US banks are facing ever-greater operational, compliance, and strategic risk – thanks to an increasingly complex and changeable environment – despite demonstrating resiliency with satisfactory credit quality and strong earnings.
As a result, regulators are encouraging them to avoid becoming complacent so they can remain resilient without compromizing the risk management systems that support their business models and strategic and operating plans.
In the latest Semiannual Risk Perspective report from its National Risk Committee, the Office of the Comptroller of the Currency (OCC) urges banks to “remain vigilant” when considering opportunities for growth in order to avoid excessive risk taking, and to maintain “adequate controls” when managing investment and lending programs.
The OCC charters, regulates, and supervises US national banks and federal savings associations, and licenses, regulates, and supervises foreign banks’ federal branches and agencies. It supervises them to ensure they operate safely and soundly, provide fair access to financial services, treat customers fairly, and comply with laws and regulations.
Its National Risk Committee monitors the condition of the federal banking system, identifying key risks and monitoring emerging threats. It issues guidance to examiners that provides perspective on industry trends and highlights issues requiring attention.
Threats to banks
Its Semiannual Risk Perspective addresses the key issues facing banks, focusing on those that pose threats to banks’ safety, soundness, and ability to meet their compliance obligations. The latest report also examines the operating environment, bank performance, and supervisory actions.
It concludes that banks are dealing with:
- elevated operational risk as they respond to an evolving and increasingly complex operating environment and evolving cyber risks;
- heightened compliance risk, driven by regulatory changes and policy initiatives that continue to challenge their risk management capabilities;
- continuing strategic risk caused by their actions to offset the effects of low yields and net interest margins (NIM) compression on earnings.
The OCC attributes the elevated state of operational risk to evolving cyberattacks, which are becoming more and more sophisticated and targeting a wider range of companies, and says it has seen more ransomware attacks on financial services firms. “These attacks continue to leverage phishing emails targeting employees and compromised credentials to gain access to networks through remote access channels. Once access is gained, the attackers conduct ransomware and other extortion campaigns,” it says in its report.
It says that, as Covid-19 assistance programs come to an end, banks’ efforts to serve their customers create challenges for change, product, and service risk management practices and heighten compliance risk. “The conclusion of these programs creates increased compliance responsibilities, high transaction volumes, and new types of fraud, as banks continue to respond to a changing operating environment,” it says.
“Banks may attempt to further improve earnings through measures including increasing credit risk (in both loans and investments), extending loan duration, and cost cutting.”
National Risk Committee, US Office of the Comptroller of the Currency
And it adds that banks are also facing more strategic risk from their management of NIM compression and efforts to improve earnings. Stimulus measures, low-yield investment options, and reduced lending opportunities have fueled deposit inflows that have resulted in additional highly-liquid assets and lower margins as banks have struggled to find yield.
“Banks may attempt to further improve earnings through measures including increasing credit risk (in both loans and investments), extending loan duration, and cost cutting,” the OCC predicts.
The OCC’s National Risk Committee pinpoints cybercrime as a source of significant – and growing – operational risk for banks, with criminals exploiting the “publicly known and unaddressed” software vulnerabilities of public and private organizations around the world.
For banks, the threat is exacerbated by customers’ ability to use financial services remotely via their computers and mobile devices, employees’ need to work remotely during and since the pandemic and to use tools such as virtual private networks to do so, and banks’ use of cloud technology. This makes it even more important for them to have effective cyber controls.
Analyzing risks from third parties
To protect themselves against cybercrime, says the Committee in the Semiannual Risk Perspective report, banks should “adopt robust threat and vulnerability monitoring processes and implement stringent and adaptive security measures such as multi-factor authentication or equivalent controls to authenticate access to sensitive systems. Network systems should be properly configured and have effective patch management processes in place. Banks should also ensure that critical systems and records are backed up and stored in immutable formats that are isolated from ransomware or other destructive malware attacks.”
