The OCC published its Spring 2024 Semiannual Risk Perspective on June 18, 2024.
The OCC publishes the report twice a year, drawing on midyear and year-end data. Details here are quoted from the OCC publications.
Credit risk is increasing. Commercial real estate sectors, primarily the office sector and some multifamily property types, are experiencing stress due to a higher rate environment and structural changes. Office and multifamily loans, particularly those with interest-only terms, set to refinance over the next three years pose additional risk. Sticky inflation and elevated interest rates may increase consumer financial stress in some households and weigh on overall consumption growth.
From a market risk perspective, net interest margins (NIMs) are under pressure due to strong deposit competition. Trends observed, however, indicate that pressure on funding costs and NIMs may be nearing a peak. The future direction, timing, and extent of rate movements and uncharted depositor behavior present risk management challenges. Wholesale funding usage continued to grow albeit at a slower pace going into 2024. Investment portfolio depreciation improved but unrealized losses remain elevated as banks continue to increase asset liquidity and interest rates remain elevated.
Operational risk is elevated. The financial industry is responding to an evolving and increasingly complex operating environment. Cyber threats continue as malicious actors target the financial services industry and their key service providers with ransomware and other attacks. Increasing digitalization, new and innovative product and service adoption, and third-party use increase bank operating environment complexity, creating both opportunities and risks. Continued check and wire transfer fraud and increased payment fraud incidents both underscore the importance of fraud risk management.
The report highlights the necessity of firmwide resilience efforts as risks may be interconnected and events could simultaneously affect multiple risk categories. It is crucial that banks establish an appropriate risk culture that identifies potential risk, particularly before times of stress.
Each stress event may vary (e.g., operational, liquidity, credit, compliance, and other) and resiliency implications need to be proactively considered.
Prudent planning from a firmwide perspective can enhance a bank’s ability to maintain operations, remain financially sound, and service customers in times of stress.
SPECIAL TOPIC – FIRMWIDE RESILIENCE EFFORTS
- Proactively responding to credit risk
- Financial resilience through contingency planning: liquidity risk management and capital planning
- Operational Resilience and Business Continuity Planning
Ensuring Compliance during a Disruptive Event
- Compliance risk management programs should consider operational resilience and the bank’s ability to deliver products and services during disruptions, while ensuring compliance with consumer protection laws and regulations.
- The identification and management of compliance risks related to third-party relationships are vital to operational resilience. It is important that banks implement secure and resilient information systems that can enhance their ability to withstand disruptions or failures, including those that can adversely affect compliance management.
Operational Risk
Operational risk remains elevated as continuing cyberattacks and current geopolitical tensions contribute to a heightened risk environment. Cyberattacks continue to evolve and become more sophisticated and pervasive throughout the financial sector. Cyber risks pose significant financial sector and broader U.S. economy threats. It is essential that OCC banks maintain heightened threat monitoring and effective controls to safeguard against disruptive financial sector attacks.
Threat actors continue to exploit publicly known software vulnerabilities and weak authentication controls at targeted organizations, including banks and financial service providers. To mitigate against cyber risks, it is important for banks to adopt heightened threat and vulnerability monitoring processes and implement effective security measures, including the use of multifactor authentication (MFA), hardening of systems configurations, and timely patch management. Effective backup of critical data that are both physically and logically segmented from production systems is essential for response and recovery from cyber threats.
The OCC continues to see cybersecurity incidents that exploit weak or poorly configured authentication controls and practices. Recent attacks suggest that banks using single-factor authentication or relying on weak security methods may face increased risk of unauthorized access to information systems, potential operational disruption, data compromise, or financial loss. The OCC encourages banks to conduct thorough risk assessments that include authentication practices. When consistently implemented, properly configured, and combined with other layered security controls, MFA can provide an enhanced level of protection and help prevent attacks on bank systems.
Operational Resilience
An effective operational resilience strategy can enhance a bank’s ability to mitigate disruption from hazards, including cyber threats, and other technology and operational outages. Testing and validation of operational resilience plans are critical to enable banks to respond to disruptions in a manner consistent with their risk appetite. To ensure contagion risk from third parties is appropriately mitigated, clear expectations should be in place for testing and certification that a cyber event at a third party has been remediated to establish confidence in reconnecting that third party’s systems. Refer to Part I: “Special Topic – Firmwide Resilience Efforts” for further discussion.
INNOVATION AND ADOPTION OF NEW PRODUCTS AND SERVICES
Banks continue to leverage new technology and innovative products and services to further their digitalization efforts and to meet evolving customer expectations. These products and services and their underlying technologies can offer many benefits to banks and their customers. They also contribute to a complex operating environment along with increasing compliance, reputational, strategic, and other risks.
