Most lenders immediately think of financial and credit risk—but that’s just one area. Poor risk management can also be an unsafe and unsound banking practice as the Office of the Comptroller of the Currency (OCC) has reminded us in its consent order against Cenlar FSB.
Cenlar, located in Ewing, N.J., is a $1.1 billion wholesale bank that services more than $3 million mortgage loans from more than 150 banks, credit unions, and mortgage bankers. It’s the largest mortgage sub-servicer in the country and the second largest mortgage servicer.
In a consent order, the OCC says Cenlar came up short when it came to internal controls and exam findings.
Related: What Are Examiners Looking for in 2023? A Look at the OCC and Operational Risk and Compliance
What went wrong?
Underwhelming internal controls and risk management practices. Every guidance on risk management says that it should be commensurate with a bank’s size and complexity. In the case of Cenlar, the OCC said the bank’s internal controls and risk management practices were inappropriate for the bank’s current risk profile and size of its mortgage sub-servicing portfolio—an unsafe or unsound practice.
The shortfalls appeared in every part of the risk management lifecycle and included:
Ignoring exam findings. The OCC had identified and communicated these shortcomings in previous exams, but the bank failed to take timely corrective actions to remediate its deficiencies and unsafe or unsound practices, the OCC says.
The regulatory agencies are never happy when they identify deficiencies, and they are even more frustrated when they identify deficiencies and an institution fails to take corrective action. Perhaps that’s why their consent order requires so many detailed steps and a surprisingly short timeline of 30-60 days.
Here are the corrective action steps the OCC included:
Appointing a compliance committee responsible for monitoring the implementation and completion of all issues addressed in the consent order.
Developing an action plan detailing how the problems will be fixed, a remediation timeline, and who will be responsible for ensuring its completed. The OCC must approve this plan.
Developing and implementing a system of internal controls program commensurate with the types and complexity of risks associated with all transactions the bank executes.
Developing and implementing a default operations program with respect to loss mitigation, foreclosure, and claims activities. (This is something I’ve never seen in a consent order before.)
Developing, implementing, and maintaining an IT risk management program that addresses all deficient IT-related practices identified in any supervisory or regulatory communication, internal audit report, second line quality testing, and client audit notification. It also reminds the bank that it’s also responsible for any IT functions it outsources.
Board oversight of remediation. The must “verify that the Bank adheres to the corrective actions and they are effective in addressing the Bank’s deficiencies that resulted in this Order.”
This consent order is an important reminder that poor risk management can get banks of all sizes in trouble. Often banks, credit unions, or mortgage companies see a consent order or enforcement action for a large financial institution and think that FI got in trouble because of its huge size. “Of course they need a risk management program,” they think. “A big FI faces large risks.”
But the size of a risk is relative—which is why risk management guidance allows FIs to tailor their risk management programs to their size and complexity. An activity that threatens the safety and soundness of a $1 billion bank, may not register an impact on a $1 trillion bank—but that doesn’t make it any less of a threat to the smaller bank.
Every FI faces risks, and every FI needs an appropriate risk management program to identify, assess, monitor, mitigate, and report on those risks. Failing to do so can take down an entire FI, whether due to regulatory intervention or other pitfalls.
Don’t think that your financial institution doesn’t need an organized risk management program. Take it from me, a former examiner: It does.