OCC report identifies use of third-party service providers and consumer compliance as key risks for federal banking system
Last week, the OCC released its Semiannual Risk Assessment for Fall 2017 highlighting credit, operational, and compliance risks to the federal banking system. In addition to easing in commercial credit underwriting processes, the increasing complexity of cybersecurity threats, and ongoing challenges in complying with Bank Secrecy Act (BSA) requirements, the other key risks identified by the OCC were increasing concentration in third-party service providers for critical operations and challenges in consumer compliance risk management for banks due to the increasing complexity in consumer compliance regulations. Among the report’s important takeaways is that, despite the CFPB’s recent deregulatory initiatives, financial institutions, particularly banks, continue to face enforcement and supervisory risk resulting from insufficient attention to regulatory compliance.
Operational risk resulting from use of third-party service providers. The OCC indicated that banks’ increasing use of third-party service providers and the emergence of new products and services offered through financial technology companies or other industry collaborations warrant heightened supervisory focus. The OCC observed that many banks have become increasingly reliant on third-party service providers to support key operations and, as a result of increased consolidation among significant providers, large numbers of banks, especially community banks, are relying on a smaller group of third parties providing critical applications.
The OCC stated that its examiners have identified instances of concentration of third-party services for specialized services, such as merchant card processing. The OCC acknowledged that banks can achieve greater economies of scale and better manage operations than they could do individually by having access to technical resources provided by third-party service providers. At the same time, the OCC cautioned that increased use of a limited number of such providers “can create concentrated points of failure resulting in systemic risk to the financial sector that banks can address through appropriate due diligence and oversight.”
Compliance risk. The OCC observed that new or amended regulations create challenges to bank change management processes and increase operational, compliance, and reputation risks. As examples of such changes, the OCC identified the integrated mortgage disclosure requirements under the Truth in Lending Act and the Real Estate Settlement Procedures Act, as well as the new requirements under the amended regulations implementing the Home Mortgage Disclosure Act (HMDA) and the Military Lending Act (MLA).
The OCC also noted the continued challenge for banks to comply with BSA requirements persists due to dynamism of money laundering and terrorism-financing methods. The OCC stated that bank offerings using new or evolving delivery channels may increase customer convenience and access to financial products and services, but banks need to maintain a focus on refining or updating BSA compliance programs to address any vulnerabilities created by these new offerings, which criminals can exploit.
The OCC noted that the TILA, RESPA, and MLA requirements apply to the majority of OCC-supervised institutions. It stated that despite the integrated mortgage disclosure requirements’ October 2015 effective date, the OCC continues to identify instances where banks have not fully implemented such requirements. It noted that common supervisory concerns include the accuracy of loan estimates and closing disclosures and inaccurate timing and tolerance violations.
With regard to HMDA, the OCC commented that changes to HMDA require banks to significantly enhance their data collection and reporting systems in 2017 and 2018 to meet their compliance obligations. It also stated that the CFPB’s recent announcement that it intends to engage in a rulemaking to reconsider various aspects of the revised HMDA rules could result in further HMDA-reporting change management by banks.
With regard to the MLA, the OCC observed that the amended MLA regulationexpands the protections provided to servicemembers and their families, covers a wider range of credit products, and is more inclusive than TILA “finance charges” for purposes of the types of charges that must be counted toward the MLA 36 percent rate limit. It noted that the amendments have the potential for significant compliance, credit, and reputation risk exposure, including the voiding of the credit agreement.
The OCC also made the observation that banks have increasing operational and compliance risk exposure due to strains on the resources needed to effectively support the volume and frequency of regulatory changes and manage existing compliance programs. The OCC reminded management of the need to identify and understand the risk exposure associated with these resource challenges and address them appropriately. It warned that failure to do so could have negative impacts on the effectiveness of compliance risk management systems to ensure regulatory compliance and fair treatment of customers and also reminded management of the need to conduct sound due diligence and maintain sufficient oversight when relying on third parties to provide or service bank products.