Risk and cybersecurity remain top supervisory priorities at the Office of the Comptroller of the Currency (OCC) for a second year in a row, the agency reports in its latest supervision operating plan.
The Fiscal Year 2019 Bank Supervision Operating Plan Office of the Comptroller of the Currency Committee on Bank Supervision lists five top concerns. They include:
Cybersecurity and operational resiliency. This year the OCC is emphasizing maintaining information technology systems and remediating identified concerns. Last year the topic was listed without such details.
Commercial and retail credit. In addition to last year’s concerns of underwriting, concentration risk management, and the allowance for loan and lease losses, the OCC specifically mentions preparations for the current expected credit losses accounting rule. It also calls out credit risk management.
Bank Secrecy Act/anti-money laundering (BSA/AML) compliance. Climbing the ranks from number four last year to number three this year, the OCC will emphasize determining whether AML compliance programs keep pace with changing risk environments and regulatory developments. Last year the OCC simply mentioned “compliance management.”
Consumer-compliance related change management process. Up from number four, this year change management emphasizes consumer compliance instead of broad change management. The OCC will emphasize implementation of regulatory requirements, including the Home Mortgage Disclosure Act, the integrated mortgage disclosure requirements under the Truth in Lending Act and Real Estate Settlement Procedures Act, and the Military Lending Act.
Internal controls and end-to-end processes necessary for product and service delivery. New to the list this year, the OCC says this may include emphasis on implementation of new or revised products or strategic partnerships. This item replaces business model sustainability and viability and strategy changes, which was number three on the list last year.
The Role of Risk Assessments & Controls
The OCC says that regulated institutions should focus their resources on “significant risks” while “considering reasonable cover of other areas.” In order for this to happen, an institution needs to conduct thorough risk assessments so it can identify its most substantial risks and determine where to use its risk management resources.
Those resources include controls, the OCC says. Control functions should leverage audit, loan review, and risk management processes when possible.
The agency will once again be engaging in horizontal risk assessments at times to get a more complete view of the industry. The agency defines a horizontal risk analysis as “Recommending, facilitating, informing, and reporting on horizontal initiatives, ensuring review findings are disseminated and incorporated, as appropriate, for consideration in future bank supervision strategies and agency policies.”
The takeaway here is that for each supervision strategy, financial institutions need to be sure they have effective programs in place, especially when it comes to risk management. It has to be about more than checking boxes.
Make sure your institution understands risk, has strong internal controls and that you have the tools to remain compliant in these critical areas.