Effective adoption of new and modified services includes appropriate due diligence, enterprise change management, and risk management processes when considering changes to products, services, and operating environments. Where operational changes or increased complexity occur, assurance functions, such as audits, should be considered as part of planning, implementation, and ongoing monitoring.
Many banks and service providers face challenges with maintaining legacy technology architectures while responding to increasing digitalization demands. It is important for banks to maintain an effective technology architecture strategy, commensurate with the size and complexity of products, services, and operations being supported. This should include processes for managing and mitigating risks from technology assets that have reached their end of life.
Banks have generally approached artificial intelligence (AI) adoption cautiously. AI types and uses vary widely, resulting in a wide range of potential benefits and risks.
The use of AI has the potential to reduce costs and increase efficiencies, improve products, services, and performance; strengthen risk management, and expand access to and increase fairness in credit and other banking products and services.
AI can also present challenges, including compliance and operational risks (e.g., fraud). Banks may partner with one or more fintechs to distribute banking products or services to end users, which can lead to increased risks, including increased complexity in the operational environment.
Banks should maintain prudent risk management practices when considering crypto-asset products, services, and activities given the characteristics of the crypto-asset market, including high volatility, high risk lending, excessive leverage, interconnectedness, concentration within major players, and lack of comprehensive regulation.
Banks are reminded to follow the process outlined in OCC Interpretative Letter 1179 before engaging in certain cryptocurrency, distributed ledger, and stablecoin activities.
FRAUD RISK MANAGEMENT
Fraud targeted against banks and their customers continues to grow. Sound risk management practices can help safeguard against fraud, financial crimes, and operational errors. While traditional payment channels, such as checks and wire transfers, continue to be targeted, increasing digitalization of products and services can also heighten risk of fraud and error, including fraud targeting peer-to-peer (P2P) and other faster payment platforms. While P2P payment platforms can provide enhanced capabilities and convenience to consumers and other users for managing payments, the faster and more streamlined payment capabilities and the irreversible and irrevocable nature of these payments have also been used to perpetuate fraud.
Banks can support customers by strengthening controls, educating customers on potential scams, and enhancing internal fraud monitoring capabilities. Additional fraud risk discussion is also noted in the “Consumer Compliance” section herein.
THIRD-PARTY RISK MANAGEMENT AND OTHER OPERATIONAL RISKS
It is important that banks remain vigilant in managing third-party and other operational risks. Digitalization and technological innovation continue to advance the trend of banks and trust companies outsourcing technology operations and entering partnerships or other arrangements with third parties, including fintechs, related to the delivery of financial products and services.
Effective management and oversight are important for third-party relationships. Third-party risk management processes should be commensurate with the size, complexity, and risk profile of the bank and with the nature of the third-party relationship. It is also important for banks to engage in more rigorous oversight of third-party relationships that support higher-risk and critical activities. Implementing an appropriate governance framework and establishing an effective system of controls will help guard against complacency and ensure fundamental risk management practices remain sound. The OCC, along with the Federal Reserve System and the Federal Deposit Insurance Corporation, issued guidance to assist community banks in developing and implementing third-party risk management practices. Although the guide is designed for community banks and discusses community bank relationships, it may be useful for all banks.
COMPLIANCE RISK – BSA/AML AND OFAC COMPLIANCE RISK
In January 2024, FinCEN issued a Financial Trend Analysis on identity-related suspicious activity in BSA reports filed in 2021. The analysis found that 42 percent, or 1.6 million, of the BSA reports filed that year related to identity exploitation including fraud, false records, identity theft, third-party money laundering, and circumvention of identity verification standards. The report noted that the perpetrators of identity-related suspicious activity used at least 14 typologies, the most reported of which was general fraud.
Additionally, attackers most frequently use impersonation tactics and compromised credentials during authentication. These findings emphasize the critical importance of effective customer identification and verification processes, at account opening and throughout the banking relationship.
Current Customer Due Diligence Rule and other existing BSA requirements for banks remain unchanged pending the issuance of changes to those regulatory requirements required by the Anti-Money Laundering Act of 2020. The December 2023 Interagency Statement for Banks on the Issuance of the Beneficial Ownership Information Access Rule highlights that banks that access the FinCEN Beneficial Ownership Information (BOI) database are not required to incorporate BOI obtained from the database into their risk-based BSA compliance programs at this time. FinCEN’s recently issued Access Rule does not create new regulatory requirements or supervisory expectations for banks. However, any access to and use of BOI obtained from the BO IT System must comply with the requirements of the Corporate Transparency Act (CTA) and the Access Rule.
