How to Self-Assess Your Bank's Compliance Program Before an Exam

A structured self-assessment exposes compliance gaps before examiners do. Here's a framework for evaluating your program, identifying weaknesses, and documenting results.

By Canarie Team

The worst time to discover a compliance gap is during a regulatory examination. Examiners don't penalize you for finding your own problems; they penalize you for not finding them. A structured self-assessment conducted before an exam identifies weaknesses you can address proactively, demonstrates management awareness to examiners, and turns a reactive exam-prep scramble into a deliberate improvement cycle.

Key Takeaways:

  • Self-assessments that identify and remediate issues before an exam are viewed favorably by examiners because they demonstrate CMS effectiveness
  • The assessment should mirror the examiner's methodology: evaluate board oversight, compliance program, and audit independently
  • Documenting the self-assessment (methodology, findings, remediation) creates evidence of proactive risk management
  • Gaps found and fixed are far better than gaps examiners find; repeat findings carry significantly more weight

Why Self-Assessment Matters to Examiners

The FFIEC Compliance Management System framework expects institutions to identify and correct compliance weaknesses before they become examination findings. An institution that conducts meaningful self-assessment and remediates identified issues demonstrates a functioning CMS, which directly influences the consumer compliance rating.

Per the FFIEC Uniform Interagency Consumer Compliance Rating System, a "1" rating requires that "any violations are self-identified and promptly corrected." A "2" rating requires that weaknesses are "being addressed." In both cases, the institution's ability to find its own problems is a positive factor.

Conversely, an institution where every deficiency is identified by the examiner, where no internal mechanism flagged the issue first, signals a CMS that isn't working. The compliance program may have policies and procedures, but the monitoring and self-assessment functions aren't catching problems.

This creates a practical dynamic: the same deficiency found by your team and remediated before the exam may result in no finding at all. Found by the examiner, it becomes a formal finding in the Report of Examination.

Building a Self-Assessment Framework

A compliance self-assessment should be structured, documented, and cover the same ground an examiner would. The framework below aligns with FDIC and FFIEC examination methodology.

Step 1: Define Scope and Methodology

Before starting, document what you're assessing, why, and how. This documentation is important because examiners may review your self-assessment methodology as evidence of your CMS.

Scope options:

  • Full compliance program assessment (all applicable regulations)
  • Targeted assessment of specific high-risk areas (BSA/AML, fair lending, UDAAP)
  • Prior exam finding verification (focused on whether previous findings have been fully remediated)
  • New product or activity assessment (evaluating compliance infrastructure for recent changes)

Methodology documentation should include:

  • Assessment date range and review period
  • Regulations and risk areas covered
  • Sampling methodology for transaction testing (sample sizes, selection criteria)
  • Assessor(s); independence from the functions being assessed adds credibility
  • Evaluation criteria (what constitutes a "satisfactory" versus "needs improvement" finding)

Step 2: Evaluate Board and Management Oversight

Using the FFIEC CMS framework as your guide, assess the first component:

  • Are compliance policies current, board-approved, and reviewed within the required timeframe?
  • Do board minutes reflect substantive discussion of compliance risk (not just "report received")?
  • Does the board receive regular compliance reporting with sufficient detail for informed oversight?
  • Is the compliance function adequately staffed and resourced for the institution's risk profile?
  • Are prior examination findings tracked to completion with documented evidence?
  • Is there a documented compliance risk assessment that's updated at least annually?

Rate each element and document specific evidence supporting your assessment. Where you identify gaps, note the remediation action needed and assign a responsible party and deadline.

Step 3: Evaluate the Compliance Program

Assess the four sub-elements of the compliance program:

Policies and procedures:

  • Is there a policy and procedure for each applicable regulation?
  • Are procedures specific enough to guide employee behavior (not just restated regulatory language)?
  • When were policies last reviewed and updated?
  • Are policies accessible to the employees who need them?

Training:

  • Is there a documented training plan covering all applicable regulations?
  • Are training records complete (date, content, attendees, completion confirmation)?
  • Is training current with recent regulatory changes?
  • Does training cover regulation-specific requirements (not just general compliance awareness)?
  • Is new employee compliance training delivered within a defined timeframe?

Monitoring and testing:

  • Is there a documented monitoring schedule covering high-risk regulations?
  • Are monitoring results documented with methodology, sample size, findings, and corrective actions?
  • Does monitoring identify actual exceptions, or does it consistently report zero findings (which suggests insufficient depth)?
  • Is transaction testing performed on a periodic basis with adequate sample sizes?

Consumer complaint response:

  • Is there a centralized complaint tracking system?
  • Are complaints analyzed for trends and patterns?
  • Do complaint trends trigger compliance reviews when they identify potential systemic issues?
  • Are complaints resolved within defined timeframes?

Step 4: Evaluate the Compliance Audit Function

The third CMS component requires independent assessment:

  • Is the compliance audit independent from the compliance function?
  • Does the audit plan reflect a risk-based approach (higher-risk areas tested more frequently)?
  • Is the audit scope sufficient? Does it include transaction testing, not just policy reviews?
  • Does the audit produce meaningful findings (zero findings suggests insufficient depth)?
  • Are audit findings tracked to remediation with evidence of completion?
  • Does the audit function report directly to the board's audit committee?

