As banks seek to close the profitability gap created by a lingering low-interest-rate environment and offer new products and services to customers, they face heightened operational and compliance risks. Cyber-security, anti-money-laundering controls, and comprehensive new mortgage lending requirements are top concerns that examiners will be looking at in the year ahead, according to the Office of the Comptroller of the Currency in its latest “Semiannual Risk Perspective.”
Among the risks highlighted in the report:
Evolving cyber-threats and information technology vulnerabilities require heightened awareness and appropriate controls.
Against the backdrop of low interest rates, many banks continue to re-evaluate their business models and risk appetites to generate returns.
Competition for limited lending opportunities is resulting in loosening underwriting standards.
Weaknesses and gaps within governance and enterprise risk management practices keep banks from fully aligning with the heightened standards.
The high volume and frequency of changes to information systems made to address regulatory requirements, enhance risk monitoring and reporting, and update compliance systems.
Banks are taking on additional risks by expanding into new, less familiar, or higher-risk products without adequate due diligence or appropriate risk management and controls.
Banks are leveraging technology such as cloud computing and mobile banking, which can increase exposure to technological and operational risk.
Management succession planning, attracting appropriate expertise, and retaining key experienced personnel are growing issues, particularly in the areas of credit, Bank Secrecy Act and anti-money laundering, compliance management, enterprise risk management, and internal audit.
The number, nature, and complexity of domestic and foreign third-party relationships continue to expand, increasing complexity, concentration, and risk management challenges.
Compliance risk is cited as a top concern as banks manage Bank Secrecy Act/anti-money laundering risks and implement the significant changes to policies and procedures that are needed to comply with new mortgage lending requirements.
BSA/AML risks will escalate as technological developments that benefit customers through enhanced products and greater access to financial services are vulnerable to criminals who continue to exploit those innovations, the OCC warns. It notes that programs at some banks have failed to develop or incorporate appropriate controls as products and services have evolved, and insufficient resources and expertise have been devoted to BSA/AML in some banks. As risks increase, banks must properly manage them by assessing customers, especially high-risk ones, on a case-by-case basis and instituting commensurate controls.
The use of third parties to conduct consumer credit-related product development, implementation, and fulfillment can substantially increase the risk of unfair or deceptive practices, the report adds. In recent years, a number of banks that failed to exercise adequate risk management and controls when developing and offering various add-on products to customers have been the subject of OCC enforcement actions and triggered violations of the Federal Trade Commission Act.
In lockstep with these heightened risks and compliance concerns, the OCC report details what banks can expect regarding examination priorities for the next 12 months. Supervisory staff will review business model and strategy changes, bank governance, and risk management practices, with a focus on identifying substantive gaps in relation to the guidelines for heightened standards. Examiners will also focus on commercial and retail credit underwriting practices, especially for leveraged loans and indirect auto loans.
OCC supervisory staff will coordinate with the Consumer Financial Protection Bureau to determine compliance with consumer laws, regulations, and guidance. Also expect reviews of banks’ programs for assessing, mitigating, and recovering from cyber-attacks and related threats. These reviews will include assessments of data and network protection practices, business continuity practices, risks from vendors, and compliance with any new guidance.