Risk & Exams: Insights Into Where Examiners Will be Looking in 2021
It’s the fourth quarter, and chances are your financial institution is deep into strategic planning for 2021—if not already done. You are not the only one.
Looking ahead, the Office of the Comptroller of the Currency has released its Fiscal Year 2021 Bank Supervision Operating Plan, which took effect October 1. This document is full of insights for all financial institutions—even those not overseen by the OCC—because it hints at what other financial supervisory agencies are likely to be looking at, too.
Are your strategic priorities aligned with OCC supervisory objectives? Here’s a clue: If your financial institution is actively engaged in risk management, you’ve got a good head start.
Read on to find out more about some of the key non-financial risks of interest to the OCC:
- Cybersecurity and operational resilience
- Change management & operational risk
- Compliance risk management related to COVID-19
- Third-party vendor management
- Fair lending
- Community Reinvestment Act
Cybersecurity and operational resilience. It’s no secret that cyber threats continue to grow, and examiners are focused on making sure financial institutions have the wherewithal to prevent and survive these attacks.
The OCC is particularly focused on threat vulnerability and detection, access controls and data security, managing third-party access, incident response, and remediation processes.
How do you know if your FI is prepared to prevent, detect, and respond to cyber incidents? The FFIEC’s Cybersecurity Assessment Tool (CAT) is a great way to assess your institution’s cyber maturity. Incorporating elements of the FFIEC Information Technology (IT) Examination Handbook, regulatory guidance, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, it allows institutions to evaluate cyber preparedness and know where improvements are needed.
Change management & operational risk. The OCC is also very interested in change management when it comes to significant operational changes. Its examiners are instructed to evaluate the governance of new technology innovation and implementation, including “use of cloud computing, artificial intelligence, digitalization in risk management processes, new products and services, and notable changes in strategic plans.” Change management related to COVID-19 and necessary emergency programs, including the CARES Act and pandemic-related operating conditions, will be examined closely.
Make sure your financial institution is assessing the operational risk of new tech initiatives so it can demonstrate why it made the strategic decision to use that technology and the controls it uses to mitigate those risks. The same holds true for its COVID-19 response.
Compliance risk management related to COVID-19. The passage of the CARES Act introduced new temporary loan forbearance requirements. Meanwhile, FIs were encouraged to provide consumer loan or account accommodations. (The OCC also mentions SCRA risk due to increased foreclosure volume.)
Did your FI adjust its policies and procedures to respond to the crisis? Your compliance management system should help you respond to necessary changes in a systematic way and ensure they work as intended.
Third-party vendor management. Managing vendor risk (including partnerships) remains a top concern, with examiners especially on the lookout for:
- Significant concentrations in operations
- Bank resiliency
- Oversight of third parties’ own management of cybersecurity and resilience risks
If using a third-party vendor to offer new or novel payment systems products, services, or channels, make sure you pay special attention to operational, compliance, strategic, and reputation risks. (They are also important for those planning to address this in-house.)
Proper vendor management requires deep knowledge of vendors—everything from their financial status and continuity plans to their IT security. This remains especially true as the pandemic upends many businesses. Make sure you have a vendor management program that helps you stay on top of these critical areas.
Fair lending. Fair lending, including examinations and risk assessments, remains a hot topic. The OCC plans to look at pandemic-related loan accommodations and loss mitigation efforts as well as new technology used in underwriting processes. Other agencies, including the Federal Reserve and the Consumer Financial Protection Bureau (CFPB), have also advertised their interest in fair lending.
Community Reinvestment Act. With new rules issued on June 5, the OCC will be paying attention to how its guidance is implemented. CRA is traditionally a common topic across all regulatory agencies, and FIs should be ready.
As you head into 2021, make sure your FI is prepared to manage these critical risks. If you would like to learn more about how to prepare for risk and compliance best practices next year, please download this whitepaper "Kumbaya: Bringing Together Risk & Compliance."