In its 2020 fiscal year bank supervision operating plan, the Office of the Comptroller of the Currency (OCC) identifies cybersecurity and operational resiliency, Bank Secrecy Act/anti-money laundering compliance management, commercial and retail credit underwriting practices, and commercial and retail credit oversight and control functions among its top supervisory priorities.
In addition to these priorities, the OCC’s supervision plan focuses on four emerging risk areas: the changing interest rate outlook on bank activities and risk exposures, preparedness for the current expected credit loss (CECL) accounting standard, preparation for the potential phaseout of the London Interbank Offering Rate (LIBOR) after 2021, and technology innovation and implementation. The focus on technology includes use of cloud computing, artificial intelligence (AI), digitalization in risk management processes, new products and services, and strategic plans.
The OCC’s supervisory strategies align with many of the strategic and operational priorities identified by financial institutions in recent surveys. For example, in Protiviti’s 2019 Global Finance Trends Survey Report, chief financial officers and finance leaders indicate their growing concerns with data security, privacy and governance, as well as their increased focus on advanced technologies such as robotic process automation (RPA), AI, blockchain, predictive analytics and cloud-based applications.
The OCC’s attention on changing interest rates comes at a time when global banks are jittery about the potential effects of a prolonged low or negative interest rate environment. Since bank activities and risk exposures are particularly vulnerable in such an environment, the agency’s move to examine more closely how interest rates affect deposit costs, funding migration, asset valuations, borrower debt service capacity and housing affordability seems appropriately timed.
The OCC’s prioritization of issues related to CECL accounting and the expected LIBOR phaseout are not a surprise. The December 15, 2019 deadline for implementing the CECL framework, a complex and detailed accounting update, is looming for public filers, with non-public entities and smaller financial institutions required to follow suit by January 2023. As financial institutions scramble to finalize their models and model documentation, including running parallel systems, testing and performing validations and updating processes and procedures, OCC examiners are preparing to scrutinize bank implementation plans and the use of third-party vendors to assist in CECL preparation activities, among other CECL-focused supervisory strategies.
Regarding LIBOR’s planned phaseout as a reference rate after 2021, the OCC plans to conduct impact assessments, correlated risk assessments, vendor management and change management reviews related to the implementation of an alternative index for pricing loans, deposits, other products and services, as well as operational and compliance risks. This regulatory focus creates additional pressures on financial institutions that already have myriad concerns over the transition to a LIBOR replacement, including how legacy contracts that reference LIBOR would be altered to reference the new rate. Anticipating document management challenges, financial institutions are seeking creative solutions to help manage the expected workload and transition risks.
While cybersecurity and operational resilience have been on the OCC’s supervisory radar for several years, the emphasis appears to have expanded. In the 2019 plan, the stated supervisory objective was maintaining information technology systems and remediating identified concerns. In the latest plan, however, the emphasis is on threat vulnerability and detection, access controls and data management, and managing third-party connections. Going forward, examinations into cybersecurity and operational resilience risks will include information technology risk management evaluation and institutions’ information technology systems maintenance.
The change in emphasis reflects a growing concern among regulators over operational disruptions, primarily cyber and technology outages, that are impacting the financial sector with greater frequency and severity. In several major financial centers, regulators are demanding that firms and financial market infrastructures (FMIs) demonstrate greater resilience as they consider regulatory and supervisory approaches that are significantly different from those used to address capital, liquidity and the other financial risks. Operational resilience, which describes the ability of a firm to withstand an adverse event and continue to provide goods and services, is now at the forefront of regulatory scrutiny around the world.
Recent conversations between regulators and the financial services industry on operational resilience are driven in large part by concerns over major cyber disruptions. As noted in Protiviti’s most recent emerging risks newsletter, PreView, the conversation among cybersecurity experts is also shifting toward response and recovery, implying that they view resilience to cyberattacks in terms of surviving them with minimal damage as opposed to preventing them altogether.
In the 2020 plan, the OCC provides more clarity on its supervisory strategies regarding BSA/AML compliance. For the coming year, the agency is prioritizing customer due diligence and beneficial ownership, determining whether BSA/AML risk management systems match the complexity of business models and products offered, evaluating technology solutions to perform or enhance BSA/AML oversight functions, and assessing the adequacy of suspicious activity monitoring and reporting systems and processes.
The latest BSA/AML supervisory strategy suggests financial institutions need to also focus on improving their AML programs to become more efficient in meeting their compliance obligations. In a recent white paper, Protiviti identified seven key areas of AML programs that institutions should focus on to achieve this goal of getting to efficient. The following enhancements should be applied to the seven key areas:
- Accurately identify customer risk
- Eliminate common inefficiencies in the KYC process
- Shift from tactical to sustainable, strategic solutions in AML program governance
- Leverage data for AML efficiency gains
- Decrease reliance on manual processes and increase the application of technology
- Optimize the anti-money laundering/terrorist financing target operating model
- Shift institutional culture
Overall, OCC resources remain focused on significant risks impacting individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, as well as identified service providers. While its objectives are similar for large bank supervision, midsize and community bank supervision, and specialty supervision departments, the OCC said its managers will differentiate based on bank size, complexity and risk profile when developing individual bank supervisory strategies. Still, financial institutions, regardless of size, should view the OCC’s supervisory plan as an important guide when setting their own risk management strategies and priorities.