to mirror the examiner's workflow, not your org chart. Examiners think in modules: governance, credit risk, BSA, compliance, IT, audit. If your response package mirrors those categories, examiners find what they need faster, and the exam runs more smoothly.

This means your compliance team, lending team, IT department, and finance team all need to contribute to a single organized response. A central point of contact (usually the compliance officer or a designated exam coordinator) should own the assembly process and track completion against each line item.

A practical approach:

1. Convert the document request into a tracking spreadsheet the day it arrives
2. Assign each line item to the responsible department with a due date (at least one week before the FDIC's deadline)
3. Collect all items into a single repository organized by exam category
4. Review for completeness, version accuracy, and date coverage before submission
5. Document what was provided and any items that require explanation

How Canarie Helps You Respond to Document Requests Faster

The reason exam prep takes weeks instead of days is that evidence is scattered, undated, and disconnected from the obligations it supports. Canarie captures compliance evidence as work happens, when a policy is reviewed, when monitoring is completed, when training is delivered, so that when the document request arrives, your response is largely pre-assembled.

Instead of pulling from six systems and hoping you haven't missed anything, Canarie organizes evidence by regulation and exam area, with timestamps and completion records already attached.

See how Canarie eliminates the pre-exam scramble →

Frequently Asked Questions

How far in advance does the FDIC send the document request?

The FDIC typically sends the pre-examination document request 3-6 weeks before the on-site examination begins. The exact timeline varies by FDIC regional office and the scope of the examination. Larger or more complex exams may come with earlier requests. The FDIC generally expects the documents to be available before or on the first day of the on-site portion.

What happens if we can't produce a requested document?

If a requested document doesn't exist (for example, you don't have a formal succession plan), inform the examiner proactively rather than ignoring the line item. The absence of a document is a finding, but being transparent about it is better than appearing uncooperative. If a document exists but needs more time to compile, communicate the expected delivery date. Unresponsive or evasive handling of document requests can expand the exam's scope and duration.

Are document requests the same for every FDIC exam?

No. The request is tailored to the institution's risk profile, size, complexity, and the focus areas of the particular examination. A bank with a recent BSA/AML finding will receive a more detailed BSA document request. A bank that recently launched a new lending product will see requests specific to that product's underwriting and compliance. However, the core categories (governance, financials, loans, compliance, BSA, IT, audit) appear in virtually every request.

Should we provide more documents than requested?

Generally, provide exactly what was requested, no more, no less. Providing unsolicited documents can open examination areas the examiner wasn't planning to review. If you have supplementary materials that provide important context (for example, a management response that explains a finding's remediation), include them only if they directly support the requested item. When in doubt, ask the examiner-in-charge during the entrance conference.