Last week, the OCC released its semiannual risk report highlighting credit, operational, and compliance risks to the federal banking system. The report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource by those financial institutions to address the key concerns identified by the OCC. Specifically, the OCC placed cybersecurity and anti-money laundering (AML) issues among the three top concerns highlighted in the report.
The OCC called for banks to remain vigilant against the operational risks that arise from efforts to adapt business models, transform technology and operating processes, and respond to increasing cybersecurity threats. The OCC stated that:
- “The speed and sophistication of cybersecurity threats are increasing. Banks continually face threats seeking to exploit bank personnel, processes, and technology. These threats target large quantities of personally identifiable information and proprietary intellectual property and facilitate fraud and misappropriation of funds at the retail and wholesale levels.”
- “Phishing is a primary method for breaching data systems and often leads to other malicious activity, such as installing ransomware, compromising internal systems to effect payments, or conducting espionage. Effective user awareness campaigns and training help prevent phishing attacks. Timely and thorough software patch and system update management, strong risk-based authentication, employee training, and effective network segmentation can prevent further damage if intrusions succeed.”
- “The number, nature, and complexity of third-party relationships continue to expand, increasing risk management challenges for banks. Financial technology companies providing innovative financial products and services introduce opportunities, as well as potential risk, for banks.”
- “Consolidation among larger service providers has increased third-party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Operational events at these larger service providers can potentially affect wide segments of the financial industry.”
- “The volume of products and services and the complexity of end-to-end processes for delivery in larger, complex banks are key drivers influencing the current level of operational risk. Insufficient monitoring and limited internal testing have failed to detect product and service delivery disruptions, resulting in slowed responses by banks and prolonged impact to customers. This condition is especially true of banks with legacy or disparate management information systems and risk management programs that may be ineffective.”
The OCC also called for banks to address the compliance risks related to managing money laundering risks in an increasingly complex risk environment. The OCC stated that:
- “The challenge for banks to comply with Bank Secrecy Act (BSA) requirements persists due to dynamism of money laundering and terrorism-financing methods. Also, bank offerings using new or evolving delivery channels may increase customer convenience and access to financial products and services, but banks need to maintain a focus on refining or updating BSA compliance programs to address any vulnerabilities created by these new offerings, which criminals can exploit.”
- “In addition, BSA and anti-money laundering (AML) compliance risk management systems may not keep pace with evolving risks, constraints on resources, changes in business models, and an increasingly complex risk environment.”
- “New and amended regulations strain bank change management processes and compliance management systems, which increases operational, compliance, and reputation risks. These changes include the integrated mortgage disclosures under the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA), as well as the new requirements under the amended regulations implementing the HMDA and the MLA.”
- “Many banks face difficulties validating processes and systems that rely on software, automated tools, disclosure forms, and third-party relationships to process loan applications, create and distribute disclosures, and underwrite and close loans. Sound risk management practices should include maintaining processes and systems that are sufficient to identify covered borrowers and loan products, producing accurate calculations and required disclosures, and incorporating other required protections.”
- “Some banks have difficulty fully and accurately implementing the significant system and operational changes necessary for the integrated mortgage disclosure forms—Loan Estimate and Closing Disclosure—required for most mortgage loans secured by real property… Banks need consumer compliance risk management and audit functions sufficient to promote ongoing compliance with the regulation.”