📄 Template ✨ Updated May 2026

RCSA (Risk & Control Self-Assessment)

141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.

$69
🔒 Secure Checkout 📬 Emailed Access Link 📝 Fully Editable ✅ 30-Day Money-Back Guarantee

Delivered immediately after checkout — your template and guide links are emailed to you with your receipt.

Used by compliance teams at banks, fintechs, and asset managers

Quick buying summary

What you get and when you can use it

Good fit if
You're building a risk program and need to show your control environment
Format
Editable workbook plus PDF/supporting guide materials where included. Instant download after checkout.
Time to value
Start reviewing, editing, and assigning owners the same day; customize to your organization before sharing outputs externally.
After purchase
After checkout, your templates and guides are available immediately and the download link is sent to your email with your Stripe receipt. No account required.

What's included

  • 141 pre-populated risk assessments
  • Control effectiveness scoring
  • Self-assessment questionnaire framework
  • Control testing calendar
  • Guide for teams with no existing controls
  • RCSA cycle implementation in 30 days

Use rights: customize for internal business use and use outputs with your auditors, customers, bank partners, and regulators. Do not resell or redistribute the template files.

Preview

See what the template covers

RCSA benefits explained — what each one actually means for your risk program

RCSA approach selection guide — 1LOD, 2LOD, and Joint models by function and risk type

How RCSA connects to your Risk Register and KRI Library — the risk program ecosystem

When control failures make the news

These aren't hypothetical control gaps. They happened at real institutions, were uncovered by regulators, and ended in headline-grabbing penalties. Each one is the kind of finding an honest RCSA — one that scores effectiveness, not just existence — would have surfaced years before the consent order arrived. Your examiner, bank partner, and board read these the same way you should: as evidence that documented controls are not the same as working controls.

October 2024

TD Bank — $3.1B Historic AML Settlement

TD Bank pleaded guilty to conspiracy to commit money laundering — the largest US bank ever to do so. From 2014 to 2023, executives prioritized the bank's "flat cost paradigm" over an adequate AML program. Transaction monitoring intentionally excluded all domestic ACH and most check activity.

Why it matters: Documented controls are not effective controls. TD's AML monitoring existed on paper but excluded 92% of transactions by design. The RCSA effectiveness scoring rubric — "does it work," not "do we have it" — and the testing calendar by risk tier are built to surface gaps like this.

August 2020

Capital One — $80M OCC Penalty for Failed Risk Assessment

OCC fined Capital One $80M for "failure to establish effective risk assessment processes" before its 2015 cloud migration. Capital One didn't implement effective network controls, DLP, or alerts. In 2019, a former AWS employee exploited a misconfigured firewall and posted ~30GB of card application data on GitHub.

Why it matters: A new operating environment is a control environment reset. The OCC's exact language — "failure to establish effective risk assessment processes" — is RCSA-speak. The template's chapter on running an assessment without existing controls documentation is built for exactly this scenario.

October 2020

Citigroup — $400M OCC Penalty for ERM Failures

OCC fined Citibank $400M for "long-standing failure" in enterprise risk management, compliance, data governance, and internal controls. Risk management policies failed to identify, measure, and control risks across the enterprise. Board and senior management oversight was inadequate.

Why it matters: Inadequate board reporting on control effectiveness is itself a control failure. The OCC explicitly cited that "inadequate reporting hinder[ed] effective oversight." The RCSA Results Dashboard and Board Report tab translate assessment output into the heat map a board can act on.

If you're reading this trying to make sure your control environment doesn't end up as someone else's case study — that's exactly what RCSA is for. Here's what you'd recognize:

Good fit if any of these sound familiar

Your bank partner just asked for your RCSA — and the only documentation you have is a Risk Register that doesn't answer "are your controls actually working?"

A Risk Register lists risks. An RCSA evaluates whether your controls are working against those risks. This kit gives you the 141 pre-populated risk-control mappings, the effectiveness scoring rubric, and the questionnaire framework — what your bank partner actually wants to see.

Your last exam came back with a finding citing "inadequate risk assessment processes" — and you don't know where to start.

"Risk assessment process" is examiner shorthand for "we don't see evidence you've evaluated your controls against your risks." The 30-day RCSA cycle in this kit is built around answering exactly that — including a chapter on running your first cycle when you have no existing controls inventory.

