OCC: Lack of Risk Management Leads to Enforcement Actions
Lack of appropriate governance, oversight, and risk management systems and controls is the leading cause of enforcement actions.
That’s not just our opinion. It’s the finding of the Office of the Comptroller of the Currency in the OCC Semiannual Risk Perspective Fall 2019. The periodical focuses on the most pressing areas of risk at banks and the steps that can be taken to mitigate them:
- What Risk Areas Result in the Most Enforcement Actions?
- Operational Risk Remains Elevated
- Resilience and Vendor Management Risk
- Cybersecurity Risk Update
- Strategic Risk
- Credit Risk
- Making Sense of Risk
What Risk Areas Result in the Most Enforcement Actions?
The most commonly cited areas for enforcement actions include compliance or operational failures. When it comes to matters requiring attention (MRAs), the top two concerns are operational (40 percent) and compliance (24 percent), followed by credit (23 percent).
Operational Risk Remains Elevated
Once again, the OCC noted that operational risk is elevated. The reasons include:
- Cybersecurity threats
- Technology advances and innovation in core banking systems requiring careful risk management
- Increasing use of third-party service providers, which requires strong vendor management
- Continued threat of fraud
- Threat of operational disruptions
In each case the OCC emphasizes that these risks must not just be understood, but they must be mitigated with effective controls and a focus on operational resilience. This list differs only slightly from the Spring 2019 issue, with threat of operational disruptions taking the place of poorly planned M&A.
Resilience and Vendor Management Risk
The OCC also emphasizes resilience, much like the FFIEC’s updated focus on business continuity management (BCM).
It wants FIs to determine that critical vendors have appropriate cybersecurity as part of their overall resilience framework. This includes assessing end-to-end processes and having continuity plans for outages that affect critical business processes.
“As always, banks should manage the risks that arise from reliance on third-party service providers for payments, transaction processing, maintaining sensitive information, and other critical functions,” the agency notes.
The OCC is also concerned about the potential impact of vendor consolidation. Fewer companies are providing critical services, meaning an outage at one vendor can have a far-reaching impact. It’s working with the other agencies to examine these services.
Cybersecurity Risk Update
The OCC Semiannual Risk update offered up a list of the most common cyber control deficiencies as well as suggestions for bolstering cybersecurity awareness.
The OCC says the most common control deficiencies it encounters include:
- Patch management. Less complex institutions sometimes lack the resources to identify and implement patches, while more complex institutions struggle to implement a large volume of patches on a timely basis.
- Network configuration. Misconfigured security settings on firewalls and network controls can give bad actors access to systems and data.
- Access management. Excessive or inappropriate access rights can allow the wrong people to access data.
The most common attacks include phishing incidents to install malware, stolen login credentials, and card-skimming and cash-out ATM attacks when ATMs aren’t updated or patched.
The OCC says a strong, tested incident response plan is essential for mitigating the financial and reputation risks of a cyberattack. It’s also important to keep informed and share cybersecurity insights with others.
The OCC recommends FIs:
- Share info with the Financial Services Information Sharing and Analysis Center
- Subscribe to technical alerts from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency
- Self-report incidents through the FBI’s Internet Crime Complaint Center
- Remember to include cyber-related info when filing SARs
Strategic Risk
Banks face strategic risk, or the possibility that the FI will make decisions that don’t support its long-term goals, in these key areas:
- Non-bank competitors
- Use of innovative and evolving technology
- Expanding data analysis capabilities
- An increasing number of banks investing in and developing AI and machine learning for BSA/AML
Credit Risk
The OCC notes that the U.S. economy has been on a 10-year hot streak with strong credit performance. It urges FIs to make plans now to deal with potential challenges to profitability, including strategizing where budget cuts will make the most sense.
“Key control functions and processes, such as risk management, audit, compliance, and staff development, should be evaluated to ensure sound risk management oversight during economic stress. Cost-cutting strategies aimed at enhancing near-term returns should balance profitability with the maintenance of proper controls,” it notes.
As part of the efforts to limit costs, some FIs have turned to mergers and acquisitions. M&A can introduce risk due to the need to build a unified culture with appropriate governance, risk management and controls. Any FI considering M&A needs to ensure change management addresses people, processes, systems, and strategic initiatives.
Making Sense of Risk
While the OCC breaks down risk by category, the overlap between these areas is obvious. There is no way to address these risks in silos. From cybersecurity and vendor management to credit risk and M&A, enterprise risk management (ERM) is needed to pull these all together.
Strong risk and change management comes from the top. Governance, oversight, risk management and controls are key to understanding risk—and avoiding enforcement actions.
Risk cannot be effectively identified, assessed and mitigated on an ad hoc basis.