Fraud continues to be a significant risk for banks. Effective processes to prevent, identify, and file SARs on fraudulent activity in a timely manner remain important to protect both banks and consumers, especially since fraud is one of FinCEN’s national priorities. Banks are reminded to monitor staffing and expertise levels in response to potentially elevated fraud risk while maintaining effective BSA/AML risk management controls (e.g., customer due diligence updates, timely investigations, and SAR filings).
Banks are implementing innovative technology, often through fintech partnerships, in order to remotely deliver banking services, develop new products designed to make payments faster and easier, enhance product and service delivery, and improve financial crime detection and reporting. Banks must effectively manage the resulting operational and compliance risks, including third-party risk management.
Banks must continue to monitor world events that could introduce new or updated financial sanctions programs, including new sanctions applicable to customers, sectors, or geographies that might alter a bank’s risk profile. Additionally, banks must remain vigilant of increased attempts to evade sanctions, which may require SAR filings.
CONSUMER COMPLIANCE AND COMMUNITY REINVESTMENT ACT AND FAIR LENDING
Banks are operating in a dynamic banking environment because of changing customer needs and preferences related to products, services, and delivery channels. In response to the changes in customer needs and preferences, banks offer new, modified, or expanded products, services, and operational structures. Risks are compounded if products and services, including changes, are not delivered or implemented in a fair and equitable manner.
It remains important for banks to maintain compliance risk management frameworks that are commensurate with their risk profiles and capable of growing and evolving as their risk profiles change.
Banks should maintain effective internal controls to ensure compliance with the Flood Disaster Protection Act and its implementing regulations. Banks that service federally related mortgage loans should ensure escrow programs and loss mitigation processes remain in compliance with the Real Estate Settlement Procedures Act (Regulation X).
As banks work to process checks and other payments in a safe, fair, and efficient manner, check and wire fraud and P2P transaction scams have become more prevalent. Banks should continue to timely investigate and resolve, in accordance with applicable laws, such as the Electronic Fund Transfer Act/Regulation E and the Expedited Funds Availability Act/Regulation CC, as this could assist with mitigating scams.
Banks may face elevated Unfair or Deceptive Acts or Practices (UDAP) risk from multiple areas, including related to bank actions in response to increases in the volume of fraud incidents and to changes in overdraft practices. It is important for banks to appropriately manage UDAP risk in connection with implementation of policy and procedures changes (e.g., fees, customer disclosures and other communications) and to engage in appropriate pre- and/or post-implementation testing.
Banks continue to increase their use of AI and machine learning in customer service, underwriting, and lending operations. While most banks recognize the need to monitor and adjust the models for credit risk, compliance risk increases when banks fail to recognize and appropriately manage the fair lending risk associated with these models. An effective fair lending risk management program includes understanding fair lending laws and regulations and maintaining effective processes, procedures, testing, and monitoring systems to identify, manage, and mitigate potential fair lending risks.
CLIMATE-RELATED FINANCIAL RISK
The United States experienced, on average, a billion-dollar weather and climate-related disaster every three weeks in 2023 versus every four months in the 1980s (adjusting for consumer price index).
Natural disasters can create indirect effects such as infrastructure damages, supply chain disruption, drops in crop yields, and labor productivity loss, which could lead to revenue reduction or increased costs for bank borrowers and inflationary pressure. Intensified natural disasters and chronic weather pattern shifts coupled with insurers withdrawing from higher-risk markets and/or raising insurance costs could pose increased risks to banks.
Local government policies to reduce greenhouse gas emissions from large commercial buildings can lead to higher costs from retrofits or fines for noncompliance, compounding the effects of other rising costs.
As noted in our fall 2023 Semiannual Risk Perspective, the OCC has been conducting discussions with the largest banks (those with more than $100 billion in total assets) to understand the banks’ climate-related financial risk management programs. This work continues in 2024.
A current observation from these reviews notes that banks are at an early stage in analyzing the effects of insurance affordability and availability challenges. Some of the bank practices observed include the following:
- Considering impacts of changes in insured limits or deductibles, premium increases, or lack of coverage availability in climate scenario analysis and credit risk assessments for commercial and residential real estate portfolios
- Exploring the use of granular insurance coverage data in climate-related scenario analysis
- Monitoring lender-placed insurance policies as a percentage of overall policies in the mortgage portfolios
- Identifying consumer lending geographies that could experience higher flood insurance premiums