Cybersecurity Among Focus for OCC Supervision in 2018

Financial Services Law

What will the Office of the Comptroller of the Currency (OCC) focus on in 2018? Cybersecurity, for starters, the agency said in the release of its Bank Supervision Operating Plan for the next fiscal year.

What happened

For Fiscal Year 2018, which began Oct. 1, 2017, and ends Sept. 30, 2018, the OCC’s Committee on Bank Supervision (CBS) developed an operating plan to establish the agency’s supervisory priorities and objectives.

The plan identifies the issues that will be applied across each of the CBS operating units and are used to develop individual operating unit plans and supervisory strategies that are institution-specific, with differentiations by bank size, complexity and risk profile.

For FY 2018, the OCC identified five areas it will focus on: cybersecurity and operational resiliency; commercial and retail credit loan underwriting, concentration risk management, and the allowance for loan and lease losses; business model sustainability and viability and strategy changes; Bank Secrecy Act/anti-money laundering (BSA/AML) compliance management; and “change” management to address new regulatory requirements.

Each operating unit of the agency also shared its areas of focus. The National Risk Committee (NRC) intends to keep an eye on supervisory analytics (gathering quantitative information across the OCC and the industry to support the identification and prioritization of risk facing the federal banking system) and standardized processes (using and refining established documentation standards for consistent assessment of supervision risk by NRC and the agency), among other issues.

In the area of large bank supervision, each strategy of supervision will cover activities such as horizontal risk analysis, market risk, and governance and operational risk, while the Midsize and Community Bank Supervision Department wants to pay more attention to credit underwriting, asset management and operational risk.

Within the area of operational risk, examiners “will review banks’ programs to determine to what extent they assess the evolving cyber threat environment and banks’ cyber resilience,” the OCC detailed, continuing to use the Financial Institutions Examination Council’s Cybersecurity Assessment Tool.

The agenda for the chief national bank examiner includes policy guidance, technical assistance, industry outreach and an effort to enhance supervisory analytics to measure and monitor bank performance, from trends and performance dashboards to improved reporting of matters requiring attention and enforcement actions.

Examinations of service providers will also key in on cybersecurity and resilience, the OCC said. “Where appropriate, examiners will incorporate reviews of increased use of cloud computing for critical services, advances in skimming technology, delays in the implementation of chip technology, implementation of new technologies without comprehensive due diligence and threats from other systems connected by the Internet to the banks’ systems,” the plan explained.

For the Compliance and Community Affairs Department, the focus will be on BSA/AML programs and controls, with examiners “alert for any aspect of bank BSA/AML strategies that may inadvertently impair financial inclusion.” Banks will also be monitored for compliance with new regulations and changes to existing regulations, with an emphasis on the Military Lending Act, Servicemembers Civil Relief Act, and Prepaid Card Rule.

To read the OCC’s plan, click here.

Why it matters

Banks would be well-served to review the OCC’s Bank Supervision Operating Plan for FY 2018 to prepare not only for the five overarching areas of focus of the agency, but the department-specific priorities that apply as well. The OCC will also provide updates about these supervisory priorities in its Semiannual Risk Perspective, published in the spring and fall.

back to top



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved