The OCC’s Top 5 Supervisory Priorities in 2018

The OCC’s 2018 supervision plan suggests institutional deficiencies remain a priority.

Another fiscal year, another update to the Office of the Comptroller of the Currency’s (OCC) bank supervision operating plan, which outlines the agency’s supervisory priorities and objectives for the year. And it’s not just OCC-regulated banks that should take notice.

This year’s plan, the Fiscal Year 2018 Bank Supervision Operating Plan from the OCC’s Committee on Bank Supervision (CBS), yields no surprises, carrying on the priorities of last year with just minor tweaks. The CBS is planning to develop supervisory strategies for five key areas:

  • Cybersecurity and operational resiliency
  • Commercial and retail credit loan underwriting, concentration risk management, and the allowance for loan and lease losses
  • Business model sustainability and viability and strategy changes
  • Bank Secrecy Act/anti-money laundering (BSA/AML) compliance management
  • Change management to address new regulatory requirements

The biggest addition to the list is cybersecurity, which now holds the top spot along with operational security. Last year operational security was listed third and cybersecurity didn’t merit a mention in the listing. “Examiners will review banks’ programs to determine to what extent they assess the evolving cyber threat environment and banks’ cyber resilience. Examiners will continue to use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool and follow up on any gaps identified at banks in FY 2017,” the plan says.

The other notable change is that last year’s listing of commercial and retail loan underwriting has now been expanded to include concentration risk management and allowance for loan and lease losses.

What does this consistency from year to year mean? It may, in part, be based on financial institutions failing to address requirements. As we learned from the FDIC’s Office of Inspector General report on technology service provider contracts with supervised institutions, there are widespread deficiencies across many areas, including the aforementioned OCC priorities. (See our whitepaper VENDOR MANAGEMENT STATE OF DISREPAIR: REVELATIONS FROM THE FDIC’S OIG REPORT.) If financial institutions aren’t sufficiently addressing existing issues, those items must remain on the list.

It’s not just OCC banks that need to pay attention. The agencies don’t work in a vacuum. The challenges faced by the institutions regulated by one agency are usually shared by other financial institutions outside the agency’s purview. The agencies also share a common examination supervision standard in their adoption, observance and use of publications from the Federal Financial Institutions Examination Council (FFIEC). That means when the OCC releases a list of priorities, it’s worthwhile for entities regulated by the FDIC, Fed, NCUA and state regulators to pay attention, too.

Understanding Risk

One of the biggest themes to take note of is risk. For small and midsize community banks, the OCC’s Midsize and Community Bank Supervision (MCBS) unit plans to focus on: credit underwriting, strategic risk, operational risk, market risk, allowance for loan and lease losses, horizontal risk analysis, and asset management. Large banks will see OCC examiners focus on matters requiring attention and enforcement actions, horizontal risk analysis, governance and operational risk, credit, allowance for loan and lease losses, and market risk.

The takeaway here is that for each supervision strategy, financial institutions need to be sure they have effective programs in place, especially when it comes to risk management. It has to be about more than checking boxes. They need strong management oversight, including transparency in risk levels, approval of risk and formal support approving risk levels, and ongoing monitoring of risk. Programs must be purposeful, compliant and protective of customers and their data.

Make sure your institution understands risk, has strong internal controls and that you have the tools to remain compliant in these critical areas.