The Office of the Comptroller of the Currency has released its “Semiannual Risk Perspective for Fall 2018,” a look at the operational, compliance, and interest rate risks likely to present themselves as banking concerns.
The OCC’s National Risk Committee monitors the condition of the federal banking system and identifies key risks. It also monitors emerging threats to the system’s safety and soundness and ability to provide fair access to financial services and treat customers fairly.
NRC members include senior agency officials who supervise banks of all sizes, as well as officials from the policy units. The committee meets quarterly and issues guidance to examiners that provides perspective on industry trends and highlights issues requiring attention.
The resulting report covers risks facing national banks and federal savings associations based on data as of June 30, 2018. It focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended as a resource to the industry, examiners, and the public.
A note of optimism: Recent examination findings indicate incremental improvement in banks’ overall risk management practices. Nevertheless, there are plenty of concerns and threats detailed in the Dec. 3 report.
- Credit quality remains strong, but the OCC is monitoring the origination quality of new loans, the potential for increased lender complacency within credit risk identification and management, and the potential embedded risks from successive years of eased underwriting.
- Operational risk is elevated as banks respond to an evolving and increasingly complex operating environment.
- Compliance risk is elevated as banks manage money laundering risks and comply with amended consumer protection requirements.
- Rising interest rates and increased competition for deposits may result in changes in funding mix or costs.
The report also highlights the emerging risk posed by the growth in non-financial corporate debt. Challenges include strong competitive pressures from banks and non-banks, significant growth in non-financial corporate debt, eased loan underwriting standards, particularly in leveraged loans, increasing interest rates, and rapid technological innovation.
The OCC noted that “a substantial and increasing volume of credit is handled by non-banks.” In addition, the implementation of the current expected credit losses (CECL) standard, the likely alternative reference rate reform, and innovation in financial services pose potential operational and strategic risks for banks.
CECL implementation, it added, may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.
“Bank management should understand and manage potential linkages between banks and the broader financial system and the potential implications for the banks’ credit risk,” the report advises.
New tech, new concerns
In terms of technological disruption, it was observed that the financial services sector continues to experience rapid growth in financial technology (FinTech), which provides products and services to customers, and regulatory technology (RegTech).
“While evolving technologies can benefit banks and their customers, they also can disrupt bank business models and pose risks in many of the same areas already discussed,” the risk report says.
Advances in technology, such as online banking, mobile banking, and the acceleration of FinTech, have made it easier to move money, potentially causing depositors to switch financial institutions or switch to non-bank competitors. Banks may experience unexpected shifts in liability mix or increasing costs that could reduce earnings or increase liquidity risk.
Similarly, operational risk is elevated as banks respond to an evolving and increasingly complex operating environment. Cyber-security, for example, continues to be a key operational risk, especially given the continually evolving threat landscape.
Fair lending risk may increase as banks attempt to increase the efficiency and effectiveness of underwriting through the use of artificial intelligence or alternative data. “Banks should understand and monitor underwriting and pricing models to identify any potential disparate impact and other fair lending issues,” the OCC says. “In addition, new technology and systems for evaluating and determining creditworthiness, such as artificial intelligence and machine learning, add complexity while sometimes limiting transparency, and bank management should understand and be able to explain and defend model decisions.”
Additional factors contributing to elevated operational risk are the expected increase in mergers and acquisitions activity as well as rising trends in fraud and attempted fraud. Operational disruptions underscore the need for effective change management when implementing new products, services, and emerging technologies.
Compliance risk also “remains elevated as banks seek to manage money-laundering risks in a complex, dynamic operating, and regulatory environment.”
The report notes that “the adoption of new technologies,” and implementing changes to policies and procedures to comply with amended consumer protection requirements, are challenging banks’ compliance risk management processes.
The report notes, with some alarm, that the “use of third-party service providers is Increasing, and critical operations are increasingly concentrated in a few large service providers.”
