Alongside any organization’s final 2026 compliance program, there are questions bankers ask when they need a fast, accurate answer. Those questions reveal the topics where regulatory guidance is genuinely unclear, the rules that trigger the most internal escalation, and the friction points that drive policy and training investment.

Over a recent 90-day window, our Ask Kaia AI compliance platform received thousands of compliance questions from bankers across community and regional institutions. In the companion webinar What Bankers Are Really Asking Kaia: A 90-Day Compliance Pulse Check, 360factors Director Ken Proctor walks through the anonymised dataset and the top topics it surfaces.

What follows is the written companion to that webinar, which compliance teams can use as a reference. It covers the highest-volume question topics, each mapped to the regulatory anchor behind it.

The 90-day Ask Kaia “Pulse Check” Explained

The “pulse check” uses anonymised metadata from thousands of compliance questions asked by bankers to Kaia over a period of 90 days. The questions cover the full range of community and regional bank compliance work including:

  • BSA/AML
  • Fair lending
  • Deposit regulations
  • Lending disclosures
  • Complaints handling
  • Vendor management
  • Cybersecurity reporting

Ken Proctor, our Director of Sales, presents an analysis of this data in a 40-minute webinar designed for community and regional bank compliance officers, risk managers, and executives.

The question stream is treated as evidence of where formal guidance has not closed the gap to operational reality, and where compliance teams should focus training, policy refinement, and technology investment in 2026.

Ask Kaia Compliance Question Topic Overview

The table below captures the highest-volume compliance topics in the 2026 Ask Kaia question stream, the regulatory anchor behind each one, and the action a compliance team should consider in response.

| # | Topic | Regulatory anchor | Action for the compliance team |
|---|-------|-------------------|--------------------------------|
| 1 | BSA/AML and beneficial ownership reporting | Corporate Transparency Act; FinCEN BOI rule and access rule | Update policy; train front-line on BOI scope |
| 2 | Fair lending and Section 1071 small business data | CFPB 12 CFR 1002 subpart B (Section 1071) | Operational readiness; data infrastructure |
| 3 | UDAAP and complaints management | CFPB UDAAP authority; prudential UDAP | Complaint root-cause analysis; disclosure review |
| 4 | Cybersecurity incident notification | 12 CFR Part 53 (36-hour rule) | Incident playbook update; vendor notification protocols |
| 5 | Third-party and fintech partnership oversight | 2023 interagency third-party risk management guidance | Tiered vendor inventory; partnership compliance reviews |
| 6 | AI and model governance for compliance | SR 11-7 model risk management guidance | Model inventory including AI; validation calendar |
| 7 | Regulatory change management | OCC, FDIC, FRB, CFPB, NCUA active rulemakings | Regulatory change workflow; policy-to-citation mapping |
| 8 | HMDA and mortgage compliance | Regulation C; CFPB HMDA rule updates | Data quality checks; LAR review process |

Read on to get a deeper insight into some of these topics and what they mean for bankers in 2026:

BSA/AML and beneficial ownership reporting

The Corporate Transparency Act took effect for most reporting companies on January 1, 2024, and originally required them to file beneficial ownership information (BOI) reports with the Financial Crimes Enforcement Network.

The implementation has since been turbulent. There have been court challenges, scope changes, and the FinCEN interim final rule published on March 26, 2025, which revised the definition of “reporting company” to mean only entities formed under foreign law and registered to do business in a US state or tribal jurisdiction. The effect, per FinCEN, is that entities created in the United States and their beneficial owners are exempt from the requirement to report BOI.

Bankers ask Kaia about the post-March 2025 reporting scope, the interaction between the BOI rule and the existing FinCEN customer due diligence rule for legal-entity customers, and the FinCEN access rule that governs which authorised users can request BOI data. The compliance team action is straightforward:

  • Update the BSA/AML policy to reflect the current BOI scope
  • Retrain front-line account opening staff
  • Rehearse the institution’s response to law-enforcement BOI requests

Fair lending and Section 1071 small business data collection

Section 1071 of the Dodd-Frank Act requires lenders to collect and report data on small business credit applications, and the CFPB’s rule at 12 CFR 1002 subpart B (Regulation B) sets the operational framework.

The CFPB issued a revised final rule on May 1, 2026, that narrows the scope of the 2023 rule, establishes a single compliance date of January 1, 2028 for all covered financial institutions, retains an origination threshold of 1,000 small business credit transactions in 2026 and 2027 to trigger coverage, and preserves a 2028 grace period during which the CFPB has stated it will generally not assess penalties for good-faith data errors. The first Small Business Lending Application Register is due by June 1, 2029.

Question volume on Section 1071 concentrates on the operational mechanics:

  • Which transactions are covered under the revised scope?
  • How are the data fields defined?
  • What is the firewall requirement that separates protected applicant information from underwriting and pricing?
  • What is the reporting and disclosure schedule under the new single compliance date?

The compliance team should confirm the institution’s status against the 1,000-origination threshold in 2026 and 2027, complete the data infrastructure, and run an end-to-end test of the data collection and reporting workflow before January 1, 2028.

