A recently released report from the Office of the Comptroller of the Currency (OCC) identified key areas of risk that pose a threat to the safety and soundness of the federal banking system.
The agency highlighted risk in four areas (credit, operational, compliance and interest rate), noting that it is keeping a close eye on the “rapid growth” of fintech and regulatory technology, which impacts each of the four areas.
What happened
The OCC’s National Risk Committee issued its Semiannual Risk Perspective for Spring 2019 report. In the report, it concluded that the federal banking system’s overall health remains strong; however, it identified four areas of potential risk to national banks—credit risk, operational risk, compliance risk, and interest rate and liquidity risk.
In the area of credit risk, the agency noted that successive years of growth and incremental easing in underwriting, risk layering and building credit concentrations have resulted in “accumulated risk” in loan portfolios. National banks should ensure they have in place appropriate risk management practices and methods—in preparation for a potential cyclical downturn, the report recommended.
Turning to operational risk, the OCC discussed as areas of concern “persistent” cybersecurity threats, innovation in financial products and services, and the increasing use of third parties to provide and support operations. Often, the use of third parties is “not effectively understood, implemented and controlled” by financial institutions, the report cautioned.
“The potential for operational disruptions underscores the need for effective change management and operational resilience when implementing new products, services and technologies, and when maintaining existing operations,” the OCC wrote.
Compliance risk related to Bank Secrecy Act/anti-money laundering (BSA/AML) remains high, with banks facing a challenge to “effectively manage money-laundering risks in a complex, dynamic global operating and regulatory environment.” BSA/AML compliance risk management systems “should be commensurate with the risk associated with a bank’s products, services, customers and geographic footprint,” the agency reminded national banks. Despite positive overall trends, deficiencies identified by the OCC include insufficient customer risk identification and inadequate customer due diligence, as well as ineffective processes related to suspicious activity monitoring and reporting.
In the final category, the OCC said interest rate and liquidity risk can be found in the uncertain rate environment, competitive pressures, changes in technology, and untested depositor behavior after an extended low-rate environment. These factors in turn increase the difficulty of forecasting liability costs.
The report addressed the emerging risks resulting from strong competitive pressures from nonbanks, as well as from evolving technology in the financial services sector. Fintech companies and other nonbank financial services providers may influence customer expectations for the delivery of financial services, the OCC said, “and bank management should consider if and how this affects their business model.”
“While innovation is not new to the banking industry, the pace of change and the transformative nature of technology may result in a more complex operating environment,” the report cautioned. For example, innovation can enhance a bank’s ability to compete by improving operating efficiencies, but it can also elevate strategic risk when pursued without appropriate corporate governance and risk management, the OCC said.
“Management should consider this concern as part of its risk management assessments,” the report stated. “Banks that do not assess business relevancy and impacts from technological advancement or innovation, or are slow adopters to industry changes, may be exposed to increasing strategic risk. A bank’s decision to make incremental or fundamental changes should align with its business strategy and risk appetite.”
Fintechs and other nonbanks are increasingly providing products and expanded services—such as payment processing, retail loans and small-business banking—that historically were offered by banks only. In fact, in the market for unsecured personal loans, in just over three years, fintech lenders jumped from the lowest to the highest originators, the OCC said, and in 2018 they originated 40% of such loans.
The agency advised that national banks shouldn’t jump into change without proper consideration of risk, but pointed out that a “slow-adopter strategy” adds risk because the speed of change, combined with the lengthy process to evaluate and implement newer technology solutions, “can result in loss of customers or market share before the bank can respond,” the report explained.
Innovative products and processes should be reviewed by management “from end-to-end,” the OCC said, “to ensure sure that they are delivered as intended and disclosed with the appropriate risk evaluation.” For national banks collaborating with a nonbank firm, the report recommended proper due diligence and confirmation that appropriate controls are in place, as well as ongoing due diligence and appropriate oversight. “The lack of proper due diligence, oversight and controls over third-party relationships can result in elevated reputation, strategic, operational and compliance risks,” the agency wrote.
To read Semiannual Risk Perspective for Spring 2019, click here.
Why it matters
The OCC’s Semiannual Risk Perspective offers insights for national banks—and third parties that service them—about the issues the agency will be focusing on in its bank examinations. The issues discussed in the report provide a road map not just for banks but also for fintechs and other nonbank partners that will be on the receiving end as national banks try to address the concerns presented by the OCC. Rapid developments in fintech and financial innovation, when properly embraced, can make a bank more competitive, but there are risks, both for banks that fall behind and for banks that pursue changing business models without an appropriate corporate governance and risk management structure in place.