Prepare for an OCC Examination

OCC data-focused examinations typically assess your institution's compliance with BCBS 239, SR 11-7 (model risk), and the OCC's own data governance guidance for national banks. Examiners look for three things: that you know what data you have and who owns it, that your data is materially accurate and you can prove it, and that governance over critical data is continuous rather than episodic. CoComply is purpose-built to produce evidence for all three. Before the exam begins, review the OCC's formal Information Request (IR) list and map each requested artifact to a CoComply module or report.

• OCC examiners increasingly request data lineage documentation — confirm your CDE-to-source-system mapping is current in CoComply.
• SR 11-7 compliance requires documented model inputs; CDEs used as model inputs should be tagged in CoComply's classification layer.
• Request a pre-examination briefing call with your OCC examiner-in-charge to clarify data-related requests before the examination window opens.

In CoComply, navigate to the Operate module and pull your governance metrics dashboard. Review: data asset coverage (what percentage of Tier 1 and Tier 2 assets have complete metadata), ownership assignment completeness, open DQ findings and their age, and certification cycle completion rates for the past two or three reporting periods. Any red or amber metrics need remediation before examiner arrival — document the remediation plan in CoComply's Findings Management module.

• Examiners will compare what you say your coverage is to what CoComply's audit log shows. Ensure the two are consistent.
• Focus first on CDEs tied to the report schedules the OCC has indicated will be in scope for the exam.
• Print or export the Governance Metrics dashboard as a baseline snapshot before you begin remediation — this shows progress over time.

OCC examiners will request your Enterprise Data Governance Policy and supporting procedures. In CoComply's Govern module, navigate to the Policies section. Confirm that your EDG Policy is current, approved, and version-controlled. Pull the Policy Implementation Plan — this document maps each policy commitment to an operational control and a responsible owner. Export both documents and stage them for production in your examination management tool (or directly in CoComply's evidence vault).

• Your EDG Policy should reference BCBS 239, FFIEC guidance, and your internal data governance framework by name.
• The Policy Implementation Plan should be dated within the last 12 months and show a completion status for each control.
• Examiners will look for evidence of Board or senior leadership approval — confirm your approval workflow is documented in CoComply.

The OCC's key question on data governance is whether you can trace the data in a regulatory report back to its source system and confirm who is accountable for its accuracy. In CoComply, use the Data Catalog to export CDE lineage records for the report schedules in scope. Each record includes: CDE name, MDRM code, source system, transformation logic (if documented), data owner, data steward, and the most recent attestation date.

• Export the CDE lineage package as an Excel or PDF file — OCC examiners prefer tabular formats for structured review.
• For CDEs sourced from third-party systems (core banking, loan origination), document the data transfer method and validation controls.
• If any CDEs lack lineage documentation, log them as an open finding in CoComply and note the remediation timeline.

One of the most powerful artifacts you can present to an OCC examiner is a complete certification record for your most recent regulatory filing. In the Certify module, pull the Certification Report for your last completed filing cycle. The report shows: which CDEs were in scope, who attested to their accuracy, when attestations were submitted, any exceptions raised, and how they were resolved. This is direct evidence that your data governance program is operational, not theoretical.

• Bring the last three certification cycles, not just the most recent one — this demonstrates a continuous program.
• Highlight any CDEs where exceptions were raised and resolved — this shows your controls actually catch problems.
• Examiners give credit for transparency. A well-documented exception with a clear resolution is better than a clean report with no history.

During the examination, examiners may request additional detail on specific CDEs, policies, or findings. CoComply gives you a real-time answer environment: any CDE, policy, or certification record can be retrieved instantly from the platform. Assign a CoComply-fluent team member as the dedicated examiner liaison. Use CoComply's role-based access controls to give examiners read-only access to the platform if your institution's security policies permit — this is increasingly common and accelerates the examination timeline significantly.

• Stage a CoComply demo environment pre-loaded with your governance data to walk examiners through the platform during the opening meeting.
• Prepare a one-page CoComply Platform Summary showing what is deployed, what data is governed, and how certification cadences align to filing schedules.
• Log any examiner requests for additional documentation as Findings in CoComply immediately — this creates an audit trail of examination activity.