We all know that risk management is an important part of financial institution governance. It’s also a source of enforcement actions.
In the last quarter of 2023 alone, the banking agencies issued enough actions nationwide to talk about for hours!
Reviewing the enforcement actions and fines levied against banks, I noticed some trends worth sharing. Here are some common threads from the 11 OCC, Federal Reserve, and FDIC enforcement actions from the third quarter of 2023.
Third-party risk management enforcement
Five of the 11 enforcement actions required new or improved third-party risk management processes, including for affiliate relationships. However, the Interagency Guidance on Third-Party Relationships: Risk Management (issued in June 2023) was not specifically mentioned in any of the actions.
As banks continue to onboard fintech or other relationships to provide new products and services to customers, it is becoming increasingly important and difficult to perform due diligence and monitoring of third parties. The guidance states, “As part of sound risk management, banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.”
Compliance management
Seven of the 11 enforcement actions included requirements to implement or enhance the Board’s compliance committee or the compliance management system. It really struck me to see so many institutions with weakened compliance programs, especially considering the regulatory onslaught that the industry has been facing for years. Most of the actions discussed the need for board and management oversight of the compliance program as well.
Liquidity risk management
Seven of the 11 enforcement actions included requirements to create a written liquidity risk management program. Liquidity risk obviously became an even hotter topic in early 2023 due to the large bank failures that had weak liquidity practices. However, many banks have not yet implemented stronger risk management policies and procedures to ensure liquidity and formalize their Contingency Funding Plans.
Interest rate risk management
Five of the eleven actions included recommendations for enhanced interest rate risk management procedures. It is surprising that so many banks did not have stronger plans in place due to the ongoing high-rate environment.
Information technology (IT) program
Two of the eleven enforcement actions discussed the need to create a written program to assess and manage the bank’s IT activities effectively and qualified IT program management. Some specific findings included deficiencies in the cybersecurity program. Information security and information technology are top of mind for most banking organizations. It’s what keeps us all up at night!
Related: 2024 Regulatory Expectations and Enforcement Actions Recap
Tips for avoiding risk management enforcement actions
The regulators each appear to be focusing their efforts in similar areas, as demonstrated by enforcement actions and also in their overlapping Supervisory Priorities. Here are some recommendations so you can review your own institution’s policies and procedures to avoid experiencing those same enforcement actions:
1. Review your third-party risk management program
Make sure that your institution has:
- A thorough initial due diligence process
- Risk assessments completed on the program and for each third-party
- Complete inventory of all third-party relationships
- Regular, risk-based monitoring of third parties, with increased scrutiny and more frequent reviews for critical or high-risk vendors, especially those with access to consumers’ personal information
- Adequate reporting of the program to the Board
2. Review, or have an independent review, of your compliance management program and/or system
The goal is to:
- Ensure you are identifying all regulatory changes that may impact your institution
- Ensure you have a compliance review process to perform periodic audits or reviews to confirm compliance standards are being maintained
- Identify any weaknesses in your findings management process
- Ensure that your change management procedures are effective
3. Review your liquidity risk management and interest rate risk management processes and risk assessments
Make sure the model risk management program is effective as well, as that can play a large role in your liquidity and interest rate management process.
4. Consider having an independent third party review your Allowance for Credit Losses and/or the CECL governance, analysis and models
Although the models do not have to be complicated, depending on the complexity of your organization, all of the data and assumptions have to be documented.
5. Cybersecurity remains a top risk concern of most financial institutions
Ensure that your policies, procedures, and risk assessments are current and are in line with FFIEC Handbook frameworks. Third-party reviews and audits, including firewall testing, social engineering testing and patch management programs, will help keep your Information Technology and Information Security ahead of the game.
Related: Six Common IT Exam Issues—and the Controls You Need to Address Them
6. Automation can create not only efficiency but also helps to ensure accuracy
Compliance management software is available to help your compliance efforts, from identifying new or changed regulations, to managing compliance in your organization. In December 2023, I saw a study showing 57% of institutions were going to make a “high” investment in managing new/changed regulations in 2024, with another 20% planning to make a “moderate” investment.
If your institution is not making the same investment, you may be falling behind.
Automation is also important for vendor/third-party risk management to ensure you are conducting the appropriate initial due diligence and regularly and appropriately managing third parties. Enterprise risk management software is also critical to avoid the silos of departmental risk in your organization.
We can learn lessons from others, so always pay attention to enforcement actions. They are often leading indicators of what you can expect at your next exam, so pay special attention to them.
Take action on your own to make sure that your institution has addressed those issues!
Find out how one bank CRO is building out his enterprise risk management function
Subscribe to the Nsight Blog
Share this
OCC: Lack of Risk Management Leads to Enforcement Actions
How Third-Party Oversight and Complaint Management Could Have Prevented an $11.5 Million UDAAP Enforcement Action—and What It Means for Your Vendor Management