Your business line owners are supposed to self-assess controls every year — but the forms are 80 questions of jargon and nobody fills them out.

The questionnaire framework in this kit is designed for non-risk people. Each question includes context explaining why it matters, examples of strong vs. weak controls, and a plain-English scoring rubric. Business line owners complete their section in under an hour.


Updated for the 2024–2026 enforcement focus on control effectiveness

TD Bank pleaded guilty to AML conspiracy in October 2024 — a $3.1B settlement — because controls existed on paper but excluded 92% of transaction volume. Citigroup's 2020 $400M OCC penalty was extended in July 2024 with another $75M for failure to remediate. The OCC, Fed, and FDIC are no longer accepting "we have a control" as the answer; they want "we tested it, and here's the evidence." Bank partners now require RCSA documentation as a standard precondition for fintech onboarding and renewal. This kit reflects that shift — control effectiveness scoring with evidence requirements, evidence-based questionnaires, and a testing calendar with frequencies mapped to risk tiers.

Where this fits in your risk program

  • If you have a Risk Register but can't answer "are your controls effective?" — this completes the picture. The 141 pre-populated assessments map directly to the same risk taxonomy as our Risk Register, so the two work together seamlessly.
  • If you're building from scratch — start here. The 141 risks across 21 categories give you a defensible inventory; the questionnaire framework gives your business owners a way to fill it out without a risk background.
  • If you're preparing for an exam — bring the Risk and Control Inventory, the effectiveness ratings, the testing calendar, and the board reporting tab. That's the package examiners and bank partners want to see.
  • If you're replacing a broken process — the 1LOD/2LOD/Joint approach selection lets you redesign who owns what, and the questionnaire framework replaces the 80-question jargon form your business owners refuse to fill out.

What this is not

  • Not a replacement for a Chief Risk Officer or 2LOD review function — this is the toolkit they use, not a substitute for the role.
  • Not a software platform — Excel + PDF templates, not a SaaS GRC tool.
  • Not a Risk Register — a Risk Register lists risks; an RCSA evaluates whether controls work against them. They're complementary (and we offer the Risk Register as a free download).
  • Not theoretical — pre-populated with 141 risks, scoring rubrics, and a 30-day implementation plan you can run on a real cycle this quarter.

What this saves you

Building a defensible RCSA program from scratch typically takes:

Task a practitioner would do from scratch | Hours
Read COSO Internal Controls + ERM frameworks, FFIEC operational risk handbook, OCC heightened standards | 25–35
Build risk-and-control inventory across 21 risk categories with 100+ risk-control mappings | 30–45
Develop control effectiveness scoring rubric with evidence requirements | 15–25
Design questionnaire framework non-risk owners can actually use | 15–20
Build control testing calendar with frequencies by risk tier | 10–15
Develop dashboard and board-reporting tab | 10–20
Total practitioner time | 105–160 hours

At typical loaded compliance/risk rates ($100–150/hr), that's $10,500–24,000 of internal time. The $69 kit replaces the research and template construction phase, so your team can spend their time on what only they can do — applying it to your specific business.

How to roll this out in 30 days

Most RCSA programs fail because they're built by compliance and never owned by the business. The 30-day rollout below puts business line owners at the center.

  1. Week 1

    Setup, scoping, and approach selection

    Choose your 1LOD/2LOD/Joint approach by function and risk type. Scope your business lines, identify owners per risk category, communicate the cycle timeline. Output: signed scoping document with risk categories in play and accountable owners.

  2. Week 2

    Self-assessments with business line owners

    Each business owner completes their section of the questionnaire using the 141 pre-populated risks as the starting point. Each question has plain-English context and scoring rubric so risk background isn't required. Output: completed self-assessments with control effectiveness ratings by area.

  3. Week 3

    2LOD challenge and effectiveness scoring

    Risk function challenges the self-assessments with evidence requests, finalizes control effectiveness ratings, identifies gaps, and prioritizes remediation. Output: residual risk view with prioritized remediation actions and assigned owners.

  4. Week 4

    Dashboard, board reporting, action item tracker

    Populate the RCSA Results Dashboard, format the quarterly Board Report tab, log action items with deadlines and owners. Outcome: a defensible RCSA your examiner, bank partner, and board can review with confidence — and a baseline you can re-run next cycle.

