OCC report: Cyberattacks, pandemic among top bank risk areas in 2021

According to the OCC’s “Semiannual Risk Perspective for Fall 2021,” released Monday, the agency has seen cyberattacks become more sophisticated and cause more damage, leading to elevated operational risks.

“The OCC has observed an increase in ransomware attacks in financial services,” the regulator said. “These attacks continue to leverage phishing emails targeting employees and compromised credentials to gain access to networks through remote access channels. Once access is gained, the attackers conduct ransomware and other extortion campaigns.”

The OCC recommended banks “should adopt robust threat and vulnerability monitoring processes and implement stringent and adaptive security measures such as multi-factor authentication or equivalent controls to authenticate access to sensitive systems. Network systems should be properly configured and have effective patch management processes in place. Banks should also ensure that critical systems and records are backed up and stored in immutable formats that are isolated from ransomware or other destructive malware attacks.”

In addition, banks should assess the risks posed by cyberattacks against their third-party vendors and develop “a comprehensive approach to operational resilience.”

“Banks should conduct risk-based due diligence commensurate with the criticality of the activity provided by the third party. This is especially true when introducing new products, services, or delivery channels or when entering into partnerships where the third party provides a critical function,” the OCC stated.

COVID-19 impact

The pandemic continues to present new and emerging risks to banks, particularly as they “adjust to regulatory changes and initiate efforts to serve customers in the final stages of assistance programs and initiatives related to [COVID-19],” according to the OCC.

The winding down of government pandemic relief funding “creates increased compliance responsibilities, high transaction volumes, and new fraud types at a time when banks continue to respond to a changing operating environment,” the report said.

To properly address risks posed by handling government pandemic relief funds for customers, banks should take steps to ”continue to monitor and manage changes and associated risks; ensure that new processes incorporated into their compliance risk management programs are effective and address changes in laws and regulations; manage operational challenges; and ensure compliance obligations are fulfilled while functioning with staff working remotely,” the report said.

One area of compliance that can provide early warning indicators of potential problems is monitoring of customer complaints.

“Monitoring complaints is an important component of an effective compliance risk management program, especially as the pandemic continues to spur multiple changes to bank processes and requirements that may directly or indirectly affect customers,” the OCC said.

Other compliance hurdles

“Specific areas of challenge continue to include responsibilities associated with underwriting and opening new accounts, monitoring customer activity, processing transactions, making loan modifications, servicing loans, communicating with customers, complying with consumer protection laws, and treating customers fairly,” the report said. The OCC noted meeting Bank Secrecy Act (BSA) and Office of Foreign Assets Control (OFAC) compliance obligations, as well as adapting to regulatory and policy actions by the Consumer Financial Protection Bureau (CFPB), as other challenge areas.

Regulated entities would also do well to continually assess the risks climate change presents to the health and safety of their institutions, both physical (hurricanes, wildfires, floods, heatwaves, and sea level rise) and transitional (changes from government policy, technology, and consumer/investor sentiment).

Another compliance risk the OCC highlighted stems from the ever-increasing digitalization of banking and the emergence of digital assets.

“Risk management and control environments should keep pace with innovation and emerging trends, and a comprehensive understanding of risk should be achieved to preserve effective controls,” the report said.