We all know that risk management is an important part of financial institution governance. It’s also a source of enforcement actions.
In the third quarter of 2023 alone, the banking agencies issued enough actions nationwide to talk about for hours!
Reviewing the enforcement actions and fines levied against banks, I noticed some trends worth sharing. Here are some common threads from the 11 OCC, Federal Reserve, and FDIC enforcement actions from the third quarter of 2023.
Five of the 11 enforcement actions required new or improved third-party risk management processes, including for affiliate relationships. However, the Interagency Guidance on Third-Party Relationships: Risk Management (issued in June 2023) was not specifically mentioned in any of the actions.
As banks continue to onboard fintech and other relationships to deliver new products and services to customers, due diligence and ongoing monitoring of third parties are becoming both more important and more difficult. The guidance states, “As part of sound risk management, banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.”
Seven of the 11 enforcement actions included requirements to implement or enhance the Board’s compliance committee or the compliance management system. It really struck me to see so many institutions with weakened compliance programs, especially considering the regulatory onslaught that the industry has been facing for years. Most of the actions discussed the need for board and management oversight of the compliance program as well.
Seven of the 11 enforcement actions included requirements to create a written liquidity risk management program. Liquidity risk obviously became an even hotter topic in early 2023 after the failures of several large banks with weak liquidity practices. Even so, many banks have not yet implemented stronger risk management policies and procedures to ensure liquidity and to formalize their Contingency Funding Plans.
Five of the 11 actions included requirements for enhanced interest rate risk management procedures. It is surprising that so many banks did not have stronger plans in place given the ongoing high-rate environment.
Two of the 11 enforcement actions required a written program to assess and manage the bank’s IT activities effectively, along with qualified management of that IT program. Specific findings included deficiencies in the cybersecurity program. Information security and information technology are top of mind for most banking organizations. It’s what keeps us all up at night!
The regulators each appear to be focusing their efforts on similar areas, as demonstrated by the enforcement actions and by their overlapping Supervisory Priorities. Here are some recommendations for reviewing your own institution’s policies and procedures so you can avoid the same enforcement actions:
Make sure that your institution has:
The goal is to:
Make sure the model risk management program is effective as well, as that can play a large role in your liquidity and interest rate management process.
The models do not have to be complicated (their sophistication should match the complexity of your organization), but all of the data inputs and assumptions behind them must be documented.
Ensure that your policies, procedures, and risk assessments are current and in line with the FFIEC IT Examination Handbook frameworks. Independent third-party reviews and audits, including firewall testing, social engineering testing, and a review of your patch management program, will help keep your information technology and information security program ahead of the game. Track every finding from those reviews through to remediation and feed it back into your risk assessment; an open finding with no documented owner or due date is exactly what an examiner will cite.
Compliance management software is available to support your compliance efforts, from identifying new or changed regulations to managing compliance across your organization. In December 2023, I saw a study showing 57% of institutions were going to make a “high” investment in managing new/changed regulations in 2024, with another 20% planning to make a “moderate” investment.
If your institution is not making the same investment, you may be falling behind.
Automation is also important for vendor/third-party risk management, to ensure you are conducting appropriate initial due diligence and then monitoring each third party on a regular basis that matches its risk. Enterprise risk management software is also critical to break down departmental risk silos in your organization.
We can learn lessons from others, so always pay attention to enforcement actions. They are often leading indicators of what you can expect at your next exam.
Take action on your own to make sure that your institution has addressed those issues!