Operational and strategic risk figure prominently in the Office of the Comptroller of the Currency’s outlook for national banks in the coming year, particularly in areas related to sophisticated technology and fraud/money laundering.
The recently released Semiannual Risk Perspective from OCC’s National Risk Committee provides a detailed narrative about what the regulator has noted, based on banks’ performance through the first half of 2014.
The report also outlines specifically what OCC examiners will focus on in the coming 12 months.
Speaking broadly, the report provides this summary:
“Banks’ operational environments face increasing challenges from the combination of evolving cyber threats and newly identified information technology vulnerabilities. Attackers are demonstrating advanced proficiency in compromising bank employee, third party, and system credentials to gain access, install malicious software, steal sensitive information, and operate inside systems for extended periods without detection. Breaches at nonfinancial firms have resulted in direct and indirect costs to banks. Projects to modernize systems and implement or adapt risk management for new regulatory requirements or evolving risks make expense reduction difficult to achieve without diminishing the quality of control environments.”
Strategic risk priorities
Regarding strategic risk, the report points out:
• Balancing risk and competitive pace. As part of their strategy to deal with competitive pressures and lower overhead expenses, banks are leveraging technology such as cloud computing and mobile banking, which can increase exposure to additional technological risk.
• Challenge of adept money launderers. Bank Secrecy Act and anti-money laundering risks remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud. BSA/AML risk continues to increase because of higher-risk customers and businesses migrating to other banks.
OCC has noted smaller community banks taking on higher-risk relationships even though they may not have the BSA risk management infrastructure in place to manage such risks. In addition, BSA programs at some banks have failed to develop or incorporate appropriate controls as products and services have evolved over time. A lack of resources and expertise devoted to BSA/AML in some banks often compounds these issues.
Operational risk priorities
Regarding operational risk, the report highlights:
• Business models are under increasing pressure as bankers seek to launch new products, use IT automation, reduce staffing, and re-engineer business processes.
• Lack of tech oversight. Banks may not be incorporating cybersecurity considerations into their overall governance, risk management, or strategic planning.
• BYOD raises OCC eyebrows. Banks are increasingly permitting employees and third parties to access their systems from personal devices, such as mobile phones and tablets (“Bring Your Own Device”). These arrangements can create opportunities for credentials to be stolen and for bank systems to be infected with malware. In many instances, banks and third parties do not promptly resolve high-risk vulnerabilities that are identified by detective controls.
As for examiner priorities, the OCC report distinguishes between large bank supervision and community/midsize bank supervision.
Large bank regulation
For large bank supervision, operational risk priorities are as follows:
• OCC watching for follow-through and compliance. OCC supervisory staff will focus on compliance with the foreclosure consent orders, model risk management, third-party risk management, information and cybersecurity and data protection, and change management initiatives. Lapses in controls, operational processes, and oversight, and the resulting effects across a bank’s activities, highlight the interconnectedness of risks and the importance of managing those risks in an integrated fashion throughout the entire bank.
Community bank, midsize bank issues
For community/midsize bank supervision, operational and cyber risk priorities will be as follows:
• Operational risk. OCC supervisory staff will assess the operational risk from banks’ contemplated changes to business models and responses to strategic opportunities, such as the introduction of new or revised business products, processes, or delivery channels. Examiners will focus on all phases of risk management, including planning, due diligence, internal controls, reporting, contract negotiations, and ongoing monitoring. Robust preparation and contingency/resiliency planning for operational or technology disruptions, as well as for natural disasters, remain essential.
• Cyber threats. OCC supervisory staff will review banks’ programs for assessing the evolving threat environment and continuously adjusting controls, as well as for robust vulnerability assessments and timely correction, access management, and incident response programs.