UDAAP and complaints management

Unfair, deceptive, or abusive acts or practices remain a persistent examiner focus across CFPB and prudential regulator examinations. The 2026 question stream highlights:

  • Overdraft fee practices
  • Deposit account disclosures
  • The boundaries of permissible junk-fee characterisations
  • The operational integration of complaint root-cause analysis into the broader compliance monitoring program

Compliance teams using the question stream to prioritise should look at three artifacts:

  • The deposit disclosure set as actually delivered to consumers
  • The complaint intake and categorisation workflow
  • The root-cause analysis cadence that connects complaint themes back to policy or process changes

Cybersecurity incident notification and operational resilience

The Computer-Security Incident Notification Rule, finalised by the OCC, Federal Reserve, and FDIC in November 2021 and codified at 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Federal Reserve, and 12 CFR Part 304 for the FDIC, requires banking organisations to notify their primary federal regulator no later than 36 hours after determining that a notification incident has occurred. The rule took effect April 1, 2022, with a May 1, 2022 compliance date.

Banker questions on the rule concentrate on the determination:

  • What qualifies as a “notification incident” under the rule’s definitions?
  • How to handle a vendor-driven incident where the bank service provider triggers the notification clock?
  • How does the determination interact with the institution’s broader incident-response playbook?

The 2020 interagency Sound Practices to Strengthen Operational Resilience, while formally describing standards for the largest banking organisations, has shaped supervisory expectations for community institutions as well. The compliance team action is to:

  • Keep the incident-response playbook current
  • Rehearse the 36-hour determination
  • Align vendor contracts with the notification path

Third-party and fintech partnership oversight

The June 2023 interagency guidance on third-party relationships, issued jointly by the OCC, Federal Reserve, and FDIC, replaced the prior agency-specific guidance with a single standard and pushed third-party risk management squarely into the operational risk and compliance remit.

Multiple 2024 and 2025 consent orders against banks for fintech-partnership compliance failures kept the topic high on examiner worksheets. The question stream concentrates on banking-as-a-service models, specifically how to allocate customer due diligence, BSA monitoring, and consumer protection responsibilities between the bank and the fintech partner.

Bankers also asked about sub-outsourcing, such as where the bank’s vendor in turn relies on its own vendors.

The compliance team action is to:

  • Confirm the tiered vendor inventory
  • Run fintech-partnership compliance reviews against the 2023 interagency expectations
  • Map customer-data flows through every partnership

AI and model governance for compliance

Supervisory Letter SR 11-7 on model risk management, issued by the Federal Reserve and the OCC in April 2011 and adopted by the FDIC in 2017, remains the primary US anchor for how models are validated and governed. Examiners apply its principles to AI systems even where the model is purchased rather than built, and the 2026 AI-in-banking landscape has made this a high-volume topic in the Ask Kaia stream.

The questions surface a particular meta-pattern: bankers using an AI compliance assistant to ask about how to govern AI in compliance.

The content covers:

  • Explainability of AI-influenced decisions
  • Drift monitoring for production models
  • Vendor model dependency when the model is owned by a fintech or core provider
  • Documentation expected during examinations

The compliance team action is to:

  • Build or refresh a model inventory that includes AI systems and vendor models
  • Set a validation calendar scaled to model materiality
  • Document the human-in-the-loop controls that sit around AI decisions

Regulatory change management

The pace of 2026 rulemaking activity across CFPB, OCC, FDIC, Federal Reserve, FinCEN, and NCUA creates a regulatory change management problem that few community-bank compliance teams can handle manually.

Bankers ask Kaia about:

  • The priority of specific rules
  • The mapping of rule text to existing policies
  • The operational steps required to comply by the rule’s compliance date

The compliance team action is structural. A regulatory change workflow that captures rule alerts, assigns them to a policy and a procedure, tracks implementation tasks, and produces an audit trail of attestations is an examiner expectation for any institution facing the 2026 rulemaking volume.

The pulse check makes the case that the question stream itself is a regulatory change signal: a sudden cluster of questions on a topic usually means a new rule is in implementation and the policy has not yet caught up.

Frequently Asked Questions

What are the top banking compliance trends in 2026?

The 2026 question stream concentrates on BSA/AML and beneficial ownership reporting, fair lending and Section 1071 small business data collection, UDAAP and complaints management, cybersecurity incident notification under the 36-hour rule, third-party and fintech partnership oversight, AI and model governance, regulatory change management, and HMDA mortgage compliance.

How is AI changing the way bankers ask compliance questions?

AI compliance assistants change two things at once. They make answers to routine compliance questions instantly available, which shifts the compliance team’s role from first-line answer provider toward curator and overseer. And they generate a question stream that becomes a compliance prioritisation signal.

What is Section 1071 and why are bankers asking about it?

Section 1071 of the Dodd-Frank Act requires lenders to collect and report data on small business credit applications under the CFPB’s rule at 12 CFR 1002 subpart B (Regulation B). The CFPB issued a revised final rule on May 1, 2026, that narrowed the data set, set a single compliance date of January 1, 2028 for all covered institutions, and retained a 1,000-origination coverage threshold in 2026 and 2027.

Bankers ask about the operational mechanics:

  • Covered transactions
  • Data fields
  • The firewall requirement
  • The reporting workflow under the revised rule

How does the 36-hour Computer-Security Incident Notification Rule affect community banks?

The Computer-Security Incident Notification Rule, finalised by the OCC, Federal Reserve, and FDIC in November 2021 and codified at 12 CFR Part 53 (OCC), 12 CFR Part 225 (Federal Reserve), and 12 CFR Part 304 (FDIC), requires banking organisations to notify their primary federal regulator within 36 hours of determining that a notification incident has occurred.

Community banks face the same notification clock as larger institutions, and the question stream concentrates on the determination (for example, “what counts as a notification incident?”), especially when a third-party provider drives the event.

For the full data-driven walkthrough, watch the 40-minute webinar What Bankers Are Really Asking Kaia: A 90-Day Compliance Pulse Check presented by 360factors Sales Director Ken Proctor.
