Complacency and risk management don’t mix. The risk environment is constantly changing, and a financial institution’s risk assessments and controls need to change with it. Failing to keep up can expose an institution to risk without it ever knowing—until there are consequences.
Regulatory agencies like the Office of the Comptroller of the Currency (OCC) are in the business of helping financial institutions—and by extension the U.S. financial system—avoid unintended consequences. They have one eye on the risk environment and the other on FIs, making sure there is a strong connection between the two. They know where FIs are strong and where they are struggling.
Are FIs struggling to adjust to an evolving risk environment? It’s a question raised by the OCC’s Supervision Priorities for 2022. The list includes common topics we’ve seen over the past few years, including cybersecurity, operational resilience, BSA, change management, vendor management, fair lending, and other non-financial risks. It also broaches newer topics like cryptocurrency and climate risk that have been gaining traction. But perhaps most interesting is the focus on complacency.
The OCC’s first bullet point notes that examiners will focus on safety and soundness of strategic and operational planning including “guarding against complacency.”
It reads: “Examiners should ensure banks remain vigilant when considering growth and new profit opportunities and will assess management’s and the board’s understanding of the impact of new activities on the bank’s financial performance, strategic planning process, and risk profile.”
What does this mean? One good interpretation is “look before you leap.” At a time where tight interest margins are squeezing FIs and technology is offering innovative, and in some cases untested, opportunities in financial services, examiners want to see FIs actively defending their strategic initiatives and the methods they use to execute them. Yes, financial institutions need to innovate and grow, but they need to do so responsibly within a risk management framework. It’s a basic business concept, but if the OCC is sending out a reminder, it must be a message that some FIs still need to hear.
The OCC also noted they will provide periodic updates about its supervisory priorities throughout the year, including its Spring 2022 Semiannual Risk Perspective.
OCC’s Top Exam Concerns
Cybersecurity. Is your FI able to recover from a malware attack? That question will be top of mind for examiners along with threat vulnerability and detection, authentication and access controls, network management, data management, and managing third-party access. Examiners will also assess internal controls and processes that changed during the pandemic.
Related: Ransomware Emergency Guide
Vendor management. Examiners want to see strong vendor management and oversight of third-party vendors and partners, especially critical vendors. This includes cybersecurity and other risks impacting resiliency and those stemming from concentrations.
Related: The Future of Vendor Management: What the Proposed Federal Third-Party Guidance Means for Your Bank
BSA. How effective is your FI’s BSA/AML risk management system? Is it commensurate with the complexity of your business model and its products, services, customers, and geographic market? Does your FI have change management in place to implement the Anti-Money Laundering Act of 2020?
Consumer compliance. Examiners will be focused on compliance management systems (CMS). They’ll want to know if earnings pressure has resulted in cutbacks in compliance or audits and if you’re adequately managing third-party vendors.
Related: Compliance Managed: Four Ways to Streamline a CMS
Fair lending & CRA. In a surprise to no one, fair lending risk will remain a high priority. This is especially true when it comes to changes to products, services, and the operating environment as well as updates to Community Reinvestment Act (CRA) rules, including the June 2020 update. The HMDA data screening process remains a key tool.
New to the Supervisory Priorities List of 2022
Payments. Thinking of offering a new or novel payment product or service? Make sure you can demonstrate how operational, compliance, strategic, credit, and reputation risk are included in your FI’s institution-wide risk assessments and new product review processes.
Fintech/Cryptocurrency. Is your FI making significant operational changes that include cloud computing, artificial intelligence, and digitalization in the risk management processes? Make sure you can show the work that when into your risk assessments. Also if providing new innovative services, make sure they align with your FI’s strategic objectives.
Climate. The OCC is gathering data on how climate change and its financial risks can impact safety and soundness and the ability of an FI to serve its communities. Examiners will be looking at the development of climate risk management frameworks and governance process at the largest banks. Smaller FIs should be paying attention to this topic because it will ultimately become an issue for them as well.
Are you ready for your next exam? Make sure your FI is proactively managing risk and compliance.
Creating Reliable Risk Assessments
Subscribe to the Nsight Blog
Share this
NCUA Eyes Economic Environment, Change Management & Third-Party Risk With 2019 Supervisory Priorities
Regulatory News You Can Use: COVID-Related Regulations & Why Mortgage Companies Need to Start Worrying About CRA