They should also assess the risks posed by their suppliers and other third parties. This is because cybercriminals are exploiting vulnerabilities in both the hardware and software used by banks and their supply chains. The Committee warns: “These attacks demonstrate the importance of banks assessing the risks from their third parties, inclusive of the supply chain, and developing a comprehensive approach to operational resilience.”
Innovating and adopting new products, services, and delivery channels is also a source of risk for banks, according to the Semiannual Risk Perspective. Innovation is key to their ability to respond to customers’ changing needs, preferences, and expectations but, at the same time, it makes their operating environment more complex.
Such financial services innovation includes faster and real-time payment products, increased use of mobile and digital technologies to deliver financial services, application programming interfaces, data aggregation services, contactless payment devices, and distributed ledger technology and digital assets – which the Committee urges banks to approach with “a high degree of caution”.
“Risk management inclusive of due diligence and change management is important for fulfilling responsible innovation strategies and successfully adopting technology.”
National Risk Committee, US Office of the Comptroller of the Currency
The Committee adds: “The adoption of innovative technologies to facilitate financial services can offer many benefits to both banks and their customers. However, innovation may present risks. As such, risk management inclusive of due diligence and change management is important for fulfilling responsible innovation strategies and successfully adopting technology.
“Risk management and control environments should keep pace with innovation and emerging trends and a comprehensive understanding of risk should be achieved to preserve effective controls.”
According to the Committee, the OCC is continuing to focus on banks’ management of third-party risk. It says that banks may lack the expertise or technology needed to develop and offer innovative products, services, and delivery channels, and may rely on third parties to do it for them – opening them up to more risk.
To mitigate this risk, the Committee advises, banks should conduct thorough risk-based due diligence on potential partners that’s “commensurate with the criticality of the activity provided by the third party”. They must also gain a sound understanding of how third parties manage the risk of cyberattacks, which is just as great as the one faced by the banks themselves.
Banks’ significantly growing interest in digital assets is another source of risk for them. It has led some to explore the development of crypto-custody services, crypto-asset derivative products, or the provision of access to third-party crypto-related products.
Compliance risk for banks
But the Committee cautions that, while such innovations may offer benefits for banks and their customers, they also carry “significant” risk. Banks should carry out due diligence and risk management just as they would with any other new, modified, or expanded service.
“This includes ensuring sufficient knowledge and expertise in the underlying products and services and processes to identify and address strategic, operational, compliance, and reputational risks. Sound risk management of crypto-related product offerings includes alignment with a bank’s strategic goals, risk appetite, resources, and expertise,” it says.
Throughout 2022, in partnership with the Federal Reserve and the Federal Deposit Insurance Corporation, the OCC aims to provide greater clarity on whether banks’ crypto activities are legal and to provide expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations. The agencies will focus on crypto-asset custody services, facilitation of customer purchases and sales of crypto assets, loans collateralized by crypto assets, issuance and distribution of stablecoins, and holding crypto assets on balance sheet.
As the measures put in place to protect jobs and businesses at the start of the Covid-19 pandemic come to an end, banks face extra compliance risk as they adjust to regulatory changes and work to continue serving their customers.
Responding to change
Just as they did when they were first introduced, these programs’ conclusion creates “increased compliance responsibilities, high transaction volumes, and new fraud types at a time when banks continue to respond to a changing operating environment,” says the Committee.
The Committee advises banks to:
- monitor and manage changes and associated risks
- ensure that any new processes that they add to their compliance risk management programs are effective and address changes in laws and regulations
- manage operational challenges
- ensure that they fulfil their compliance obligations while employees are working remotely
And it encourages them to review interagency, OCC, Financial Crimes Enforcement Network, and Consumer Financial Protection Bureau issuances and guidance.
“Banks continue to face challenges to implementing proactive compliance risk management programs and will need to remain agile to quickly adapt,” the Committee says.
It identifies specific areas of challenge as meeting Bank Secrecy Act and Office of Foreign Assets Control compliance obligations, as well as adapting to regulatory and policy actions by the Consumer Financial Protection Bureau.