OCC Kills Recovery Planning Requirements for Large Banks: What Risk Managers Need to Know

TL;DR

• The OCC has rescinded 12 CFR 30, Appendix E — eliminating mandatory recovery planning requirements for banks with $100B+ in assets, effective May 1, 2026
• The rule was only 16 months old; banks in the $100B–$250B range were still building out compliance when it got pulled
• Resolution plans (living wills) filed with the FDIC are unaffected — only OCC recovery planning is gone
• Most risk professionals say: keep the plan anyway. Regulators still expect “appropriate risk management processes” even without a specific framework

The OCC just handed large bank risk teams an unusual problem: a mandate that disappears before most of them even finished building it.

On March 31, 2026, Comptroller Jonathan V. Gould signed the final rule rescinding 12 CFR Part 30, Appendix E — the OCC’s Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks. Published in the Federal Register on April 1, the rule is effective May 1, 2026. Gone are the annual board approval requirements, the trigger frameworks, the eight mandatory plan elements, and the annual testing obligation. The OCC’s stated rationale: recovery plans “have not been useful risk management tools for banks.”

If you run risk or compliance at a $100B+ bank, this creates a specific set of decisions — and they can’t wait until May.

What Got Rescinded and What Didn’t

The OCC’s recovery planning rule (12 CFR 30, Appendix E) required affected banks to develop formal recovery plans that could be activated before failure becomes imminent — think: the bank is under stress, but still a going concern. The plan covered how it would rebuild capital, restore liquidity, and reduce risk without requiring a government bailout or resolution.

What is gone as of May 1:

What is NOT affected:

Resolution plans — the “living wills” banks with $250B+ in assets file with the FDIC under Dodd-Frank Section 165(d) — are entirely separate. The FDIC sets those requirements; the OCC was only responsible for recovery planning. If your institution is in scope for IDI resolution planning, that work continues unchanged.

The OCC’s Bulletin 2026-10 lays out exactly which prior guidance is being pulled. No replacement framework, no transition period, no new expectations beyond a vague requirement to maintain “appropriate risk management processes and contingency funding plans to manage stress events.”

Why Now, and Why This Specific Rule?

The short answer: deregulation and Executive Order 14192.

President Trump’s January 2025 executive order requires federal agencies to rescind ten existing regulations for every new rule proposed. The OCC, under Gould, targeted recovery planning specifically because the agency viewed it as duplicative. The OCC’s argument: banks already have resolution planning obligations (FDIC), supervisory stress testing under Dodd-Frank, and existing safety-and-soundness standards. The recovery planning framework added prescriptive overhead without meaningfully changing how banks manage through stress.

The Comptroller put it directly in the OCC news release:

“Recovery planning guidelines that require large banks to engage in prescriptive planning activities do little to improve their ability to manage through stress and distract from the real work of running a safe and sound institution.”

The OCC also cited a conceptual problem with recovery plans: they’re “scenario dependent or otherwise conjectural and, therefore, is likely to be irrelevant or of limited utility when a covered bank faces stress.” In other words, the plans were written against hypothetical scenarios that might not match actual stress events.

This tracks with a broader critique compliance teams have heard internally for years: the plan gets written, approved by the board, and filed on a SharePoint drive — and then nobody uses it when something actually goes wrong.

The OCC’s estimated annual cost savings: approximately $20 million across covered institutions.

The Timing Problem for $100B–$250B Banks

Here’s the particularly awkward situation for banks in the $100B–$250B range. The 2024 Biden-era final rule — which lowered the threshold from $250B back to $100B after the SVB collapse — gave mid-size banks a staggered compliance window:

• Most provisions: 12 months from January 1, 2025 (i.e., deadline January 1, 2026)
• Testing requirement: 24 months from January 1, 2025 (i.e., deadline January 1, 2027)

Translation: banks in the $100B–$250B bucket were midway through building compliance infrastructure for a requirement they’d never had before. Some were still standing up governance frameworks and hadn’t completed their first plan when the OCC pulled the plug. That’s 12 to 18 months of compliance work that technically never needed to happen — though it was never truly wasted.

Any bank that was building out recovery planning capabilities (triggers, governance, testing protocols) now has an asset: a risk management framework that works, even without a regulatory deadline attached to it.

What Examiners Will Still Expect

The OCC isn’t walking away entirely. The agency is explicit that “appropriate risk management processes and contingency funding plans” remain expected — they’re just no longer mandated in a specific format under Appendix E.

