The OCC’s Risk Outlook

This week the Office of the Comptroller of the Currency (OCC) published its Semiannual Risk Perspective, which gives bank compliance officers and risk managers an important glimpse into the federal banking agency’s current outlook on risk.

Here is a brief summary of the report.

The Basics of the OCC’s Semiannual Risk Perspective

Every six months, the OCC’s National Risk Committee (NRC) issues the agency’s Semiannual Risk Perspective. According to the introduction to the Perspective, the NRC is made up of senior OCC supervisory and policy officials who meet quarterly.

The NRC is responsible for monitoring “the condition of the federal banking system and identifying key risks,” as well as monitoring emerging threats.

This Spring 2018 Semiannual Risk Perspective was published on May 24, 2018, and is based on data as of March 31, 2018, except where otherwise noted.

Overall Report Card

The Perspective’s Executive Summary provides an overall status of the banking system:

  • Condition of Federal Banking System: Strong
  • Comparison of System’s Condition: 2017 and 2018 show improvement over 2016
  • Economic Environment: Supports loan growth and profitability
  • Asset Quality: Sound
  • Capital and Liquidity: Near historical highs
  • Earnings: Improving
  • Overall Risk Management Practices: Incrementally improving

On Operational Risk

The OCC reports that “Operational Risk is elevated as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”

Specific threats to operational risk include the following:

  • Ever increasing threat of cyber attacks
  • Growing bank reliance on third-party vendors to perform critical functions
  • Concentration of third-party risk due to the “consolidation among large technology service providers”
  • Evolving business and operating models that include new delivery channels, products, and services

On Compliance Risk

The OCC warns that Compliance Risk “remains elevated,” with particular concern in the following areas:

  • Bank Secrecy Act (BSA) Compliance Challenges: The combination of the “dynamic nature” of money laundering along with “evolving delivery channels” makes complying with the BSA difficult. The OCC warns banks that are “engaging in such offerings” to refine and update their BSA compliance programs to ensure they are adequately mitigating the associated risks.
  • BSA and Anti-Money Laundering (AML) Compliance Risk Management Systems: The OCC notes that such BSA/AML risk management systems “often do not keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes.”
  • OFAC Sanctions: The OCC questions whether bank OFAC compliance programs are keeping pace with the increasing number and complexity of sanctions programs.
  • Overall Regulatory Complexity: The number of amended regulations and/or highly complex requirements continues to present challenges for banks.
  • Specific Complexity of TRID: The OCC acknowledges the continued bank struggle to incorporate the Truth-in-Lending RESPA Integrated Disclosure (TRID) forms.

On Interest Rate Risk

The OCC states that, “There is uncertainty in how bank deposits will react to increasing interest rates. Banks may experience unexpected adverse shifts in liability mix or increasing costs that may adversely affect earnings or increase liquidity risk.”

Read the OCC’s complete Semiannual Risk Perspective for Spring 2018 for an even more in-depth analysis of the current state of banking in the United States.

FFIEC Weighs In on Cyber Insurance

Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement regarding cyber insurance from its member agencies: the Board of Governors of the Federal Reserve System (FED), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC indicated that the purpose of the statement was “to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.”

Why Now

While the statement specifically states that it does not contain “any new regulatory expectations” and that cyber insurance is not required by any member agencies, it also describes various factors in the existing environment that call for broader awareness, and the possible acquisition, of cyber insurance:

  • The ever-growing threat of cyber attack: Symantec’s Internet Security Threat Report of March 2018 provides additional context for this factor: “With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.”
  • Possible inadequacy of general insurance policies: The FFIEC notes that, “traditional insurance policies for general liability or basic business interruption coverage may not fully cover cyber risk exposures without special endorsement or by exclusion not cover them at all.” In addition, “coverage may also be limited and not cover incidents caused by or tracked to outside vendors.”
  • Evolution of cyber insurance marketplace: As cyber attacks grow and evolve, so too does this particular segment of the insurance marketplace.
  • And everything is at risk: The FFIEC warns that nearly every aspect of a financial institution can be harmed by cyber attacks: its financial footing, operational status, legal posture, compliance adherence, strategic plan, and reputation.

First-party Coverage Versus Third-party Coverage

The FFIEC notes that cyber insurance can be structured in multiple ways, from a stand-alone policy to a specific cybersecurity endorsement added to an existing policy. It also explains the difference between first-party and third-party coverage:

  • First-party coverage: “Insures direct expenses incurred by the insured party and may address costs related to customer notification, event management, business interruption, and cyber extortions” (i.e., ransomware attacks).
  • Third-party coverage: “Protects against the claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents at financial institutions.”

Analyzing the Need for Cyber Insurance

For institutions trying to determine whether or not they need cyber insurance, the FFIEC recommends the following actions:

  • Ensure all key parties are involved in the decision-making process: This includes representatives–with expertise and authority–from legal, risk management, finance, information technology, and information security.
  • Conduct appropriate due diligence: This covers both internal due diligence (i.e., compare what you currently have with what you need to fill any insurance gaps) and external due diligence (i.e., examine and analyze possible cyber insurance vendors as you would other third-party vendors).
  • Review cyber insurance needs periodically: The FFIEC recommends including cyber insurance in your annual insurance review and budgeting process.

