Slow economic growth, a low interest rate environment, and the threat of cyber-attacks increases the risk profile for banks of all sizes, according to a new report by the Office of the Comptroller of the Currency. Its latest Semiannual Risk Perspective details many of those risks and the responses its supervisory staff expects to see.

Rates of Return

Banks continue to reevaluate their business models and risk appetites given the challenging operating environment, the report says. Some are lowering overhead expenses, often by reductions in control functions, by exiting less profitable businesses and outsourcing critical control functions to third parties without appropriate due diligence. Banks also take on additional risks by expanding into new, less familiar, and higher risk products.

In the coming year, OCC examiners will continue to evaluate the adequacy of strategic planning and new product approval processes. Examiners will also focus on entities with significant concentrations in longer-term assets or liability structures that make them vulnerable to quickly increasing rates.

Cyber-Threats

Cyber-threats, increasing in sophistication and frequency, require heightened awareness and appropriate resources to identify, mitigate, and respond to the associated risks," the report says.The costs and resources needed to manage those risks continue to increase.

Early adoption of new technology and banks' growing reliance on third-party providers increase vulnerabilities to these attacks. Attackers also increasingly target smaller institutions they perceive to lack the resources necessary to identify and prevent attacks. Reliance on a third party to perform multiple activities, often to such an extent that it becomes an integral component of the bank's operations, also elevate operational risk and requires commensurate monitoring and management.

Bank Secrecy Act and anti–money laundering risks increase if programs fail to evolve or incorporate appropriate controls into new products and services, the OCC warns.The pace of new regulatory requirements may lead to increased operational and compliance risks for banks that don't adequately invest in control processes, systems, or staff.

Examination Priorities

Issues faced by community and mid-sized banks include: planning for management succession and retention of key staff; erosion of underwriting standards because of competitive pressures; expansion into loan products that require specialized risk management processes and skills; and the increasing use of third parties to perform operational and business functions.

OCC supervisory staff will focus on all phases of the risk management life cycle, including planning, due diligence, internal controls, reporting, contract negotiations, and ongoing monitoring. Preparation and contingency planning for operational or technology disruptions, as well as natural disasters, will remain a priority. Examiners will also consider the adequacy of BSA/AML programs to keep pace with evolving money-laundering schemes.

Risk concerns for large banks cited in the report include: BSA/AML compliance; erosion of underwriting standards; third-party arrangements; and cyber-threats.

For that tier of banks, OCC's supervisory staff will continue to focus on their progress with heightened corporate governance expectations in 2014. These  relate to the board's willingness to provide credible challenge; manage talent and compensation; and maintain strong audit and independent risk management functions.

OCC staff will continue to coordinate with the Consumer Financial Protection Bureau to assess compliance with consumer protection laws, regulations, and guidance. The adequacy of enterprise-wide compliance risk management, including BSA/AML programs, will be a priority.

The OCC risk assessment report, issued twice a year, reflects data as of June 30, 2013. Feedback can be submitted by e-mail to NRCReport@occ.treas.gov.

Topics