Does your bank take a reactive approach to operational risk and compliance risk? If so, this approach might address issues as they arise, but the Office of the Comptroller of the Currency is concerned it could leave gaps in your ability to anticipate and mitigate future risks effectively.
That’s a key takeaway from OCC’s 2025 Bank Supervision Operating Plan, which highlights the areas where the agency’s examiners will be focusing their attention over the next year. This year’s document is loaded with new references to risk management. How should the OCC’s priorities inform your bank’s operational risk and compliance management strategies going forward?
Read on to find out.
The OCC’s supervisory priorities are now organized into three main categories: financial risk, operational risk, and compliance risk. This approach offers a clearer, more focused framework for both examiners and banks. It also reflects the evolution of the risk environment: with increased complexity in the depth and breadth of risks facing banks, the OCC has decided that more detail is needed.
Here’s a quick overview of what each area includes:
Financial risk: Here the OCC focuses on areas like credit risk, asset-liability management, and capital adequacy, assessing how banks manage market volatility, interest rates, and liquidity risks.
Operational risk: The OCC emphasizes banks’ resilience to cyber threats, third-party risk, and enterprise change management, stressing robust controls and response strategies.
Compliance risk: Priorities include BSA/AML programs, fair lending, and consumer compliance, with a focus on regulatory adherence and preventing fraud, discrimination, and misconduct.
From here, we will focus on the OCC’s operational risk and compliance supervisory priorities. While the OCC doesn’t oversee all banks and financial institutions, there’s value in viewing their actions as best practices, particularly the need for dynamic risk management strategies.
Cybersecurity is once again the top-ranked operational risk priority for OCC examiners. Preventative controls are specifically called out for the first time, with examiners instructed to focus on them along with incident response, data recovery/backup, and operational resilience. It’s all about reducing software cyber risk, including managing third-party and other external access to data. IT life cycle management is highlighted, with specific callouts for patch management and end-of-life processes.
Internal controls, including assessments of new and changed internal controls and processes, are also subject to scrutiny.
Takeaway: This focus on controls reminds us of the importance of the risk management life cycle where a bank must identify, analyze, treat, monitor, and communicate risk. Risk must be identified and analyzed before a bank can decide what controls are needed to mitigate the risk. And the only way to know if those controls need to be adjusted or changed is to measure their ongoing impact and communicate the results. It also requires the bank to continually assess risk to see if a change in risk exposure requires a change in controls.
Managing cybersecurity risk effectively requires a proactive risk management program that embraces all phases of the risk management life cycle.
Unlike years past when third-party risk was often grouped together under “operations,” this year’s priorities specifically call out third-party risk. In particular, the OCC highlights fintech relationships and the risks of working with third parties that provide consumer and business access to banking products and services. This doesn’t come as a surprise considering how many financial institutions have had regulatory issues stemming from third-party fintech and banking-as-a-service (BaaS) relationships over the past two years.
In another first, this year’s supervisory priorities specifically call out “risk management throughout all stages of the third-party risk management life cycle,” especially for critical vendors. The OCC encourages examiners to “consider structuring reviews to provide an enterprise-wide view of third-party risk management.”
What does this mean for banks? The OCC wants them to assess third-party risks from a comprehensive, organization-wide perspective rather than just focusing on individual departments or specific third-party relationships.
In practice, this means embracing the third-party risk management lifecycle, including planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
This approach helps banks understand the cumulative impact of third-party relationships and ensures that risk management practices are cohesive, effective, and aligned with regulatory expectations.
Takeaway: Evaluate your institution’s relationships with third-party vendors, specifically fintechs, and determine current or emerging operational, compliance, and reputational risks. Make sure that your vendor management program ties into your overall risk management strategy. Integrated risk management is a must.
Payments moved up a slot and is the third operational risk featured in the OCC’s 2025 supervisory priorities. Both checks and fraud were mentioned prominently. The OCC says examiners should consider how the risks of payments (operational, compliance, financial, strategic, and reputation) are integrated into bank-wide risk assessments.
Takeaway: There’s the risk management life cycle mentioned again in the form of risk assessments. Make sure your payments strategy is a part of your integrated risk management (IRM) program.
Change management, featured in previous years’ supervisory priorities, is now enterprise change management. With that change comes a new focus on internal controls – a common theme in this year’s supervisory priorities.
Enterprise change management refers to significant changes to an FI’s leadership, operations, risk management, and business activities, including use of critical third-party vendors. Examples of changes include mergers and acquisitions (M&As), system conversions, regulatory-related updates, cost control measures, new products and services, and product and service delivery changes.
Examiners are instructed to “assess the suitability of governance processes, internal control considerations for the design or redesign and implementation of effective controls, and the... maintenance of effective organizational structures when banks undertake significant changes.”
Takeaway: It’s the risk management life cycle again. As your FI undergoes significant changes in structure and operation, consider the risks of the change, review the governance and controls in place, and determine whether they need updates.
This year the section on operations is all about how banks manage “the speed and volatility of change” – essentially dynamic risk management. It’s all about how changes to the operating environment – from innovation, regulatory requirements, products and services, and the impact of using old or new technologies – can affect risk exposure.
Takeaway: Governance and risk management are clutch. Make sure they align with the size and complexity of your institution.
The OCC continues to emphasize its commitment to combatting financial crimes by evaluating banks’ Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) compliance programs and Office of Foreign Assets Control (OFAC) compliance processes.
The wording remained mostly the same year over year, though this year’s priorities also focus on “evaluating banks’ fraud identification, investigations, and suspicious activity report filing processes.”
Takeaway: Review your current risk management systems and ensure your compliance frameworks are robust and responsive to BSA updates and evolving risks. Dynamic risk management is on the horizon for BSA.
In another compliance-related update, the OCC once again addresses consumer compliance, this year emphasizing the systems and controls that ensure information about products and services is clearly and accurately communicated to consumers, including for products offered through third parties. It also wants to see how third-party compliance risk is managed.
Takeaway: Once again, the OCC is focusing on internal controls and risk management processes. Make sure your consumer compliance program is aligned with your risk management program.
The OCC continues to emphasize its commitment to addressing potential discriminatory practices and ensuring that FIs serve their communities effectively.
Takeaway: While there have been no rule changes since the 2024 update, FIs should ensure their compliance risk management is effectively working to address redlining and other risks.
Fair lending continues to be a key compliance risk area. One new point of emphasis: The OCC explicitly says it will consistently enforce fair lending laws and will make referrals to the Department of Justice and Department of Housing when necessary. It adds that banks are responsible for ensuring adequate risk management of products and services and emphasizes a “data-driven approach.”
Takeaway: Your financial institution needs to conduct fair lending risk assessments. A risk assessment can help your FI manage fair lending risks better by identifying gaps in your controls, highlighting areas of highest risk, and providing guidelines for mitigating risk.