What that means in practice: examiners will evaluate recovery readiness through the lens of existing safety-and-soundness standards. Weak liquidity risk management, poor capital contingency planning, or inadequate stress scenario analysis will still generate examination findings. The difference is that examiners can no longer cite Appendix E violation as the basis for a Matter Requiring Attention (MRA) — they’d have to use the broader safety-and-soundness authority.

For institutions that maintained substantive recovery planning programs, the practical difference may be minimal. For institutions that ran thin programs mainly to satisfy the checkbox, this creates real risk: less formal documentation, less board visibility into recovery scenarios, and less internal pressure to stress-test assumptions.

What Your Program Should Do Before May 1

For $100B+ banks with existing recovery plan programs:

1. Inventory what you have. Map the eight elements from Appendix E to the internal documents and processes that support each. Identify what was built specifically for OCC compliance versus what represents genuine risk management value.

2. Get a board decision. The board was required to approve recovery plans annually under Appendix E. With that requirement gone, the governance process needs a new home. The ERM committee or risk committee should formally decide whether to maintain voluntary recovery planning — and document that decision.

3. Clarify the FDIC interface. If your institution also files living wills with the FDIC, evaluate the overlap. Much of the financial analysis from OCC recovery planning — triggers, capital scenarios, liquidity playbooks — feeds into resolution planning anyway. Don’t discard work that still has regulatory utility.

4. Update your regulatory inventory. Any references to 12 CFR 30, Appendix E in your compliance program need to be removed or marked rescinded effective May 1. This includes your regulatory mapping, issue tracking, and examination prep documentation.

5. Keep the plan, lose the mandate. The most defensible position: treat your recovery plan as a voluntary risk management tool with the same rigor as before. Examiners who see a robust, board-approved recovery plan will not question it. Examiners who see a bank that abandoned its recovery program entirely may view that as a safety-and-soundness concern regardless of the regulatory change.

For $100B–$250B banks that were mid-implementation:

If you weren’t yet fully compliant with Appendix E (which was plausible given the staggered timeline), you’re off the hook on completion. But the compliance infrastructure you built — trigger frameworks, escalation procedures, board governance templates — has real value. Don’t delete it. Repurpose it into your existing ERM framework.

The Broader Deregulatory Context

Recovery planning isn’t the only thing changing in 2026. The OCC under Gould has been active on multiple fronts — rescinding Biden-era guidance, reorganizing supervisory priorities, and signaling a more principles-based approach to bank supervision.

This doesn’t mean examiners are becoming lenient. It means they’re shifting from “did you follow the prescribed format?” to “can you demonstrate you manage risk effectively?” That’s actually harder in some ways — you lose the predictability of a checklist, and you get examined against a standard that’s more subjective and context-dependent.

For risk management programs built around genuine risk identification and mitigation — not box-checking — this shift is favorable. For programs that optimized for regulatory compliance with thin underlying substance, it’s a wake-up call.

The FFIEC’s interagency business continuity management guidance remains in effect. The FFIEC BCM requirements cover a broader set of operational resilience expectations that aren’t going anywhere. And business continuity planning for financial services remains a core supervisory expectation across all agencies.

The practical message for bank risk teams: regulatory requirements are fluid, but sound risk management isn’t. Build for the risk, not for the regulation.

What This Means for Contingency Funding Plans

One explicit expectation that survives the rescission: contingency funding plans (CFPs). The OCC specifically carved out CFPs as a remaining expectation even without Appendix E. If your institution’s CFP lived inside your recovery plan, it now needs a standalone home.

CFPs address how a bank accesses liquidity during stress — alternative funding sources, liquidity buffers, draw-down strategies. They were a key component of recovery plans under Appendix E and were separately required under existing OCC and FFIEC liquidity risk guidance. Regulatory requirements around contingency funding plans remain fully intact — make sure your CFP is documented, tested, and can stand on its own without being embedded in a recovery plan document.

Bottom Line

The OCC’s rescission of 12 CFR 30, Appendix E creates a compliance event and a risk management decision point. The compliance part is mechanical: update your regulatory inventory, revise governance documentation, and make sure your teams know the mandate is gone. The risk management part is harder: decide whether to maintain the capabilities you built, and make that decision deliberately rather than by default.

The examiners aren’t leaving the building. They’re just evaluating you against a different standard.

Rebuilding your enterprise risk management framework after a regulatory change? The Enterprise Risk Management Framework includes board-ready governance templates, scenario planning tools, and a risk taxonomy built for financial services institutions navigating exactly these kinds of transitions.