Key Risk Trends for Banks and Financial Institutions. OCC’s Fall 2021 Semiannual Risk Perspective Highlights Elevated Operational Risk and Heightened Compliance Risk

Semiannual report
5 min read


The National Risk Committee (NRC) of the Office of the Comptroller of the Currency (OCC) monitors the condition of the U.S. federal banking system, identifies key risks facing banks, and highlights those risks that pose threats to the safety and soundness of banks and their compliance with applicable laws and regulations.

The latest edition of its guidance — the Fall 2021 Semiannual Risk Perspective – highlights four key risk areas including elevated operational risk and heightened compliance risk, and the risks associated with climate change.

Elevated Operational Risk from Increasing Cyberattacks and the Extended Enterprise

The OCC has observed that “operational risk remains elevated as cyber attacks evolve, (and) become more sophisticated.” The OCC categorizes the main reasons for the ‘elevated’ status as the increase in ransomware attacks in the financial industry, known and unknown software vulnerabilities, expansion of remote financial services, and the increasing reliance on third-party providers for services such as cloud-based environments.

With the pandemic, the banking industry has experienced a lot of change. This includes the adoption of new technology to quickly respond to customer and organizational needs. Third parties stepped in to play a vital role in bridging the gap where banks and financial institutions often lacked the expertise or technology needed to introduce new products or services. This has resulted in an increase in onboarding of third-parties to take over or assist in such functions.

Taking this growth of third parties into account, the OCC notes that “Supply chain risk continues to increase and evolve as attacks target vulnerabilities in software systems commonly used by large numbers of OCC supervised banks,” and that “Threat actors are increasingly exploiting vulnerabilities in third-party hardware and software systems to conduct malicious cyber activities.”

To manage and mitigate cyber risks, the OCC recommends the following measures for banks and financial institutions:

  • Adoption of robust threat and vulnerability monitoring processes
  • Implementation of stringent and adaptive security measures such as multi-factor authentication or equivalent controls to authenticate access to sensitive systems
  • Proper configuration of network systems along with effective patch management processes in place
  • Back up and storage of critical systems and records in immutable formats that are isolated from ransomware or other destructive malware attacks
  • Building a comprehensive approach to operational resilience, which stresses on the importance of banks assessing the risks from their third parties, including the supply chain

Heightened Compliance Risk due to Pandemic-Related Regulatory and Policy Changes

Banks continue to face pandemic-related new and emerging compliance risks. The report calls out the heightened compliance risk as banks “adjust to regulatory changes and initiate efforts to serve customers in the final stages of assistance programs and initiatives related to the COVID-19 pandemic.”

With most of the assistance programs concluding, it has resulted in increased compliance responsibilities, high transaction volumes, as well as new types of fraud—all the while as banks continue to respond and operate in a changing operating environment.

The report further identifies other compliance hurdles including, “specific areas of challenge” such as ”responsibilities associated with underwriting and opening new accounts, monitoring customer activity, processing transactions, making loan modifications, servicing loans, communicating with customers, complying with consumer protection laws, and treating customers fairly.”

Other challenge areas noted by the OCC included meeting Bank Secrecy Act (BSA) and Office of Foreign Assets Control (OFAC) compliance obligations, as well as adapting to regulatory and policy actions by the Consumer Financial Protection Bureau (CFPB). The OCC also highlighted compliance risk being heightened by the rapid digitalization of banking processes and the emergence of digital assets.

To address the heightened compliance risk, the OCC proposes that banks take the following steps:

  • Actively continue to monitor and manage changes and associated risks
  • Ensure that new processes incorporated into their compliance risk management programs are effective and address changes in laws and regulations
  • Manage and mitigate operational challenges
  • Ensure compliance obligations are fulfilled while functioning with remote staff
  • Monitoring of customer complaints to ensure effective compliance risk management
  • Ensure effective change management and compliance risk management to identify, measure, monitor, and control the changing and emerging risks related to consumer products and services

Risks Associated with Climate Change

The impact of climate change on households, communities, businesses, and governments presents significant risk to banks and financial institutions. As per the report, “Banks are exposed to physical and transition risks presented by climate change, which may impact the safety and soundness of supervised institutions.”

This makes it important for banks and financial institutions to continually assess both physical risks such as hurricanes, wildfires, floods, heatwaves, sea level rise, etc., and transitional risk changes including those from government policy, technology, consumer/investor sentiment, etc.


Thrive on Risk with MetricStream

MetricStream’s capabilities enable banks and financial institutions to implement the OCC’s recommendations. With real-time risk intelligence, AI-powered recommendations and insights, and years of proven domain expertise, MetricStream enables you to follow a robust operational risk management strategy and strengthen your compliance posture—empowering you make risk-aware decisions to ‘thrive on risk.’

  • Actively manage cyber risk with our CyberGRC product line. Easily align established security standards through an IT and Cyber Risk and Compliance Framework and comply with IT audits more efficiently. Leverage pre-packaged content and industry frameworks such as ISO 27001, NIST CSF, and NIST SP800-53, and map policies to IT controls and policy exceptions. Utilize best practices, insightful reporting, and risk quantification to build cyber resilience.
  • Leverage MetricStream Operational Risk Management’s comprehensive set of capabilities and gain forward-looking risk visibility with predictive risk metrics and indicators. Reduce losses and avoid adverse risk events through proactive control structures and analytics.
  • Stay primed on the complex web of regulatory obligations with MetricStream Regulatory Compliance Management that also simplifies implementing measures, processes, and policies to sustain compliance.
  • Adopt a simplified and streamlined approach towards meeting all organizational requirements relating to environmental, social, and governance (ESG) with MetricStream’s ESGRC which enables the automated capture of data for a broad range of ESG metrics.

See how MetricStream can help you stay current and compliant. Request a demo today.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.