Nsight Blog | Ncontracts

Operational Risk and Compliance: What're Examiners Looking for in 2023

Written by Rafael DeLeon | Jan 12, 2023 3:00:00 PM

When it comes to regulatory compliance and exam preparation, the agencies and their examiners don’t secretly guard the formula to success. 

In addition to the tried-and-true expectations that remain constant from year to year, each year the agencies also highlight key areas that will be drawing additional scrutiny.  

On the financial side, we know examiners will be paying close attention to credit modeling, ensuring that financial institutions are prepared for changing economic conditions, including high inflation, rising interest rates, worries over a potential recession, and geopolitical conditions. 

In this blog, we’ll focus on the operational risk and compliance supervisory priorities highlighted by the Office of the Comptroller of the Currency in its Fiscal Year 2023 Bank Supervision Operating Plan and Fall 2022 Semiannual Risk Perspective.

While these non-financial risks are brought up by the OCC, all banks and credit unions can benefit from reflecting on these supervisory priorities, since many are shared by other agencies and managing them correctly is a best practice for financial institutions that value safety, soundness, and resilience.

HR is a safety and soundness risk. Strong governance includes effectively recruiting, training, and retaining staff while addressing succession planning. The OCC points out that these HR failures could result in noncompliance, consumer harm, and missed audits and reviews.  

Operational resilience & cybersecurity. Operational resilience remains an ongoing concern, especially incident response and business resumption plans with a focus on data backup. IT and cybersecurity are about identifying, detecting, and preventing threats and vulnerabilities. The name of the game is governance and having processes for technology investment and implementation.

In its Fall 2022 Semiannual Risk Perspective, the OCC noted an increased number of ransomware attacks targeting banks’ third-party service providers over the past few months.  

Managing third-party vendor and fintech relationships. Are the risks of each third-party vendor relationship worth the rewards? That’s the question examiners want banks to answer when evaluating individual third-party relationships and the aggregate concentrations. Examiners want to see banks identify the specific risks of each relationship, ask whether the third party has sufficient staffing to meet its contractual obligations, and take a close look at the third party’s cybersecurity and resilience.

Consumer compliance requires having a compliance management system (CMS). Examiners will focus on compliance management systems, including complaints management and how new products, services and delivery channels are built in a compliant manner – including how they relate to UDAAP. Compliance staffing will also draw examiner scrutiny, including size, expertise, and training of staff and use of outsourcing.  

Hot compliance topics include BSA/AML/OFAC, CRA & fair lending. Examiners want to see adequate risk management in these areas, including commensurate compliance management systems that address regulatory change. Compliance risk remains elevated. 

New products & services require a deep dive into strategy. Examiners will be looking to understand the thought process behind any new product or service offerings, especially in areas like payments and fintech and digital assets. This includes cloud computing, artificial intelligence, digitalization of risk management processes, and engaging in banking-as-a-service arrangements. 

Climate risk data collection continues. The OCC will continue to gather data about climate-related financial risk, especially at larger banks. 

 

Takeaway: Common themes in supervisory priorities  

Taking a closer look at these supervisory priorities, a few themes become clear. 

You’re not the only one worried about staffing. Staffing comes up several times. The OCC recognizes staffing plays a major role in a bank’s ability to remain compliant and adequately manage risk. It’s not enough for a bank to have enough well-trained staff. Banks are also expected to ensure that third-party service providers have the staff necessary to deliver on the products and services promised.

Vendor management is a big deal. From cyberattacks aimed at financial institutions’ service providers to vendors, fintechs and other third-party partners offering innovative solutions, the OCC expects to see detailed evaluations of potential third-party vendors, fintechs and other partners. 

Change management is clutch. From evolving OFAC sanctions lists to tweaks to CRA to adding new products and services that require analysis of applicable laws and regulations, financial institutions need strong change management systems that can keep pace. Without strong change management processes, mistakes leading to non-compliance are more likely.  

 
