The economy may be speeding along in top form, and the stock market is definitely booming. All that good news, however, doesn’t mean that the specter of risk is off the table for financial institutions.
This week, the Office of the Comptroller of the Currency (OCC) reported that credit, operational, and compliance risks are key concerns for the federal banking system in its Semiannual Risk Perspective for Fall 2017.
“The credit environment continues to be influenced by aggressive competition, tighter spreads, and slowing loan growth. These factors are driving incremental easing in underwriting practices and increasing concentrations in select loan portfolios—leading to heightened risk if the economy weakens or markets tighten quickly,” the agency says.
Operational risk, it adds, continues to challenge banks because of the increasing complexity of cybersecurity threats, use of third-party service providers, and increasing concentrations in third-party service providers for some critical operations. Compliance risk also remains elevated as banks continue to manage money laundering risks, as well as consumer compliance risks, particularly due to the increasing complexity in consumer compliance regulations.
Banks continue to face competitive pressure to increase lending, enhance efficiencies, innovate products and services, embrace new technologies, or merge with another institution. Key risks that raise concerns about credit, operational, and compliance risks include:
• incremental easing in commercial credit underwriting practices;
• increasing complexity of cybersecurity threats;
• increasing concentrations in third-party service providers for some critical operations;
• ongoing challenges in complying with Bank Secrecy Act (BSA) requirements; and
• challenges in consumer compliance risk management for banks due to the increasing complexity in consumer compliance regulations.
Key risk themes
Asset quality remains strong, and overall underwriting is acceptable, the OCC report says. Nonetheless, the credit environment continues to be influenced by strong competition, tighter spreads, and slowing loan growth. The credit market continues to be influenced by competition, particularly from non-bank lenders, and heightened asset valuations. “In this environment, lenders need to focus on maintaining sound credit standards within risk tolerances and understanding the potential credit risks that may be exposed under less benign economic conditions,” the report says.
Operational risk remains elevated as banks adapt business models, transform technology and operating processes, and respond to increasing cybersecurity threats.
“The speed and sophistication of cybersecurity threats are increasing,” the report says. “Banks continually face threats seeking to exploit bank personnel, processes, and technology. These threats target large quantities of personally identifiable information and proprietary intellectual property and facilitate fraud and misappropriation of funds at the retail and wholesale levels.”
Phishing, the OCC says, is a primary method for breaching data systems and often leads to other malicious activity, such as installing ransomware, compromising internal systems to effect payments, or conducting espionage. “Effective user awareness campaigns and training help prevent phishing attacks,” is the advice given. “Timely and thorough software patch and system update management, strong risk-based authentication, employee training, and effective network segmentation can prevent further damage if intrusions succeed.”
Also noted: the number, nature, and complexity of third-party relationships continue to expand, increasing risk management challenges for banks.
“Financial technology companies providing innovative financial products and services introduce opportunities, as well as potential risk, for banks,” the OCC says. “Consolidation among larger service providers has increased third-party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Operational events at these larger service providers can potentially affect wide segments of the financial industry.”
Insufficient monitoring and limited internal testing, it says, have failed to detect product and service delivery disruptions, resulting in slowed responses by banks and prolonged impact to customers. This condition is especially true of banks with legacy or disparate management information systems and risk management programs that may be ineffective.
Also, compliance risk remains elevated as banks continue to manage money laundering risks in an increasingly complex risk environment. Implementing changes to policies and procedures to comply with amended consumer protection requirements tests bank compliance risk and change management processes.
“The challenge for banks to comply with BSA requirements persists due to dynamism of money laundering and terrorism-financing methods. Also, bank offerings using new or evolving delivery channels may increase customer convenience and access to financial products and services, but banks need to maintain a focus on refining or updating BSA compliance programs to address any vulnerabilities created by these new offerings, which criminals can exploit,” the report says. “In addition, BSA and anti-money laundering compliance risk management systems may not keep pace with evolving risks, constraints on resources, changes in business models, and an increasingly complex risk environment.”
Also, new and amended regulations strain bank change management processes and compliance management systems, which increases operational, compliance, and reputation risks. These changes include the integrated mortgage disclosures under the Truth in Lending Act and the Real Estate Settlement Procedures Act, as well as the new requirements under the amended regulations implementing the HMDA and the MLA.