OCC Spring 2022 Risk Report Highlights Risks Facing BFS Companies

Introduction

The Office of the Comptroller of the Currency (OCC) has published the OCC Spring 2022 Risk Report that highlights risks faced by banks and financial services organizations. The National Risk Committee (NRC) of the OCC plays a key role in monitoring the U.S. federal banking system, identifying key risks facing banks, and highlighting those risks in its semiannual publications. The latest edition of its guidance has observed that the financial condition of banks remains strong and well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates, and increased inflation” and has warned banks and financial organizations to prepare for elevated operational risks and heightened compliance risk.

In the report, the risks have been due to the current geopolitical tensions, a heightened compliance risk environment attributed to regulatory changes, policy initiatives, and challenges in hiring qualified compliance professionals, and an observed increase of cyberattacks on the financial services industry.

Here is more into the key risk themes highlighted in the report.
 

Elevated Operational Risk Due to an Increasingly Complex Operating Environment

The OCC report attributes the elevated operational risk to cyber threats which “continue to evolve, with an observed increase in attacks on the financial services industry.” This has been further accelerated by the ongoing geopolitical situation. Additionally, “banks’ increasing reliance on third-party relationships, along with the development and adoption of innovative products, services, and technologies, and ongoing changes to banks’ staffing and the operating environment” have all led to an increase in operational risk.

Also, the OCC has observed that banks are finding it challenging “to maintain comprehensive operational resilience frameworks commensurate with the complexity of products, services, and operations being supported in this environment.” It has further advised that some of the risk exposure may manifest in the coming quarter, making it vital for “the industry to remain vigilant and fully assess its risk exposure.”

Given the increased operational risks, the OCC’s recommendations include:

• Lowering reporting thresholds on information sharing activities, testing of organizational response plans, and continuing the focus on business continuity and resilience (as recommended by Cybersecurity and Infrastructure Security Agency (CISA))
• Maintaining robust threat and vulnerability monitoring processes and implementing more stringent cybersecurity measures
• Applying sound fraud risk management practices to help prevent losses when implementing new technology and innovative products and services
• Following appropriate due diligence, change management, and risk management processes in accordance with the bank’s size, complexity, and risk profile, while accounting for and keeping pace with any new, modified, or expanded activity and the complexity that comes with it
• Developing robust planning and risk management processes to manage, partner, or compete with new fintech entrants as needed

Heightened Compliance Risk, Driven by Regulatory Changes and Policy Initiatives

The OCC has highlighted that compliance risk remains heightened. This is primarily because banks are now required to navigate the complexity of sanctions imposed in response to the Russian invasion of Ukraine. At the same time, banks have also been required to “continue to manage the impact of forbearance programs and the elevated volume of customers on deferred payment and loss mitigation programs.”

The OCC has further observed challenges in the industry in retaining and replacing staff in compliance functions. The lack of access to subject matter expertise or the using of third-party relationships to support or fill such critical roles may increase compliance and operational risks.

The OCC offers the following recommendations for banks and financial institutions.

• Navigate the “complex and evolving” sanctions by accurately assessing “the applicability and impact of sanctions on their institutions and customers, including the impact of sanctions imposed by both the U.S. and other countries on foreign branches, overseas offices, and subsidiaries.”
• Institute effective change management and compliance risk management processes “to identify, measure, monitor, and control the evolving and emerging risks related to consumer products and services.”

Thrive on Risk with a Connected GRC Approach

Interested to know how MetricStream can help you take a connected approach to risk management? Write to me at sumith.sagar@metricstream.com to learn more. You can also request a personalized demo to learn more about our products.