In its Fall 2023 Semiannual Risk Perspective, published on December 7, the Office of the Comptroller of the Currency (“OCC”) reported on key issues facing the federal banking system. In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key risk themes that the OCC underscored in the report included credit, market, operational, and compliance risks.
Of particular note was the discussion on the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships. We also will discuss briefly certain other compliance and operational risks highlighted by the OCC.
The OCC cautioned banks that are adopting or considering fintech relationships to scrutinize each third-party relationship. The OCC stressed that banks need to understand the risks associated with each third-party relationship, and enter into effective contracts to address the potential for default and termination. It also emphasized the identification of nested relationships, in which fintech firm may be providing services to other fintech firms without appropriate controls. In such circumstances, banks are considered on the hook for those partners’ practices. Overall, the OCC recognized that the range of payment methods and their accessibility continue to expand and evolve, but cautioned banks to keep pace with the corresponding risks by continuing to evaluate their BSA/AML risks and corresponding controls. In a separate section of its report, the OCC essentially reiterated these BSA/AML compliance risks with third-party arrangements with fintech firms as operational risks as well.
This discussion comes on the heels of recent OCC and FDIC consent orders involving banks concerning their third-party risk management practices. This discussion also tracks concerns noted by the Federal Reserve, FDIC, and OCC in final interagency guidance issued in June 2023 regarding managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements.
The OCC further emphasized the BSA/AML and financial crime risks associated with the expanding use by banks of digital and electronic products and services, as well as with more traditional financial crime risks, such as mail-theft related check fraud, business email compromise schemes, and payroll tax evasion. Overall, Suspicious Activity Report (SAR) filing “data trends reflect significant increases in SAR filings related to fraud.”
Other Compliance and Operational Risks
Another compliance risk highlighted by the OCC is the need to ensure equal access to credit, and the fair and consistent treatment of consumers. “Banks’ compliance risk management frameworks should be commensurate with their existing risk profiles and capable of efficiently and effectively supporting risk profile changes.” These consumer-facing concerns can sometimes be in tension with AML concerns which can lead to banks engaging in de-risking.
Similar to the BSA/AML compliance risks outlined above, the OCC identified the expanding use of new technologies by banks, including the use of faster and real-time payment products, as an operational risk. “Sound risk management practices can help safeguard against fraud, financial crimes, and operational errors[,]” including fraud targeting P2P and related payment platforms. Such products can enhance consumer convenience, but the speed and irreversible nature of these payments also make these products attractive instruments for perpetuating consumer fraud.
Finally, the OCC identified artificial intelligence (“AI”) as a special topic presenting potential compliance, credit, reputation and operational risks. Although AI presents many opportunities and potential benefits, it also can result in third-party risk, privacy concerns, cybersecurity risks, and potential consumer-facing bias and other consumer protection concerns. The OCC states that it is “technology neutral” and will continue to monitor the use of generative AI.
Although the OCC does not specifically discuss the potential use of AI in regards to BSA/AML compliance, there is increasing discussion of this topic in the industry. However, it is likely more accurate to regard machine learning, which is a subset of all AI, as currently having more direct applicability to BSA/AML compliance, including as to transaction monitoring.