Kate Henry
On June 23, the National Risk Committee of the Office of the Comptroller of the Currency issued its Spring 2022 Semiannual Risk Perspective, which highlights certain economic trends and risks faced by the economic community at large and, in particular, national and community banks. The Risk Perspectives draw on mid-year and end-of-year data, respectively, and focus primarily on issues that have the potential to pose threats to the safety and soundness of banks, and potential areas for concern with respect to compliance with applicable laws and regulations.
Certain operational and compliance risks highlighted by the OCC in this report bear closer examination.
Crypto, Cybersecurity Present Operational Risks
The first area of risk highlighted by the Risk Perspective was operational risk, focusing primarily on the risks posed by increasing cybersecurity threats, third-party vulnerabilities and risks associated with innovative products and services that have been and continue to be embraced by banks to use technology to better service clients.
Michael Krebs
Cybersecurity has long posed an increasing threat to the U.S. economy. In particular, the Risk Perspective indicated that ransomware attacks on financial service industries have increased precipitously, including certain phishing attacks on company employees, distributed denial of service attacks and exploitation of weak or vulnerable authentication systems and software programs.
To mitigate the risk associated with these issues, the Risk Perspective implores banks to continue to monitor and improve upon software security and certain monitoring processes to neutralize cybersecurity threats as early as possible. Further to this end, the Risk Perspective highlights a final rule published by the Federal Reserve and the Federal Deposit Insurance Corp., effective as of May 1, with respect to establishing certain notification requirements for certain computer security incidents.
Tangential with the rising cybersecurity threat, risks inherent in the development and proliferation of new financial technology pose an operational threat to banks and banking organizations, including increased popularity of (and volatility in) the cryptocurrency space. In particular, the Risk Perspective highlights the inherent unknowns associated with new financial technology and cryptocurrency, which the OCC believes presents difficulties in protecting against operational threats.
The Risk Perspective indicates that, as the regulators continue to develop safeguards to ensure the safe and effective development of financial technologies and digital assets to better serve banks’ communities, banks should ensure that they are maintaining equally innovative methods of testing and safeguards to ensure that they are staying apprised of newly-emerging risks and threats associated with new technologies and cryptocurrencies.
The Risk Perspective also highlighted the risks associated with both delegating certain internal functions to third parties and recruiting talent commensurate with the growth of banks, especially with respect to new challenges that have arisen as a result of the COVID-19 pandemic.
In the face of a challenging hiring market, where competition for key talent is fierce, delegating certain “in-house” responsibilities to experienced third-party vendors can offer a helpful temporary or long-term solution for some banks; however, engaging with a third party necessarily increases banks’ vulnerabilities to cyberattacks and other operational risks, since these third parties are also at risk. The Risk Perspective implores banks to remain vigilant with respect to risks inherent in third party engagements.
Compliance Risks Elevated
The Risk Perspective also discusses certain compliance risks that have been elevated in recent months. These compliance risks present unique challenges to banks and require new approaches compared to those traditionally utilized in the banking industry.
One category of compliance risk relates to the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) laws. The Financial Crimes Enforcement Network (FinCEN) recently issued a notice regarding increased incidents of illicit financial activity and environmental crimes. Particularly, the COVID-19 pandemic has given rise to certain fraudulent activity related to government funds and relief programs.
Additionally, geopolitical unrest has produced rapidly evolving sanctions, putting financial institutions at risk of running afoul of such sanctions as their scope continues to change. In response to these sanctions, FinCEN has issued several notices providing guidance to banking institutions as to how to more effectively identify potential BSA/AML pitfalls and stay abreast of the most recent sanction guidance.
The Risk Perspective also indicates that banking institutions should remain vigilant with respect to risks inherent in consumer products in the financial market and should continue to focus efforts on maintaining a strong Community Reinvestment Act program. The OCC cautions banks to ensure that volatility in the markets, especially with respect to current rates of inflation, rising interest rates and continued international tumult does not affect banks’ ability to service clients efficiently and effectively.
Overall, the Risk Perspective implores banks and financial institutions to remain vigilant in their approach to risk mitigation as a general rule, and to continue to evolve and enhance their risk mitigation programs to address increasingly innovative threats to their business model and the safety and soundness of the financial system as a whole.
Kate Henry and Michael Krebs are an associate and partner, respectively, in Nutter’s corporate and transactions department. Both are members of the firm’s banking and financial services group.
