Key Takeaways
- Examiners test five infrastructure layers that most vendor demos do not show. The five are governance fit, third-party risk, operational resilience, training-as-pillar, and audit-trail evidence.
- The June 6, 2023 Interagency Guidance on Third-Party Relationships (OCC Bulletin 2023-17) raised the bar for SaaS LMS due diligence at U.S. banks.
- OCC Heightened Standards (12 CFR Part 30 Appendix D) put the board, not the vendor, on the hook for the bank’s risk governance framework and code of conduct.
- A platform without an exam-mode evidence export and a contractual right to obtain training records during an exam will fail the audit-trail test under SOX 404 and the FFIEC IT Handbook.
- 31 USC 5318(h) of the Bank Secrecy Act treats ongoing training as one of four required AML program components; a platform that cannot prove the training cycle ran is a regulatory exposure.
Most banks evaluate their compliance training platform on features, and a regulatory examiner tests something entirely different. The vendor demo shows AI-powered content libraries, mobile-first UX, gamification, and reporting dashboards. The OCC, FDIC, or Federal Reserve IT examiner arrives with a checklist that asks five different questions, and most platforms have never been stress-tested against any of them. The five layers below are each anchored in a specific regulatory expectation that an examiner can and will test, and each gives the compliance officer a defensible procurement question to put to a vendor before signing.
A Mini Case: When a Bank’s Compliance Training Platform Failed During an OCC Exam
A mid-size regional national bank (this scenario is illustrative, built from failure patterns in interagency third-party risk guidance and common OCC exam findings) ran annual compliance training on a third-party SaaS LMS. During a recent OCC IT examination, the vendor’s authentication system failed for several hours and the bank could not produce training-completion evidence for its workforce inside the exam window. The OCC finding cited inadequate controls over third-party training records under OCC Bulletin 2023-17 (the June 6, 2023 interagency guidance). The bank’s vendor contract had no SLA on authentication uptime, no contractual right to obtain training records during an exam window, and no incident-disclosure timeline. The episode produced a Matters Requiring Attention finding, forced a vendor change, and led to a multi-month rebuild of the bank’s compliance training stack.
The outcome traces to three specific gaps in the bank’s vendor relationship. Authentication uptime was below what an exam window can tolerate, audit-trail extraction required vendor cooperation that the contract did not obligate the vendor to provide, and third-party risk controls under OCC Bulletin 2023-17 were inadequate because the bank had not treated the LMS vendor as a critical third party with the inventory and monitoring that designation requires.
A vendor demo would not have surfaced any of the three failure modes, because vendor demos are not designed to ask the questions an examiner will.
What Examiners Test in Practice, Not What Vendors Pitch
A vendor demo and an OCC IT examination are designed to answer different questions. The vendor’s goal is to establish that the platform is the best in its category, while the examiner’s goal is to confirm the platform is consistent with the regulatory framework the bank’s board owns. Those two goals rarely produce the same evaluation criteria, which is why a bank that selects a platform based on vendor demos alone is optimizing for the wrong test.
A typical vendor demo emphasizes four things.
- An AI-powered content library the salesperson can scroll through.
- A mobile-first UX that looks good on a phone.
- Gamification and badges that show learner engagement.
- Slick reporting dashboards that look ready for a board meeting.
All four are legitimate platform capabilities, and none of them is what the examiner tests.
The examiner’s question set covers four areas.
- OCC Appendix D governance fit: does the board own the framework the platform supports?
- Third-party risk under OCC Bulletin 2023-17: is the vendor on the bank’s third-party inventory at the right tier, with documented monitoring?
- FFIEC and SR 21-14 authentication and access: can the bank withstand a vendor authentication outage?
- Audit trail under SOX 404 and the FFIEC IT Handbook: can the bank produce role-tiered training-completion evidence at exam-window speed?
KnowledgeCity’s compliance training best practices guide covers the program-design discipline that connects the two sides.
A compliance officer who walks into procurement with the examiner’s question set instead of the vendor’s feature checklist asks different questions and ends with a different shortlist. Regulatory compliance training in 2026 is a risk-governance question, and the framework below is what the examiner’s version of that question looks like.
The Five-Layer Framework for Evaluating a Bank Compliance Training Platform
Five layers, each anchored to a specific regulatory expectation, define what a banking compliance training platform has to meet in 2026 and beyond.
Layer 1: Governance Fit (OCC Appendix D and Federal Reserve SR 21-3/CA 21-1)
Governance fit is the threshold question for any platform procurement. OCC Heightened Standards in 12 CFR Part 30 Appendix D require covered national banks (currently those with average total consolidated assets of $50 billion or more) to maintain a written risk governance framework with a code of conduct overseen by the board of directors. On December 23, 2025, the OCC proposed raising that threshold to $700 billion; until that rulemaking is finalized, the $50 billion threshold remains in effect. Federal Reserve SR 21-3 / CA 21-1, issued February 26, 2021, sets analogous expectations for board effectiveness at bank holding companies and savings-and-loan holding companies with $100 billion or more in total consolidated assets. The compliance officer’s question to the vendor is whether the platform supports a code-of-conduct curriculum mapped to role-risk, audited by the board’s risk committee, and reportable on a quarterly cycle.
Layer 2: Third-Party Risk (Interagency Guidance June 6, 2023)
Every SaaS LMS vendor in a bank’s compliance program is a third party under the June 6, 2023 interagency guidance, and the bank owns the risk that vendor relationship carries. The Interagency Guidance on Third-Party Relationships and Risk Management (codified for the OCC as Bulletin 2023-17) replaced prior agency guidance and raised the bar on SaaS vendor due diligence. The procurement evaluation needs to confirm that the bank’s third-party inventory tier matches the vendor’s actual criticality, that the contract covers incident disclosure within a defined window, and that the bank holds the contractual right to obtain training records during an exam.
Layer 3: Operational Resilience (SR 21-14 and SOC 2)
Operational resilience is the layer most compliance officers assume is the vendor’s problem until an exam window coincides with a vendor outage. Federal Reserve SR 21-14, issued August 11, 2021, sets supervisory expectations for authentication and access risk management at financial institutions. The AICPA SOC 2 Trust Services Criteria and ISO/IEC 27001 give the bank the assurance artifacts to evaluate the vendor’s security and availability controls. Here, ask the vendor for a SOC 2 Type II report rather than a Type I, confirm the report’s availability criterion is in scope, and check that the contract carries an authentication-uptime SLA tied to the exam window. A Type II report covers how the controls operated over a period, typically six to twelve months, where a Type I only covers their design at a single date; check that the period covers the time the bank relies on, read any exceptions the auditor noted, and map the complementary user entity controls the report assigns to the bank, because those controls are the bank’s to operate, not the vendor’s.
Layer 4: Training as Pillar (BSA 31 USC 5318(h) and FINRA Rule 3110)
Under 31 USC 5318(h), ongoing employee training carries the same statutory weight as the designated compliance officer and the independent audit function, as one of four required components of every bank’s AML program. A platform that cannot prove the training cycle ran is leaving a statutory requirement unmet. FINRA Rule 3110 requires every member firm to establish a supervisory system with written supervisory procedures, and FINRA Rule 1240 requires firms to maintain an ongoing continuing-education program for covered registered persons. Before signing, the compliance officer needs to verify that the platform supports role-tiered AML training, that completion records are exportable at the AML compliance officer’s request, and that the platform can demonstrate the training cycle ran every quarter without manual reconciliation.
Layer 5: Audit-Trail Evidence (SOX 404 and the FFIEC IT Handbook)
The audit trail is the artifact every other layer collapses into when the examiner shows up. Section 404 of the Sarbanes-Oxley Act of 2002 requires public companies, including most U.S. bank holding companies that are SEC registrants, to maintain and assess internal controls over financial reporting. The FFIEC IT Examination Handbook’s Outsourcing Technology Services booklet sets interagency examiner expectations for the management of technology service provider relationships. The compliance officer needs to confirm that the platform can produce an exam-mode evidence export, time-stamped and role-tagged, that the bank can hand to the examiner inside the exam window.
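Layers 4 and 5 both come down to the same check: can the bank take the export, confirm every covered role completed every required course inside the quarter without manual reconciliation, and show the examiner that no record was altered or dropped on the way. The script below is an added example of that check and is not code from KnowledgeCity or from any LMS vendor. The roster, the required-course map, the course codes, and the export records are all constructed for illustration, and the record layout (employee, role, course, UTC completion timestamp) is an assumption about what an exam-mode export would carry. The hash chain is one way to make an export tamper-evident; a platform that signs its export instead would serve the same purpose.

```python
"""Added example (not vendor code): reconcile a constructed exam-mode
completion export against a role roster per quarter, and verify a hash
chain over the exported records so that an edited or dropped record is
detectable. Roster, required-course map and export records are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed roster: employee id -> role, and required courses per role.
ROSTER = {"e001": "teller", "e002": "teller", "e003": "bsa_analyst", "e004": "lender"}
REQUIRED_BY_ROLE = {
    "teller": {"AML-101", "CODE-OF-CONDUCT"},
    "bsa_analyst": {"AML-101", "AML-201", "CODE-OF-CONDUCT"},
    "lender": {"CODE-OF-CONDUCT"},
}
# Constructed export records, each time-stamped (UTC) and role-tagged.
EXPORT = [
    {"employee": "e002", "role": "teller", "course": "CODE-OF-CONDUCT", "completed_at": "2025-12-30T09:12:40Z"},
    {"employee": "e001", "role": "teller", "course": "AML-101", "completed_at": "2026-01-14T15:02:11Z"},
    {"employee": "e001", "role": "teller", "course": "CODE-OF-CONDUCT", "completed_at": "2026-01-14T15:40:03Z"},
    {"employee": "e002", "role": "teller", "course": "AML-101", "completed_at": "2026-02-03T11:21:55Z"},
    {"employee": "e003", "role": "bsa_analyst", "course": "AML-101", "completed_at": "2026-02-10T08:05:19Z"},
    {"employee": "e003", "role": "bsa_analyst", "course": "AML-201", "completed_at": "2026-02-11T16:48:02Z"},
    {"employee": "e003", "role": "bsa_analyst", "course": "CODE-OF-CONDUCT", "completed_at": "2026-03-02T10:00:00Z"},
    {"employee": "e004", "role": "lender", "course": "CODE-OF-CONDUCT", "completed_at": "2026-03-27T13:30:45Z"},
]
GENESIS = "0" * 64  # prev_hash of the first record in the chain


def quarter_of(ts):
    """Map an ISO-8601 UTC timestamp to (year, quarter)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.year, (dt.month - 1) // 3 + 1


def coverage_gaps(records, roster, required_by_role, year, quarter):
    """(employee, role, course) triples required for the role but not completed
    inside the given quarter. An empty list means the cycle ran for everyone."""
    done = {(r["employee"], r["course"]) for r in records
            if quarter_of(r["completed_at"]) == (year, quarter)}
    return [(emp, role, course)
            for emp, role in sorted(roster.items())
            for course in sorted(required_by_role[role])
            if (emp, course) not in done]


def canonical(record):
    """Deterministic byte encoding so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_export(records):
    """Attach prev_hash/hash to each record; each hash commits to all earlier ones."""
    prev, out = GENESIS, []
    for r in records:
        h = hashlib.sha256(prev.encode() + canonical(r)).hexdigest()
        out.append({**r, "prev_hash": prev, "hash": h})
        prev = h
    return out


def verify_chain(chained, expected_head=None):
    """Recompute the chain. Any edit, reorder or deletion before the head breaks it;
    deletion at the tail is only caught when the head hash recorded on receipt is passed in."""
    prev = GENESIS
    for entry in chained:
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev:
            return False
        if entry["hash"] != hashlib.sha256(prev.encode() + canonical(body)).hexdigest():
            return False
        prev = entry["hash"]
    return expected_head is None or prev == expected_head


def example_results():
    """Run the checks on the constructed data and return the outcomes."""
    gaps = coverage_gaps(EXPORT, ROSTER, REQUIRED_BY_ROLE, 2026, 1)
    chained = chain_export(EXPORT)
    head = chained[-1]["hash"]          # what the bank records when it receives the export
    edited = [dict(e) for e in chained]
    edited[3]["completed_at"] = "2026-03-31T23:59:59Z"   # a backdated/altered record
    dropped = chained[:2] + chained[3:]                    # a middle record deleted
    truncated = chained[:-1]                               # the last record deleted
    return {
        "gaps": gaps,
        "intact": verify_chain(chained, head),
        "edited": verify_chain(edited, head),
        "dropped": verify_chain(dropped, head),
        "truncated_unchecked": verify_chain(truncated),
        "truncated_checked": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    print(json.dumps(example_results(), indent=2))
```

On the constructed data the only Q1 2026 gap is e002’s code-of-conduct course, which the export does contain, but dated December 30, 2025, so it counts toward Q4 2025 and not the quarter under review; that is the kind of reconciliation an examiner expects the platform to do for the bank rather than the bank doing by hand in a spreadsheet. The tail-truncation case is the reason the bank should record the head hash (or the vendor’s signature) at the moment it receives each export: without that anchor the chain verifies even after the last records are removed.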
Train Your Bank’s Compliance Staff on a Platform Built for the Exam Window
KnowledgeCity’s compliance courses cover the regulatory frameworks examiners apply at U.S. banks, including OCC Heightened Standards, Federal Reserve SR 21-3, and the June 2023 interagency third-party risk guidance.
What OCC Heightened Standards Imply for Platform Choice
The OCC Heightened Standards in 12 CFR Part 30 Appendix D are the single most cited document at the platform-procurement layer because they make board ownership explicit. The Standards currently apply to large national banks with average total consolidated assets of $50 billion or more, and they require a covered bank to maintain a written risk governance framework with a code of conduct that the board oversees. The OCC’s December 23, 2025 proposed rulemaking would raise that threshold to $700 billion, but compliance officers should continue planning to the existing $50 billion threshold until the proposed rule is finalized.
That language has direct implications for platform choice. The board’s framework defense rests on the bank being able to show that employees in covered roles received the training the framework requires. The platform is the artifact that makes that showing possible, and a platform that cannot produce role-tiered completion records, time-stamped and exportable inside the exam window, removes the defense at the moment the examiner asks for it.
There is a second-order implication that compliance officers often miss. The Heightened Standards make the board accountable for the bank’s risk governance, and examiners observe governance through artifacts rather than statements. A board that cannot point to a platform-produced quarterly report on training completion is presenting an examiner with a gap where the evidence should be.
The Procurement Questions Every Compliance Officer Should Ask
The questions below map directly to the five layers and to what an examiner will test. The framework applies equally to platform evaluation and to compliance training software procurement.
- Does the platform map a code-of-conduct curriculum to role-risk and report to the board’s risk committee quarterly?
- Is the vendor on the bank’s third-party inventory at the correct tier with documented monitoring?
- What is the contractual incident-disclosure timeline for a platform outage?
- Is the SOC 2 Type II report in scope for availability, not just security?
- What is the authentication-uptime SLA, and how does it map to exam-window expectations?
- Does the platform support role-tiered AML training under BSA 31 USC 5318(h)?
- Can the bank export an exam-mode evidence package without vendor intervention?
- Is the vendor’s roadmap aligned with NIST AI RMF 1.0 for any AI-led content scoring?
Honest answers to all eight are rare, and a vendor that answers six well is a strong shortlist candidate. A vendor that cannot answer any of them is a Matters Requiring Attention finding waiting to be written.
A Common Procurement Error
A common procurement error is asking only for ISO 27001 and SOC 2 reports. The examiner will also ask for the bank’s right to obtain training-completion evidence during an exam, the vendor’s authentication-uptime SLA, the vendor’s incident-disclosure timeline, and the vendor’s role in the bank’s third-party risk inventory under OCC Bulletin 2023-17. ISO and SOC 2 are a necessary baseline, and the examiner will test well beyond them.
The Platform Bar by 2027
The platform bar will be higher by 2027 than it is in 2026, driven by three regulatory and technical shifts that are already underway.
AI-Aware Procurement
The NIST AI Risk Management Framework (AI RMF 1.0), released January 26, 2023, gives a banking compliance officer the framework for evaluating an AI-enabled training platform. Vendors that score, generate, or personalize content with AI without the AI RMF discipline are vendors the next exam will flag.
Tighter Third-Party Risk
The June 6, 2023 interagency guidance has been operationalized across the federal banking agencies’ exam programs through 2024 and 2025. By 2027, a SaaS LMS vendor that is not on the bank’s third-party inventory at the right tier, with documented monitoring, will be the most exposed gap in the bank’s risk posture.
Audit-Trail Evidence as Default
The Wells Fargo case shows how far the agencies will go. The Federal Reserve’s 2018 consent order froze the bank’s growth at its end-of-2017 size, roughly $1.95 trillion in total assets, and the restriction held for more than seven years. The Fed lifted it in June 2025, but only after the bank demonstrated remediated governance and passed the required third-party assessments. The signal to procurement is that the agencies will cap a bank’s growth over weak governance of risk and conduct, and they lift that cap only when the bank can prove the governance works through documented artifacts. By 2027, an LMS without exam-mode evidence export will be unsellable to the top-50 U.S. bank holding companies.
The compliance officer who lands a platform decision in the next twelve months is making a decision that has to survive three exam cycles, and each of those cycles will test the same five regulatory anchors the framework is built on.
What a Platform Decision Looks Like When the Examiner Is the Buyer
A banking compliance training platform is a risk-governance instrument the bank’s board owns and an examiner tests. Whether it passes that test depends entirely on whether the platform can produce role-tiered, audit-grade evidence at exam-window speed, which is the one output that OCC Appendix D, the June 2023 interagency guidance, Federal Reserve SR 21-14, BSA 31 USC 5318(h), and SOX 404 all converge on. Compliance officers who walk procurement through each of those regulatory anchors before signing end with a platform that holds up when the examiner arrives. Those who rely on the vendor demo alone end with a finding the board has to explain. The regulatory and reputational costs of that outcome are covered in KnowledgeCity’s analysis of the hidden costs of noncompliance.
Equip Your Bank’s Compliance Team for the Next OCC, FDIC, and Federal Reserve Exam
KnowledgeCity’s workforce development platform helps banking-compliance leaders deliver scenario-based training that produces the audit-trail evidence the five-layer examiner test requires.
Frequently Asked Questions
What Does the June 6, 2023 Interagency Third-Party Risk Guidance Require of a Bank’s LMS Vendor?
The Federal Reserve, FDIC, and OCC jointly issued the Interagency Guidance on Third-Party Relationships and Risk Management on June 6, 2023, replacing the agencies’ separate prior guidance (the Board’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and its 2020 FAQs). The guidance requires banks to identify, assess, and monitor third-party relationships in a risk-based manner. For an LMS vendor, that means the vendor is on the bank’s third-party inventory at a tier matching the vendor’s actual criticality, the contract supports the bank’s due-diligence requirements, and the bank monitors the vendor’s performance against the contract throughout the relationship.
Is SOC 2 Type II Enough for a Banking Compliance Training Platform?
SOC 2 Type II covers part of what the examiner will test. The report should be in scope for both security and availability, which matters when an exam window collides with a vendor outage. The bank also needs the contractual right to obtain training records during an exam window, an authentication-uptime SLA tied to that window, an incident-disclosure timeline, and the vendor’s place in the third-party inventory under OCC Bulletin 2023-17. SOC 2 plus ISO 27001 is a security baseline; the procurement question set above is what the OCC examiner tests.
What Does the Bank Secrecy Act Require of a Compliance Training Program?
Section 5318(h) of the Bank Secrecy Act, codified at 31 USC 5318, requires financial institutions to maintain anti-money-laundering programs that include four required components. The four required components are internal policies, procedures, and controls; a designated compliance officer; an ongoing employee training program; and an independent audit function to test the program. The training requirement is mandatory, and the bank has to prove the cycle ran. A platform that cannot produce role-tiered AML compliance training completion records at the BSA officer’s request is a regulatory exposure, and the same logic applies to BSA compliance training records for retail and operational staff outside the AML team.
How Do OCC Heightened Standards Affect Platform Choice?
The OCC Heightened Standards in 12 CFR Part 30 Appendix D currently apply to large national banks with average total consolidated assets of $50 billion or more. The Standards require a written risk governance framework with a code of conduct overseen by the board of directors. On December 23, 2025, the OCC proposed raising the threshold to $700 billion; until that rulemaking is finalized, the $50 billion threshold remains in effect. The compliance training platform is what demonstrates the bank operationalized the framework, and a platform that cannot produce role-tiered completion records and audit-grade evidence weakens that defense the moment the OCC examiner asks for it.
What Should a Compliance Officer Look For in an AI-Enabled Platform?
The NIST AI Risk Management Framework (AI RMF 1.0), released January 26, 2023, gives the compliance officer the evaluation discipline for any platform that uses AI to score, generate, or personalize content. The evaluation covers whether the vendor has identified the AI risk surface, whether governance, mapping, measurement, and management of that risk are documented, and whether the vendor’s AI roadmap aligns with the AI RMF. A vendor shipping AI features without that discipline is one the next exam will flag.