Supervisory Burden, Reform, and the True Cost of Core Conversions
Community & regional banks exist in a paradox. Regulators want them to modernize, innovate, and remain competitive. But the supervisory framework those same regulators administer can make modernization feel like a risk not worth taking. Core conversions, the single most impactful step a community bank can take to upgrade its technology foundation, are routinely deferred or abandoned not because the business case is weak, but because the regulatory burden, combined with provider-imposed costs, makes the math untenable. In this eighth installment of our series on the OCC’s Request for Information (RFI), I examine how supervisory practices contribute to this inertia, what reform could look like, and the full cost picture that community banks navigate when contemplating a conversion.
When does regulatory guidance become a barrier? The interagency Third-Party Risk Management (TPRM) Guidance and the OCC’s companion Guide for Community Banks are meant to be principles-based tools and flexible frameworks that banks can adapt according to their size, complexity, and risk profile. In practice, the experience on the ground often diverges from that intent. Community banks consistently report that examiners apply the guidance prescriptively, treating it as a checklist rather than a risk-based framework. A bank with a single critical core service provider (CSP) relationship and a handful of lower-risk vendors may face the same documentation expectations as a regional institution with dozens of complex third-party arrangements.
This manifests in several ways. Banks describe being cited for incomplete documentation on low-risk relationships that pose no meaningful threat to safety and soundness. They report examiner insistence on enterprise-level governance structures (dedicated committees, board-level reporting on every vendor) that are disproportionate to their scale. And during core conversions, the scrutiny intensifies: detailed transition plans, exhaustive risk assessments, contingency testing, and iterative reviews that can extend project timelines by six to twelve months and inflate costs. The guidance says, “tailor to your risk.” The examination experience often says, “do everything.”
The downstream effect is a culture of caution that borders on paralysis. Banks tell us they defer modernization for two or three years, not because the technology is not ready or the business case is not clear, but because they fear the supervisory consequences of a conversion that encounters problems. This is the regulatory paradox: the framework designed to ensure sound risk management ends up discouraging the very changes that would improve a bank’s risk posture and competitive position.
What is the true cost of staying or switching? Core conversion costs are substantial and multidimensional. According to the Federal Reserve Bank of Kansas City, full core conversions can take several years and cost millions of dollars depending on the size and complexity of the institution, with some industry experts likening the process to “open heart surgery.” Even smaller community banks can expect costs in the millions, encompassing deconversion fees, early termination penalties, legacy data extraction charges, implementation consulting, staff training, and operational downtime. Provider-imposed costs (deconversion fees, termination penalties, and data export charges) represent the largest share of total expenses and have been rising sharply, with legacy data conversion fees in particular increasing by a large margin in recent years according to industry advisors.
But the cost of not converting is equally real, if less visible. According to the Federal Reserve Bank of Kansas City, many depository institutions still use legacy core systems up to 40 years old, coded in outdated programming languages, and ICBA’s Independent Banker notes it is “not uncommon for banks to remain on the same core system for decades.” These banks face steadily rising maintenance fees under their contracts; banking law firms Godfrey & Kahn and BFKN confirm that annual fee increases are standard and escalation caps must be actively negotiated. As the OCC’s own RFI acknowledges, bundled products raise fees for services banks may not need. The 2021 CSBS National Survey found that many banks want to implement third-party fintech solutions but find the cost to interface with their core system prohibitive without sufficient scale. A 2023 study by IDC and Episode Six estimated that outdated technology cost banks more than $36 billion in 2022 and could exceed $57 billion by 2028. Over a ten-year horizon, the cost of inaction frequently exceeds the cost of conversion, but the conversion cost is concentrated and visible, while the inaction cost is diffuse and easy to defer.
Provider contracting practices compound the problem. Contract terms have lengthened, with some banks locked into seven- to ten-year agreements. Deconversion fees are designed to deter switching. And billing complexity, such as statements spanning dozens of pages with cryptic line items, means banks may not fully understand what they are paying for, let alone whether they are being overcharged. As the RFI notes, the OCC considers billing for a service an inherent component of performing a bank service, potentially subject to supervision. The prevalence of billing errors reported by many banks underscores how much room exists for improvement.
The OCC has already signaled a commitment to reducing community bank burden, through BSA/AML tailoring, streamlined licensing, and the discontinuation of redundant data collections. The TPRM framework is the next logical frontier. Reform does not mean abandoning safety and soundness. It means making the guidance work the way it was intended, as a scalable, risk-based tool rather than a uniform compliance obligation.
CCG Catalyst recommends the OCC should:
On costs, the regulator should encourage transparency through the provider database and registry proposals discussed in our previous installment. Anonymized benchmarks on conversion costs, fee structures, and billing error rates would give banks the data they need to negotiate effectively and plan realistically. The regulator could also explore whether targeted regulatory relief, such as reduced capital treatment or streamlined approvals for well-capitalized banks undertaking conversions, could offset the financial burden that keeps too many institutions tethered to outdated technology.
What’s the bottom line? Banks cannot modernize if the regulatory framework punishes them for trying. The TPRM Guidance is a good framework applied inconsistently; core conversions are sound business decisions made prohibitively expensive by provider practices and supervisory friction. The OCC, FDIC and FRB have the authority and the stated intent to fix both problems. What is needed now is follow-through: proportionate guidance, safe harbors that give banks confidence to act, examiner consistency, and direct oversight of the provider practices that inflate costs and entrench dependency. The banks that serve Main Street deserve a regulatory environment that helps them compete, not one that holds them in place.
Stay tuned for the final installment in our series: Billing Practices, Industry Dialogue, And The Path Forward.