OCC Bulletin 2017-43: Guidance for Risk Management of New Activities
New activities and business lines are more than just potential profit centers. They are also potential sources of risk that need to be carefully identified, measured, monitored, reported and controlled. They also need to align with a bank’s overall strategy and business plan and give consumers fair access and treatment when it comes to financial services. That’s the reminder the OCC is sending with OCC Bulletin 2017-43, New, Modified or Expanded Bank Products and Services.
The world of banking has evolved considerably since the OCC’s last guidance on the topic in 2004, OCC 2004-20, which was replaced by this issuance. Artificial intelligence and cloud data storage are growing while consumers expect increasingly mobile and real-time products. This creates opportunities but also contributes to strategic, reputation, credit, operational, compliance and liquidity risk, the OCC says. It can impact everything from financial performance and the strategic planning process to risk profiles, banking models and competitiveness.
The best way to ensure sound risk management when adding new activities or altering ones already in place, the OCC says, is to develop an effective risk management system with four key elements:
- Due diligence and approvals. The board should ask why the bank is engaging in this activity and what the risks and benefits are.
- Policies and procedures. These should specifically outline how risks will be managed.
- Change management. Have plans for testing, implementing and exiting the activity.
- Ongoing monitoring and review. Have a system in place to monitor risk exposure and whether it remains within the bank’s risk tolerance.
These principles are especially important to remember when dealing with third-party vendors, which often facilitate new activities. The guidance mentions third-party vendors no fewer than 32 times, and the original guidance, now replaced by this update, is referenced in OCC Bulletin 2013-29, Third-Party Relationships.
Banks that don’t embrace risk management systems and install proper controls face problems such as errors, losses, failed business objectives, issues with systems and controls, compliance violations, and lawsuits, the OCC warns.