OCC: Operational and Compliance Risk Elevated in 2022
Want to make sure your risk management practices are protecting your institution from regulatory issues? Make sure you’re paying enough attention to operational and compliance risk.
That’s the message in the OCC’s Semiannual Risk Perspective for Spring 2022.
The top risk areas catching the OCC’s attention
The OCC uses matters requiring action (MRAs) to communicate concerns about a bank’s deficient practices. These highlight areas that could lead to an enforcement action if they aren’t corrected and include practices that don’t align with sound governance, internal control, or risk management principles.
In the first quarter of 2022, MRAs were most commonly related to operational risk issues (42%) followed by credit risk (24%) and compliance risk (24%), making these essential areas of focus for financial institutions.
Let’s take a closer look at what the OCC has to say about these two key non-financial areas of risk.
Operational risk highlights
Cyber risk. It’s no secret that the financial services industry has been subject to an increasing number of attempted cyberattacks. The OCC says that cyber threat monitoring and effective defensive capabilities are increasingly important along with sharing information about potential threats.
The OCC also reminds financial institutions and their third-party service providers to comply with the computer-security incident notification rule issued jointly by the OCC, Federal Reserve, and FDIC (Federal Deposit Insurance Corporation), which took effect April 1, 2022, with a compliance date of May 1, 2022. The rule requires a bank to notify its primary federal regulator no later than 36 hours after it determines that a notification incident has occurred, and requires bank service providers to notify affected bank customers as soon as possible when an incident has materially disrupted covered services for four or more hours.
What to do: Make sure you’re regularly assessing cybersecurity risk with tools like the FFIEC (Federal Financial Institutions Examination Council) Cybersecurity Assessment Tool (CAT) so you can show a robust cybersecurity posture. Best practices are constantly evolving, and your cyber defenses need to keep pace.
Revisit your cyber threat monitoring capabilities. For example, are you actively monitoring your third-party vendors’ cybersecurity? You should be.
Also follow up on your institution’s implementation of the cyber incident notification rule. Staff should know who decides that an event is a notification incident, when the 36-hour clock starts, and who contacts the regulator, and you should confirm the procedure was actually followed for any incident that has already occurred.
Third-party vendor due diligence and oversight. Due diligence scoped to the potential risk of an outsourced activity remains as crucial as ever, the OCC says.
Examiners will continue to assess how well banks are managing risks related to new products and services, including those associated with fintechs. Meanwhile ransomware attacks on third parties that allow access to financial institutions’ data and systems continue to be a significant threat, making it essential for financial institutions to assess and address third-party risk.
What to do: It’s all about vendor due diligence—both initially and on an ongoing basis.
Make sure your institution has a way to track when each vendor risk assessment was last completed and when it is next due, with the review cadence driven by the inherent risk of the outsourced activity. If the risk of the activity has increased materially, or your institution has shifted its risk appetite, update the affected vendor risk assessments sooner than scheduled to decide whether new or stronger controls are needed.
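One way to operationalize that tracking, as an added example that is not part of the original post or of any Ncontracts product: a small Python module that holds a vendor inventory, derives each vendor’s next due date from a review cadence keyed to its current risk tier, and queues a vendor for re-assessment when it is overdue, when its risk tier has risen since the last assessment, or when the institution’s risk appetite has changed. The tier-to-cadence intervals, the tier names, and the vendor records are constructed assumptions for illustration, not values from the OCC report.

```python
"""Vendor risk re-assessment tracker (illustrative example, not from the page)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review cadence per inherent-risk tier. These intervals are an
# illustrative assumption, not a requirement stated in the OCC report.
REVIEW_INTERVAL_DAYS = {"critical": 365, "high": 365, "moderate": 730, "low": 1095}
# Ordering used to detect that a vendor's risk has gone up since last review.
TIER_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    current_tier: str    # inherent risk of the outsourced activity as of today
    assessed_tier: str   # tier recorded when the last assessment was completed
    last_assessed: date  # completion date of the last risk assessment


def next_due(vendor: Vendor) -> date:
    """Due date of the next assessment.

    Computed from the *current* tier, not the tier on file, so a vendor whose
    risk has risen inherits the shorter cadence immediately.
    """
    return vendor.last_assessed + timedelta(days=REVIEW_INTERVAL_DAYS[vendor.current_tier])


def reassessment_reasons(vendor: Vendor, today: date, risk_appetite_changed: bool = False) -> list:
    """Reasons this vendor must be re-assessed now; an empty list means on schedule."""
    reasons = []
    if TIER_RANK[vendor.current_tier] > TIER_RANK[vendor.assessed_tier]:
        reasons.append(f"risk rose from {vendor.assessed_tier} to {vendor.current_tier}")
    if risk_appetite_changed:
        reasons.append("institution risk appetite changed")
    due = next_due(vendor)
    if today > due:
        reasons.append(f"overdue since {due.isoformat()}")
    return reasons


def review_queue(vendors, today: date, risk_appetite_changed: bool = False) -> list:
    """Vendors that need action now, earliest due date first."""
    queue = []
    for v in vendors:
        reasons = reassessment_reasons(v, today, risk_appetite_changed)
        if reasons:
            queue.append({"name": v.name, "due": next_due(v), "reasons": reasons})
    return sorted(queue, key=lambda row: row["due"])


# Constructed sample inventory (fictitious vendors) and reporting date.
AS_OF = date(2022, 6, 1)
VENDORS = [
    # Critical vendor reviewed annually; last review was over a year ago -> overdue.
    Vendor("CorePlatform", "critical", "critical", date(2021, 5, 15)),
    # Low-risk vendor on a three-year cadence; nothing to do yet.
    Vendor("PrintShop", "low", "low", date(2021, 1, 10)),
    # Scope grew since last review: now high risk, so it jumps the queue.
    Vendor("DataAnalytics", "high", "moderate", date(2021, 12, 1)),
]

if __name__ == "__main__":
    for row in review_queue(VENDORS, AS_OF):
        print(f"{row['name']:<14} due {row['due']}  ->  {'; '.join(row['reasons'])}")
```

Because the due date is recomputed from the current tier rather than the tier stored at the last review, a vendor whose risk classification is raised shows up in the queue immediately instead of waiting out the longer interval that applied when it was lower risk.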
Compliance risk highlights
Compliance staffing. While the OCC recognized that banks are having a tough time hiring and retaining experienced staff generally, it noted that the problem is especially acute in the compliance field.
“The OCC has observed an increase in the competition for compliance subject matter experts, at both the bank management and staff levels,” the report reads.
Difficulty attracting and retaining specialized staff creates risk for banks, the OCC warns.
What to do: Now is the time to create an environment that will appeal to experienced compliance professionals. I’m not just talking about benefits and compensation.
Make sure your compliance team has tools, like an automated compliance management system (CMS), so they can work efficiently. If they have to spend hours and hours reading through hundreds or thousands of pages of regulations just to figure out what rules apply to a new product or service, they will burn out—or go to an institution that provides software and services that take the busywork out of compliance.
Staying on top of change management
Compliance risk is always a concern, but sanctions imposed on Russia after its invasion of Ukraine have added to the complexity. Pair that with the OCC’s laser focus on fair lending, the change management that accompanied COVID relief programs, new products and services, and the aforementioned staffing challenges, and it’s a lot to manage.
What to do: Have a change management playbook within your compliance management system (CMS). This way your institution can follow a set plan every time a new change comes, rather than start at square one.
Operational and compliance risk remain heightened, so make sure your financial institution is up to the challenge.
Learn more about compliance risk: Compliance Risk: New Ways Your Data Can Be Used Against You (ncontracts.com)