Step 5: Review Prior Examination Findings

This is the most time-sensitive element of a pre-exam self-assessment. Pull the most recent Report of Examination and verify every finding:

  • Was the corrective action completed?
  • Is there documented evidence of completion (not just an assertion)?
  • Was the corrective action sustained (did the fix hold, or did the issue recur)?
  • Were underlying root causes addressed, or was only the symptom corrected?

Repeat findings (issues identified in the prior exam that appear again) carry disproportionate weight in the current exam. They suggest the institution either didn't remediate effectively or has a systemic problem. See our compliance exam preparation guide for additional detail on managing prior findings.

Gap Identification and Prioritization

The self-assessment will produce a list of findings ranging from minor documentation issues to significant program gaps. Prioritize them:

Critical (remediate before the exam):

  • Prior exam findings that haven't been fully corrected
  • Regulatory violations (e.g., systematic TILA disclosure errors, CDD documentation failures)
  • Missing compliance program components (no monitoring for a high-risk regulation)
  • Board oversight gaps with no evidence of remediation planning

Significant (begin remediation, document the plan):

  • Training gaps for specific regulations
  • Policies that haven't been updated to reflect recent regulatory changes
  • Monitoring that's informal and undocumented
  • Audit scope that doesn't cover identified high-risk areas

Moderate (schedule for remediation):

  • Documentation improvements needed (better meeting minutes, more detailed monitoring records)
  • Process improvements that would increase efficiency but aren't compliance failures
  • Enhancements to reporting or tracking systems

For each gap, document: the finding, the regulation or CMS component affected, the severity, the remediation action, the responsible party, the target completion date, and the evidence that will confirm remediation.

Documenting the Self-Assessment

The self-assessment report itself becomes evidence of your CMS effectiveness. Document it formally:

Executive summary: Key findings, overall assessment of CMS health, and priority remediation items.

Detailed findings: Organized by CMS component (board oversight, compliance program, audit) with specific observations, evidence reviewed, and gap identification.

Remediation tracker: A matrix showing each finding, severity, action item, owner, due date, and status.

Supporting evidence: References to the specific documents, records, and testing results that informed each finding.

Present the self-assessment results to the compliance committee or the board, and document the presentation in the meeting minutes. This creates a clear record that management identified issues and the board was informed, which is exactly the governance behavior examiners want to see.

How Examiners View Self-Assessment Results

Examiners treat self-assessments as a positive indicator when they're genuine. A well-documented self-assessment that identified real issues and led to corrective action demonstrates:

  • Management is aware of compliance risk
  • The institution has mechanisms to identify problems before they become examination findings
  • Remediation is underway for known issues
  • The board is informed of compliance program health

However, a superficial self-assessment that reports no findings will be viewed skeptically, particularly if the examiner identifies deficiencies the self-assessment missed. The credibility of your self-assessment depends on its thoroughness and honesty.

How Canarie Makes Self-Assessment Continuous

The challenge with annual self-assessments is that compliance evidence is scattered across systems. Pulling together monitoring results, training records, evidence of completed tasks, and board reporting for a point-in-time assessment takes weeks of effort.

Canarie captures compliance evidence as work happens, organized by regulation and exam category. Self-assessment becomes a review of an existing evidence inventory, not a reconstruction of what happened over the past 18 months.



Frequently Asked Questions

How far before an exam should we conduct a self-assessment?

Start at least 90 days before the expected exam date. This gives you time to complete the assessment (2-4 weeks), remediate critical and significant findings (4-8 weeks), and document both the assessment and the remediation. If your exam cycle is predictable, build the self-assessment into your annual compliance calendar rather than treating it as an exam-driven activity.

Can the compliance officer conduct the self-assessment, or does it need to be independent?

The compliance officer can and should lead the self-assessment; it's distinct from the compliance audit, which requires independence. However, the compliance officer assessing their own program carries some inherent bias. Consider involving other departments or engaging an external consultant for higher-risk areas. What matters most to examiners is that the assessment is documented, thorough, and leads to action, not who performed it.

What if the self-assessment finds serious deficiencies we can't fix before the exam?

Document the findings, the remediation plan, and the expected completion date. Being transparent with examiners about known issues you're actively addressing is far better than having them discover undisclosed problems. Examiners evaluate whether management is aware of and responding to deficiencies; a credible remediation plan in progress is a stronger signal than pretending the problem doesn't exist.

Should we share the self-assessment results with the examiners?

This is a judgment call. You're not required to share the self-assessment report, and doing so makes it part of the examination file. However, if the self-assessment led to meaningful remediation, sharing it demonstrates proactive risk management. Discuss with legal counsel before sharing, as self-assessment documents may lose certain protections once provided to regulators. At minimum, the remediation actions taken as a result of the self-assessment should be documented and available.
