OCC Report: Cybersecurity and Money Laundering Threats are the Key Risks Facing Banks
Last week, the Office of the Comptroller of the Currency (“OCC”) released its semiannual risk report (“Report”) highlighting credit, operational, and compliance risks to the federal banking system. The Report focuses on issues that pose threats to the financial institutions regulated by the OCC and is intended to be used as a resource by those institutions to address the key concerns the OCC identifies. Specifically, the OCC places cybersecurity and Anti-Money Laundering (“AML”) among the top concerns highlighted in the Report. The Report further observes that the total number of enforcement actions by the OCC against banks — instituted for any kind of alleged violation — has declined steadily since peaking in 2009.
The OCC called for banks to remain vigilant against the operational risks that arise from efforts to adapt business models, transform technology and operating processes, and respond to increasing cybersecurity threats. The OCC stated that:
“The speed and sophistication of cybersecurity threats are increasing. Banks continually face threats seeking to exploit bank personnel, processes, and technology. These threats target large quantities of personally identifiable information and proprietary intellectual property and facilitate fraud and misappropriation of funds at the retail and wholesale levels.”
“Phishing is a primary method for breaching data systems and often leads to other malicious activity, such as installing ransomware, compromising internal systems to effect payments, or conducting espionage. Effective user awareness campaigns and training help prevent phishing attacks. Timely and thorough software patch and system update management, strong risk-based authentication, employee training, and effective network segmentation can prevent further damage if intrusions succeed.”
“The number, nature, and complexity of third-party relationships continue to expand, increasing risk management challenges for banks. Financial technology companies providing innovative financial products and services introduce opportunities, as well as potential risk, for banks.”
“Consolidation among larger service providers has increased third-party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Operational events at these larger service providers can potentially affect wide segments of the financial industry.”
“The volume of products and services and the complexity of end-to-end processes for delivery in larger, complex banks are key drivers influencing the current level of operational risk. Insufficient monitoring and limited internal testing have failed to detect product and service delivery disruptions, resulting in slowed responses by banks and prolonged impact to customers. This condition is especially true of banks with legacy or disparate management information systems and risk management programs that may be ineffective.”
The OCC also called for banks to address the compliance risks related to managing money laundering risks in an increasingly complex risk environment. The OCC stated that:
“The challenge for banks to comply with BSA requirements persists due to dynamism of money laundering and terrorism-financing methods. Also, bank offerings using new or evolving delivery channels may increase customer convenience and access to financial products and services, but banks need to maintain a focus on refining or updating BSA compliance programs to address any vulnerabilities created by these new offerings, which criminals can exploit.”
“In addition, BSA and anti-money laundering (AML) compliance risk management systems may not keep pace with evolving risks, constraints on resources, changes in business models, and an increasingly complex risk environment.”
“New and amended regulations strain bank change management processes and compliance management systems, which increases operational, compliance, and reputation risks. These changes include the integrated mortgage disclosures under the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA), as well as the new requirements under the amended regulations implementing the HMDA and the MLA.”
“Many banks face difficulties validating processes and systems that rely on software, automated tools, disclosure forms, and third-party relationships to process loan applications, create and distribute disclosures, and underwrite and close loans. Sound risk management practices should include maintaining processes and systems that are sufficient to identify covered borrowers and loan products, producing accurate calculations and required disclosures, and incorporating other required protections.”
“Some banks have difficulty fully and accurately implementing the significant system and operational changes necessary for the integrated mortgage disclosure forms—Loan Estimate and Closing Disclosure—required for most mortgage loans secured by real property since October 3, 2015. Banks need consumer compliance risk management and audit functions sufficient to promote ongoing compliance with the regulation.”
The Report further stated that the OCC expects banks to be prepared to implement effectively the new BSA regulation regarding Beneficial Ownership and Customer Due Diligence, which has an effective date of May 11, 2018.
Declining Enforcement Actions
Finally, the Report observes that the number of both formal and informal enforcement actions (“EAs”) by the OCC against banks, instituted to address alleged failures in appropriate governance, oversight, and risk management systems and controls, “has steadily declined since peaking in 2009[.]” According to the Report, this decline “reflect[s] overall improvement in banks’ financial conditions and risk management practices.” The Report provides the following graphic regarding EA patterns since 2006:
Formal EAs include cease-and-desist orders, consent orders, capital directives, prompt corrective action directives, civil money penalties, and formal agreements. Informal enforcement actions include commitment letters, memorandums of understanding, and notices of deficiency.