📄 Full playbook in the PDF guide: The complete rollout including workshop agendas, sample messaging to business owners, and the board-meeting brief format is in the 34-page guide that comes with the template.

Aligned with the 2024–2026 control-effectiveness enforcement landscape

Every section cites its regulatory or framework source so examiners and bank partners get traceable answers when they ask "where did this requirement come from?":

  • COSO Internal Controls — Integrated Framework
  • COSO Enterprise Risk Management — Integrating with Strategy and Performance
  • OCC heightened standards (12 CFR 30 Appendix D)
  • FFIEC IT Examination Handbook (Management and Operations booklets)
  • OCC Bulletin 2023-17 (interagency third-party risk management)
  • Basel Committee Principles for Sound Management of Operational Risk
  • ISO 31000 Risk Management
  • NYDFS Part 500 (control effectiveness assessment for cybersecurity)

Used by risk and compliance teams at fintechs, community banks, BaaS sponsors, and credit unions to run defensible RCSA cycles their bank partners and examiners accept.

Last updated: May 2, 2026


30-Day Money-Back Guarantee

If this template doesn't meet your expectations, email us within 30 days for a full refund. No questions asked.

Template guide

RCSA Template Guide

A practical guide to building an RCSA template: risk statements, controls, testing evidence, ratings, owners, issues, and reporting outputs.


Usage, access, and purchase details

Can my team customize it?

Yes. The template is intended to be edited for your internal business use and adapted to your controls, owners, products, vendors, and evidence.

Can I share outputs externally?

Yes. You can use completed outputs with auditors, customers, bank partners, regulators, and internal stakeholders. Do not resell or redistribute the source template files.

How do I receive it?

Checkout is handled through Stripe. After purchase, you receive the template and guide download link immediately on the confirmation page and by email, along with your Stripe receipt. No account is required.

What if it is not a fit?

Email within 30 days for a refund. The guarantee is meant to remove purchase risk while you evaluate whether the template fits your use case.

Frequently Asked Questions

How are the 141 risk assessments organized?

They're grouped by the same 21 risk categories used in our Risk Register — credit, compliance, cyber, vendor, model risk, etc. Each assessment includes a risk description, control mapping, effectiveness rating, and residual risk score. If you're already using the Risk Register, the risk IDs map directly.

Do I need existing controls documentation to use this?

No — the guide includes a dedicated chapter on running your first RCSA when you have no existing controls inventory. It walks you through documenting controls as you discover them during the assessment process, so the RCSA itself becomes your first controls inventory.

What's the difference between this and a Risk Register?

A Risk Register lists your risks. An RCSA evaluates whether your controls are actually working against those risks. Think of the Risk Register as "what could go wrong" and the RCSA as "are we doing enough about it." They're complementary — most mature programs have both.

Can business line owners fill this out without a risk background?

Yes — the questionnaire framework is designed for non-risk people. Each question includes context explaining why it matters, examples of good vs. weak controls, and a plain-English scoring rubric. You send it to a business line owner, they fill it out, you review the results.

How long does the first RCSA cycle take?

The guide includes a 30-day implementation plan. Most teams spend week 1 on setup and scoping, weeks 2–3 on assessments with business line owners, and week 4 on analysis and reporting. After the first cycle, subsequent cycles are faster because you're updating rather than building from scratch.

How does this connect to KRIs and the ERMF?

The RCSA results feed directly into your KRI thresholds (if a control is rated weak, the related KRI threshold should be tighter) and your ERMF reporting (the RCSA provides the control environment view your board needs). All three products use the same risk taxonomy for seamless integration.

Not ready to buy?

Try our free Risk Register first — no payment required.


Related Products

Enterprise Risk Management Framework (ERMF) — Template, $79
Complete ERM documentation: risk appetite, 3 Lines of Defense, committee charter, and board reporting.

KRI Library (132 Key Risk Indicators) — Template, $49
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

Risk Register — Fintech Edition — Free
141 pre-populated fintech risks across 21 categories. ISO 31000 structure. Ready to use in a week.

Ready to Get Started?

Get the RCSA (Risk & Control Self-Assessment) and start building a defensible risk program today.
