On January 18, the Office of the Comptroller of the Currency (OCC) released its semiannual report on risks plaguing the federal banking system during Fall 2017. The report highlights the OCC's ongoing concerns for federal banks as they affect consumers and the integrity of the banking system in relation to compliance mandates. The report acknowledges the fierce competition in the banking sector, as institutions face continuing pressure to efficiently lend money in a fast-paced environment where consumers demand rapid technological advancements, all in the face of similarly complex and ever-changing regulations. These factors create a plethora of risks and insurmountable exposure for the federal banks under the purview of the OCC.
Concern Regarding Relaxed Underwriting
The OCC explains that while most loans are secured by dependable assets, underwriting overall is merely "acceptable" in its current state. Examining the strong competition for loans in a slow-growth market with marginal returns, the OCC concludes the current market favors an easing in underwriting processes, which exposes banks to increased risks in later uncertain markets. Banks have grown seemingly relaxed in our post-recession society, which the OCC says has led to lender "complacency." The OCC encourages lenders to instead home in on stabilizing their credit practices within risk ranges that are sustainable "under less benign economic conditions," such that risks are accounted for in potential allowances or losses. This is especially true for agricultural lenders, given growing concerns that once-profitable agricultural sectors are slowly deteriorating.
Increasing Privacy Threats
Occurring with exponential frequency and advancement, cyber-attacks take the most economic approach by targeting vulnerabilities with the greatest potential for obtaining personally identifiable information (PII) of employees and customers, as well as proprietary information, to enable criminal schemes. The two main types of attacks are phishing – the use of rigged messages to trick recipients – and watering holes – infecting popular websites with malicious code that is transferred to visitors.
The OCC explains that outdated software and security are to blame for most breaches, and that banks should not only routinely maintain and update their security systems, but also test their processes for weaknesses and establish an action plan to engage in the event of a breach. Additionally, banks should be aware that information technology products and services are also frequent targets, as they are part of a bank's supply chain and can be the weakest link. The OCC encourages a "layered security approach" with strong authentication and strict management of those system users with unfettered access.
Lastly, the OCC notes that the concerning trend of consolidation amongst third-party service providers, upon which growing numbers of banks rely, makes the remaining entities more desirable targets for cyber-attacks. Thus, the use of and reliance upon third parties to provide new products and services to banks represents an external risk that must be managed, tested, and planned for like internal risks.
Ongoing Heightened Compliance Risks
In light of the previously discussed threats of security breaches, the OCC emphasizes that banks must be mindful of adherence to Bank Security Act (BSA) requirements. The platforms offered to consumers and used internally create potential points of failure that implicate the BSA. The OCC also emphasizes the need to comply with the upcoming implementation of the Financial Crimes Enforcement Network's Beneficial Ownership/Customer Due Diligence regulation and new Office of Foreign Assets Control sanctions.
Next, forthcoming changes to consumer protection regulations pose internal challenges to banks. The OCC specifically references the integrated mortgage disclosure requirements under the Truth in Lending Act and Real Estate Settlement Procedures Act, and the updated requirements of the regulations implementing the Home Mortgage Disclosure Act (HMDA) and Military Lending Act (MLA). While the integrated disclosure requirements set forth specific calculations and limits for fees, payment streams, and timing in October of 2015, the OCC continually encounters non-conforming banks that risk reimbursements, rescissions, and statutory damages as a result of their actions. Separately, new requirements of the HMDA obligate banks to (1) update their submission process for data collected in 2017 such that by March 2018, banks will be ready to use a new platform with specifications issued by the CFPB and (2) collect additional data points for applications received in 2018 to be submitted in March of 2019. The MLA has expanded protections for those in the military to a broader range of products, such that additional charges are included in the tabulation of the maximum annual percentage rate of 36 percent in comparison to the stipulations under Regulation Z. In total, the OCC asserts that "amendments have the potential for significant compliance, credit, and reputation risk exposure in OCC-supervised banks."
Finally, the OCC addresses the broad umbrella of bank compliance in asserting that internal quality is essential in risk-management processes aimed at ensuring compliance, explaining that "[b]anks are expected to have consumer compliance risk management systems commensurate with the risk inherent in their products and services." The OCC ends its substantive report with the notion that "[i]n some banks, these systems have not kept pace with the increasing complexity of the regulatory and risk environments in which they operate." The finite amount of resources in comparison to the cost of compliance, business, new and competitive products and services, and reliance on third parties increases the demand on strained risk management and compliance systems. These factors coalesce into mounting exposure for banks, increasing public scrutiny, the potential likelihood of compliance failure, and the impact on customers, which the OCC encourages banks to get ahead of through diligent management and planning.