OCC, FDIC, and state-level financial-services examiners increasingly include digital access in their consumer compliance review. The phrasing varies — "describe your program for ensuring online services are accessible to consumers with disabilities," "what monitoring is in place," "what is your remediation cadence" — but the underlying request is the same: show us the program.
This post is what we typically see examiners ask, what artifacts satisfy the question, and what FIs typically don't have ready.
The questions you should expect
Common phrasings, in approximate order of frequency:
- "Do you have a written digital accessibility policy?" A short policy document stating your standard (typically WCAG 2.1 AA), your monitoring cadence, your remediation timelines, and the responsible parties.
- "How do you monitor your public-facing websites for accessibility?" What tooling, what cadence, who reviews the output, where it's logged.
- "What's your remediation timeline for identified issues?" How quickly issues get fixed once found, by severity. Standard practice: critical issues within 30 days, others within 90.
- "When was your last manual accessibility audit?" Examiners want to see that automated monitoring is paired with periodic manual review.
- "Show us recent audit logs." They want to see the actual artifacts, not just the policy.
The artifact set you want ready
1. Policy document (1–2 pages)
A simple written policy stating:
- The standard (WCAG 2.1 AA)
- Scope (public-facing websites)
- Monitoring cadence (continuous automated + annual or biannual manual)
- Remediation timelines by severity
- Responsible parties (web team, marketing, compliance)
- Review and update cadence (annual)
Most banks don't have this written down. It's a one-day project to produce.
2. Monitoring evidence
This is what most FIs lack. Examiners want to see actual scan reports, ideally over time.
SEO Score API produces timestamped, exportable audit logs that satisfy this directly. Other tools produce similar artifacts. The point isn't which tool — it's having the artifact.
3. Remediation log
A log of issues found, when found, when remediated, by whom. Spreadsheet is fine; ticketing system (Jira, ServiceNow) is better. The format matters less than the discipline of maintaining it.
4. Manual audit records
Copies of any external accessibility audits performed, with dates, scope, findings, and remediation outcomes. If you've never had a manual audit, that itself is an answer (and the program is incomplete).
5. Vendor documentation
If you use third-party widgets (chat, branch locators, calculators, accessibility platforms), documentation of the vendor's accessibility posture. VPATs (Voluntary Product Accessibility Templates) from each vendor.
What examiners typically find missing
Across a few dozen FI examiner-prep conversations we've seen referenced:
- No written policy (or policy that hasn't been updated since 2018).
- No continuous monitoring. Some FIs have a single-snapshot scan from when they thought about accessibility two years ago and nothing since.
- No remediation log. Issues are sometimes found and sometimes fixed but the "when, by whom" isn't documented.
- No manual audit cadence. Either no manual audit ever, or one done years ago.
- Inaccessible disclosure PDFs. Truth in Savings, Truth in Lending, fee schedules — examiners look at these specifically.
- No vendor documentation. Banks use multiple third-party widgets without ever asking for VPATs.
What "good" looks like
A typical satisfactory accessibility program at examination:
- Policy: 1–2 page written document, dated within the last 12 months, approved by compliance and the responsible business owner.
- Monitoring: continuous automated scanning of all public-facing pages, weekly review, dashboard or report shared monthly with compliance.
- Manual audit: external audit within the last 24 months, with documented remediation against findings.
- Remediation log: ticketing-system records of every issue found and resolved over the last 12+ months, with clear severity tagging and timeline.
- Vendor documentation: VPATs on file for each material third-party widget.
- Disclosure PDFs: tagged, accessible, periodically reviewed.
Most FIs have one or two of these. Few have all six.
How automated monitoring helps specifically
A continuous scanner produces three artifacts examiners value:
- The scan reports themselves — dated, repeatable, comparable over time.
- The trend line — accessibility score over time, showing improvement (or regression).
- The audit log — every URL scanned, every score, every issue found.
SEO Score API's financial services vertical produces exactly this artifact set. The audit log is exportable as CSV; the trend data is queryable via API.
The 90-day plan for an FI without a program today
If you're reading this and realizing you don't have most of the above:
Week 1: write the policy document. Get it approved.
Week 2: stand up continuous monitoring. The technical lift is low — a few hours of integration work. Try a free scan to start.
Weeks 3–6: triage the initial scan results. Categorize by severity. Build a remediation backlog.
Weeks 7–12: work the backlog. Remediate the critical findings. Document each fix in your tracking system.
Quarter 2: schedule the first external manual audit. Most accessibility consultants book 6–12 weeks out, so plan ahead.
This isn't a 12-month transformation. The artifact set examiners want can be in place within 90 days for a typical community FI.
What about the small institution where the marketing team doubles as IT?
The pattern still applies. The artifact set scales down: a one-page policy, a free or low-cost scanning tool, a shared spreadsheet for remediation tracking, and an annual external audit (~$5K for a small site). Not glamorous, but defensible.
Will examiners cite us if we don't have a program?
Citation practice varies by examiner and by examination cycle. The risk isn't usually a formal citation — it's an MRA (matter requiring attention) or examiner expectation set for the next cycle. Either compounds into supervisory concern over time.
The more important risk is the parallel one: ADA Title III demand-letter exposure. The artifact set examiners want and the artifact set defense counsel wants are nearly identical.