“Banks rely heavily on third-party service providers for technology and other solutions to enable more efficient and effective operations and deliver innovative products. Risks and any resultant operational events, if not properly managed by the service providers and their clients, could have a systemic impact on the financial services industry,” it says.
Potential good news: While the reliance on third-party service providers is increasing, “the control systems at these service providers are generally effective.” Nevertheless, reliance by banks of all sizes on third-party service providers for payments, transaction processing, maintaining customers’ sensitive information, and other critical functions can result in more complex risk.
Amid banks’ increased focus on third-party risk management in recent years, the report notes that “effective due diligence is essential,” especially for risks associated with the use of third-party service providers for critical services and implementation of new products and services offered through emerging firms that leverage innovative technologies and delivery channels.
“Banks depend on a limited number of third-party service providers for specialized products and services,” the report adds. “The use of these service providers has made it easier for community banks to remain competitive. On the other hand, increased reliance on a limited number of entities creates concentrations that increase systemic risk to the financial services sector.”
Attracting and retaining competent staff was identified as “necessary to manage compliance risks remain a challenge at some banks.” As a result, some banks are using third-party service providers to supplement and support existing compliance operations.
“Such practices should be accompanied by initial and ongoing due diligence and appropriate oversight. The absence of or gaps in due diligence, oversight, and controls may result in elevated risk levels and increase the potential for violations,” the report says.
AML and compliance risk
The assessment notes that compliance risk “remains elevated” as banks seek to manage money-laundering risks and comply with amended consumer protection requirements.
“The underlying technology that supports innovation in FinTech and RegTech, and development of product and service solutions, may also be used to facilitate illicit activity, thereby increasing Bank Secrect Act, AML, and Office of Foreign Assets Control risk exposure,” the OCC wrote.
Subsequently, it is important for bank management to assess and, when necessary, adapt BSA/AML and OFAC risk management systems to match the complexity of their business models, products, and services. The OCC, however, identified instances when banks have not adjusted or realigned these risk assessments to reflect changes in risk profiles resulting from multiple factors. These factors include growth (organic and through mergers and acquisitions), the introduction of new products and services, substantial changes in customer volume or types (particularly in high-risk areas), and significant increases in transaction volume.
“Complex and dynamic activity is not only in the form of traditional products and services, but now may also relate to increases in virtual currency and crypto assets, which may create vulnerabilities that criminals can exploit for money laundering, terrorist financing, and other criminal enterprises,” the report says. “The majority of BSA/AML-related deficiencies identified by the OCC stem from issues related to customer due diligence/enhanced due diligence, customer risk identification, and processes related to suspicious activity monitoring and reporting.”
The OCC said it expects banks to be aware of regulatory changes and to have made changes to systems to comply with the new regulatory requirements. One such change is the Financial Crimes Enforcement Network’s Customer Due Diligence/Beneficial Ownership regulation, implemented in May 2018.
Necessary updates to training, quality assurance, independent testing, and controls also are expected to be in place. The recently published “Interagency Statement on Sharing Bank Secrecy Act Resources,” addresses instances in which banks may decide to enter into collaborative arrangements to share resources in order to manage their BSA/AML compliance obligations more efficiently and effectively.
Compliance and operational risk is also elevated by new and evolving U.S. economic and trade sanctions. “The increase in the number and complexity of OFAC-administered trade and financial sanctions programs challenges banks to maintain effective OFAC monitoring systems and elevate compliance risk exposure. Many banks are assessing new technology solutions to manage this risk,” the report says.
Regulatory changes may necessitate modifications to existing operations, policies, procedures, and systems. These changes may result in significant compliance and reputational risk if not implemented correctly and with appropriate change management processes.
The OCC says it has linked many risk assessment concerns to weaknesses in change management processes, such as bank processes that fail to include a compliance function when decisions are being made about changes in products or services.
“These developments may present challenges for compliance management systems,” the advisory says. “Banks should reassess how these changes may affect consumer compliance management programs and whether they increase the risk of noncompliance with applicable laws and regulations, disrupt operations, and potentially increase costs.”