When a financial examiner asks to see your gap assessment during a routine examination, they are asking one question: did your compliance team identify this obligation on its own, on time, and before the exam? The document you hand them is your answer. And the date on the document is frequently more important than the content.
A gap assessment that was initiated the week an examination notice arrived signals a reactive compliance program. An examiner who sees a dated assessment prepared months before the exam visit — triggered by a regulatory change, completed by the responsible officer, with remediation actions tracked to closure — is looking at evidence of a functioning compliance process. The same underlying facts, organized differently in time, produce completely different examination outcomes.
What a Gap Assessment Actually Is (and Isn't)
The term "gap assessment" gets used loosely. In the context financial examiners use it, a gap assessment is a structured comparison between a specific regulatory requirement and an institution's current policy, procedure, or control that is supposed to satisfy it — with a documented conclusion about whether a gap exists, and if so, what the remediation path is.
A gap assessment is not a compliance manual review. It is not an annual policy certification. It is not a risk assessment. It is tied to a specific regulatory change or trigger event. When an OCC bulletin changes the minimum standards for third-party risk management, a gap assessment compares your current vendor due diligence procedures against those new minimum standards and identifies whether your procedures are sufficient, deficient, or absent.
That specificity is what makes gap assessments valuable to examiners — and what makes most of the assessments we see in the field inadequate. A three-page document titled "Gap Assessment: Third-Party Risk Management" that concludes "our procedures are generally aligned with OCC guidance, with some areas identified for enhancement" is not a gap assessment. It is a summary opinion that tells an examiner nothing about what was compared, when the comparison was done, or what the identified enhancements actually are.
The Four Components Examiners Look For
When we work through what examination-ready gap assessments consistently contain, four elements stand out:
1. Regulatory citation specificity. The assessment should name the specific regulatory source — the bulletin number, the rule reference, the guidance document title and publication date — that triggered the assessment. "OCC Bulletin 2023-17, Third-Party Relationships: Interagency Guidance, issued June 6, 2023" is a specific citation. "Recent OCC third-party guidance" is not. An examiner should be able to pull up the regulatory source you used and verify that your gap analysis addresses the actual requirements, not a summary of them.
2. Policy-to-requirement mapping. For each requirement in the regulatory source that is relevant to your institution, the assessment should identify the specific internal policy or procedure section that is supposed to address it. If the OCC bulletin requires that third-party contracts include provisions for subcontractor oversight, the assessment should identify your vendor contract template and note whether it currently contains such a provision. If it does, the assessment confirms compliance. If it doesn't, the assessment identifies the gap. Either outcome is documented.
3. Severity classification and remediation plan. Gaps should be classified by risk level — typically high/medium/low based on the severity of the regulatory requirement and the magnitude of the current deficiency. For each gap, the assessment should identify the remediation action, the responsible owner, and the target completion date. If remediation has already occurred, the completion date and evidence of completion should be recorded. An open gap list with no owners and no dates tells an examiner your compliance function identified a problem but didn't manage it to resolution.
4. Date and approval trail. The assessment should show who prepared it, when, and who reviewed and approved it. The CCO's name on the signature line, with a date that precedes the exam notice, is meaningful documentation. An undated assessment — or one that was drafted but never formally reviewed — carries much less weight.
When Gap Assessments Should Be Triggered
The most common framing we encounter is that gap assessments are produced during exam prep. That is backwards. A gap assessment produced during exam prep is evidence that your compliance process operates in examination cycles rather than regulatory cycles, which is exactly what an examiner is paid to identify.
Examiner-ready gap assessments are triggered by regulatory events. The practical triggers are:
- Publication of a final rule with an effective date more than 30 days out — trigger a gap assessment timed so that remediation is complete before the effective date
- Publication of a proposed rule or advance notice of proposed rulemaking — trigger an impact analysis that documents how the proposed rule would affect your current policies, preserving your reasoning even if the rule changes before finalization
- Issuance of a regulatory bulletin, guidance letter, or supervisory statement — trigger a gap assessment if the guidance touches any area where your current policy language may not address the highlighted expectations
- Examination findings at peer institutions (published OCC Matters Requiring Attention reports, CFPB supervision reports, FINRA disciplinary releases) — if a peer was cited for a deficiency in an area you are also active in, treat that as a voluntary trigger for your own gap review
We're not saying every regulatory publication requires a formal gap assessment. What we are saying is that the determination of whether a gap assessment is warranted should be made when the regulatory source publishes, not when an examination notice arrives.
The Documentation Problem That Undermines Otherwise Good Processes
Compliance teams at growing financial institutions often do this work informally and competently. The CCO reads a new bulletin, identifies two internal policies that need minor revisions, emails the policy owners, gets the updates done within a week, and moves on. No formal gap assessment exists — but the work was done correctly and on time.
The problem surfaces during examination when the examiner asks to see the gap assessment and there isn't one. The policies are current. The work was done. But without documentation of the process, the examiner can't verify it. The institution has to explain retroactively that yes, the relevant bulletin was identified, yes, the policies were updated, and yes, the updates were implemented before the effective date — but the evidence trail for all of that is scattered across email threads.
A lightweight gap assessment template — a one-page form capturing the regulatory source, the affected policies, the responsible reviewers, the findings, and the completion date — converts informal compliance work into examination-ready documentation without meaningfully adding to the workload. The work was already happening; the documentation just wasn't.
Connecting Gap Assessments to Your Compliance Manual Maintenance Cycle
Gap assessments serve a second function beyond examination preparation: they are a historical record of your compliance manual's evolution. When an examiner asks why a particular policy section was revised, a gap assessment that triggered the revision provides the answer with source citations and dated approval. Over time, a gap assessment archive demonstrates that your compliance manual changes in response to regulatory developments — not just in response to audit findings.
At Pensvyne, every gap assessment we generate is tied to a specific regulatory source and a specific policy section in your library. The assessment record shows the date the regulatory source was identified, the date the gap was reviewed, the outcome of the review, and if a policy update was warranted, the date the update was completed. That audit trail — from bulletin publication to policy amendment — is what makes the difference between a compliance program that holds up under examination and one that looks reactive when the examiner asks how you stay current with the regulatory landscape.
Building that trail prospectively, one regulatory event at a time, is significantly easier than reconstructing it under examination pressure. The gap assessment isn't the burden — the absence of one is.