The Final Word

The FFIEC makes it clear that while cyber insurance can help protect financial institutions, it does not relieve them of their information security obligations. “Purchasing cyber insurance does not remove the need for a sound control environment,” which “may be a component of a broader risk management strategy.”

SEC Issues Interpretive Guidance on Cybersecurity Disclosures

By Mary Crotty, freelance writer for banks and third-party service providers

Despite our best efforts, cyber attacks continue to plague U.S. businesses, including those in the financial services industry. Even large and globally sophisticated entities fall prey, as witnessed by the Equifax breach last summer. Just as advancements in science often require new ethical standards, the latest developments in and incidents of cybercrime often result in new or updated regulatory guidance.

Although the Interpretive Guidance on cybersecurity posted in the Federal Register yesterday by the Securities and Exchange Commission (SEC) does not mention the Equifax breach, its focus on disclosure requirements and director/officer/insider ethics suggest that last summer’s extensive and embarrassing incident at one of the three major credit reporting agencies may have influenced the content and timing of this guidance.

Setting the Stage

In explaining its reason for issuing the February 26, 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC notes that, “In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.”

It goes on to note that, “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” While this reliance on data and technology spurs growth and opportunity in our world, it also exposes organizations to the risk of harm to, or theft of, both. The preventative and mitigation efforts used to fight cybercrime exact a heavy cost.

Therefore, “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber attack.”

Expansion of 2011 Guidance

This latest guidance expands upon original SEC guidance on cybersecurity disclosures issued in October 2011. The guidance published and effective as of February 26, 2018, discusses two topics not specifically covered in that 2011 guidance:

  1. Disclosure Policies and Procedures: “This release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities law.”
  2. Director/Officer/Insider Ethics: “We also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”

More from the SEC Cybersecurity Disclosure Guidance

In addition, the guidance indicates the following:

  • The SEC understands that not all information may be initially available or that an investigation may still be in progress. “However, an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
  • Companies bound by this guidance are required to correct previous disclosures as needed due to additional or different information coming to light.
  • There is a list of factors that can help a company evaluate its cybersecurity risk for disclosure purposes, including, but not limited to, the severity and frequency of past cyber incidents, the probability and potential magnitude of future occurrences, and the adequacy of preventative measures.
  • The financial impact of cybersecurity incidents and defense measures must be “incorporated into financial statements on a timely basis.”

Cybersecurity Should Be a Priority for All Businesses

Public companies regulated by the SEC are not the only ones at material risk from cybercrime. In today’s world, all companies are at risk, including community banks, credit unions, regional banks, and national and multi-national financial institutions. The cost of defending against cybercrime may be high, but the cost of not doing so is potentially much higher.

OCC Warns Banks Against Complacency

By Mary Crotty, Freelance Writer for Banks and Third-Party Service Providers

Twice a year the Office of the Comptroller of the Currency (OCC) releases a summary of current and emerging risk trends for the banking system. The OCC’s latest “Semiannual Risk Perspective for Fall 2017” (Perspective) was published last Friday, January 18, and is based on financial data compiled and analyzed through June 30, 2017.

While noting a strong economy and continued improvement in overall bank performance, the Perspective does sound some warning bells. “The current operating environment presents strategic risk for many banks in increasingly diverse ways. Thus, this report emphasizes the need for vigilance by bank management at this point in the economic cycle.”

OCC-Noted Risk Areas

  • Credit Policy and Practices: The OCC warns that banks are slowly loosening their commercial credit underwriting practices due to increased competition. It also noted an increased concentration in Commercial Real Estate (CRE), a trend it noted could hurt the entire financial system if not monitored and checked.
  • Cybersecurity Programs: Cyber criminals continue to evolve their methods and tools faster than bank cybersecurity programs can keep up.
  • Vendor Management Programs: Banks’ increasing reliance on third-party service providers, especially for critical functions, continues to concern the OCC.
  • Bank Secrecy Act (BSA) Compliance: Just like cybercrime, money laundering continues to evolve into an ever more complex crime that creates significant problems for banks. The OCC warns that banks are struggling to comply with the BSA, even before the related Customer Due Diligence (CDD) Final Rule goes into effect on May 11, 2018.
  • Consumer Protection Compliance: According to the Perspective, consumer compliance risk management continues to be an issue for banks “due to the increasing complexity in consumer compliance regulations.”
  • Current Expected Credit Loss (CECL) Model: The OCC also warns that the “current expected credit losses standard for which implementation begins in 2020 may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”

Avoid Complacency

The Perspective reads like a road map for determining what areas will receive the most attention during upcoming regulatory examinations. There are two things your bank can do right now to improve its performance on such examinations:

  1. Review the following policies and make sure processes and procedures reflect any updates: Credit Policy, Cybersecurity Policy, Vendor Management Policy, Bank Secrecy Act Policy, UDAAP Policy and other consumer protection policies.
  2. Reiterate your bank’s policy stances by communicating them with your employees.