The Office of the Comptroller of the Currency (OCC) – the primary federal bank regulator for a broad cross-section of U.S. banks, from community banks to the largest banks in the country – issued its Semiannual Risk Perspective (the Report) on June 29, 2020. The Report sets forth the OCC's views on the economy, as well as key supervisory and compliance risks that the nation's top banking regulator has identified for heightened concern by its regulated institutions. As such, the Report is considered a must read for all financial institutions.
The majority of the Report provides the OCC's review and analysis of the substantial downturn in the U.S. economy due to the COVID-19 pandemic. The OCC notes that before the economic downturn brought on by the pandemic, the banking sector was in a position of considerable strength, with sound capital and liquidity, low problem assets and effective risk management systems. According to the OCC, matters requiring attention (MRAs) and banks rated 4 and 5 were at 10-year lows, reflecting the strong economy and banks' sound risk management practices. The OCC linked this strong foundation to the banking system's ability "to proactively work with borrowers and be a source of strength when the pandemic started." Notwithstanding the robustness of U.S. financial institutions going into the pandemic, the OCC stresses that the sudden and dramatic downturn in the economy, in which unemployment is at its highest levels in 80 years, and business and consumer confidence has plummeted, has created significant credit and operational risks.
Credit Risk
The Report notes that because the economic downturn's "depth and duration remains uncertain," nearly every asset class on banks' balance sheets has been or likely will be affected. The OCC identified elevated leverage in nonfinancial companies across many industries, including travel, entertainment, energy, hospitality, retail, transportation, residential home building, electronics, restaurants, small businesses and nursing homes. Moreover, credit agencies have downgraded public companies in several sectors, increasing payment stress.
To respond to credit risk, the OCC advises banks to update their portfolio management practices regarding stress tests to incorporate both the direct and indirect impacts of changing economic and market conditions. Rather than downsizing, the OCC expects banks to increase staffing in operations, collections and loan workout functions to work with strained borrowers. Moreover, given the increased credit risk and the substantial volume of requests for deferments and forbearances, the OCC advises banks to closely monitor the allowance for credit losses to ensure that it appropriately reflects the risks in the loan portfolios, with qualitative factors that take account of current conditions. According to the OCC, this includes assessing the potential financial impact of the pandemic on borrowers.
Pandemic Impact and Response Risk
The operational risks the OCC identifies are, without question, a product of the COVID-19 pandemic. Banks have amended their business processes, engaged third parties to support widespread teleworking, increased technological capacity and leveraged innovative solutions to maintain operational resiliency, but the shift to a more "virtual banking" experience comes with risks. The OCC identifies the following examples of risks that have arisen as bank personnel adapt to working remotely:
- Implementation of teleworking strategies using virtual private networks (VPNs), virtual conferencing services and other remote telecommunication technologies can increase cybersecurity vulnerabilities. These new or expanded connections and productivity tools need to be properly configured, secured and appropriately monitored. Additional steps may be necessary to properly segment and secure bank networks if employees use personal devices to connect to bank systems.
- Increased use of online and mobile systems by customers, bank staff and third-party service providers may stress or adversely affect banks' telecommunications capacity. Technology infrastructures should be effectively managed to provide for additional telecommunications bandwidth where needed to maintain appropriate service levels.
- Sensitive processes performed outside bank-owned or authorized properties and devices can increase the risk of fraud and the potential for exposure of sensitive customer information. Appropriate monitoring and oversight can include the use of data loss prevention tools, callback procedures (confirming a payment or change request by phoning the requester back at a number already on file rather than replying to the inbound message) and increased employee awareness of privacy and phishing mitigation procedures.
- Rapid implementation of new systems, including automation or processes to address evolving operating environments and customer needs, may stress existing change management processes. Appropriate change management and third-party risk management should be applied based on risk.
- Operational workloads, service levels and third-party service provider performance should be closely monitored so that potential reductions in their service delivery levels because of pandemic responses and other operational issues can be addressed in a timely manner while continuing to meet customer needs.
In identifying these risks, the OCC notes that banks' risk management and audit oversight functions need "to keep pace with the rapid implementation of pandemic-related business continuity plans and transitioning from traditional operations to a heightened risk level." The OCC calls independent oversight and validation of controls "essential to safeguard operational integrity in the current stressed environment," thereby suggesting that the OCC examiners will step up their review of banks' internal audit functions and management's ability to respond rapidly to identified deficiencies.
Heightened Cybersecurity Risk
As discussed above, the OCC has identified cybersecurity risk as an area of heightened supervisory concern as a result of the pandemic. According to the Report: "Phishing threats against bank customers and staff are elevated, and there have been an increasing number of attacks focused on the use of virtual private networks, virtual teleconferencing services, and other remote telecommunication technologies because of widespread transitions to telework models." The OCC sees the trend in phishing, destructive malware, ransomware and other cyber threats to continue as banks navigate through the economic disruption.
Prior to the pandemic, the OCC and the Federal Deposit Insurance Corporation (FDIC) issued their Joint Statement on Heightened Cybersecurity Risk on Jan. 16, 2020. This statement advised of the importance of implementing and maintaining effective cybersecurity controls. According to the January 2020 guidance, the agencies advised that sound cybersecurity risk management controls include:
- reviewing, updating and testing backup, incident response and business continuity plans to ensure data is sufficiently segregated
- protecting against unauthorized access through use of strong authentication
- securely configuring systems and services to protect against malware and malicious actors' access.
Now, the OCC advises that banks should consider measures to enhance the resilience of systems and operations against cyber threats. These may include maintaining system backups either on logically segmented portions of the network or on offline media, testing recovery capabilities, and having board and management "clearly understand their roles and responsibilities" in responding to a cyberattack. The practical point behind the segmentation or offline requirement is that a backup reachable over the same network and with the same credentials as production can be encrypted or deleted by the same ransomware that hits production, and a backup that has never been restored is of unknown value until the day it is needed.
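The backup and recovery-testing point above, as an added illustration that is not from the OCC Report or from the authors of this page: a small Python routine that records a hash manifest at backup time, restores the archive into a fresh directory and compares the result against the manifest, so that a backup that fails to restore, or that has been rewritten after the fact, is caught before it is needed. The manifest is deliberately kept apart from the archive (in practice on write-once or offline media) so that an attacker who can reach the backup share cannot also rewrite the record used to check it. The directory names, file contents and the tampering step are constructed for the demo.

```python
"""Added example: restore-and-verify check for a backup archive.

Not the OCC's or the authors' code. All paths and file contents below are
constructed for the demonstration.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

HASH = "sha256"


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict[str, str]:
    """Relative path -> digest for every regular file under src."""
    return {
        p.relative_to(src).as_posix(): file_digest(p)
        for p in sorted(src.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of src and return the manifest.

    The manifest is returned to the caller rather than written next to the
    archive: it belongs on separate, write-once or offline media.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def _is_safe_member(member: tarfile.TarInfo) -> bool:
    """Reject absolute paths, parent traversal and links before extracting."""
    name = Path(member.name)
    return (
        not name.is_absolute()
        and ".." not in name.parts
        and (member.isfile() or member.isdir())
    )


def restore_and_verify(archive: Path, manifest: dict[str, str], dest: Path) -> dict:
    """Restore the archive into dest and compare the result to the manifest.

    Returns {'ok': bool, 'missing': [...], 'mismatched': [...], 'unexpected': [...]}.
    """
    with tarfile.open(archive, "r:gz") as tar:
        members = [m for m in tar.getmembers() if _is_safe_member(m)]
        # Use the hardened extraction filter where the interpreter provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    mismatched = sorted(
        rel for rel in manifest if rel in restored and restored[rel] != manifest[rel]
    )
    return {
        "ok": not (missing or unexpected or mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "unexpected": unexpected,
    }


def tamper_archive(archive: Path, rel: str, new_content: bytes) -> None:
    """Simulate ransomware or a faulty job rewriting one member of the archive."""
    tmp = archive.with_suffix(".tmp")
    with tarfile.open(archive, "r:gz") as src, tarfile.open(tmp, "w:gz") as dst:
        for m in src.getmembers():
            if m.name == rel:
                m.size = len(new_content)
                dst.addfile(m, io.BytesIO(new_content))
            else:
                dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    tmp.replace(archive)


def run_demo() -> tuple[dict, dict]:
    """Back up a constructed tree, verify a clean restore, then show that a
    tampered archive fails verification against the separately held manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "bank-data"  # constructed sample data
        (src / "ledgers").mkdir(parents=True)
        (src / "ledgers" / "2020-06.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "config.ini").write_text("[core]\nhost=core-01.internal\n")
        archive = root / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_and_verify(archive, manifest, root / "restore-clean")
        tamper_archive(archive, "ledgers/2020-06.csv", b"ENCRYPTED BY DEMO\n")
        tampered = restore_and_verify(archive, manifest, root / "restore-tampered")
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore ok:", clean["ok"])
    print("tampered restore ok:", tampered["ok"], "mismatched:", tampered["mismatched"])
```

Run as a script it prints a passing clean restore and a failing tampered one. The two design choices worth carrying into a real job are the same ones the Report points at: the manifest lives somewhere the backup share cannot write to, and the check is a full restore into a fresh location rather than a listing of the archive's contents.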
Bank Secrecy Act Risk
The OCC's remarks on the Bank Secrecy Act (BSA) seem to underscore the agency's view that there has been some regulatory easing with respect to BSA and sanctions program compliance. The Report is arguably a reset to some degree, as the OCC expects banks to remain vigilant. The OCC notes that the Financial Crimes Enforcement Network (FinCEN) has provided regulatory relief under the risk-based approach to BSA compliance and that the Office of Foreign Assets Control (OFAC) has issued a statement recognizing that the pandemic may cause delays in compliance. The OCC also acknowledges that pandemic response measures and programs may affect timely compliance with bank obligations implementing BSA programs and OFAC-administered sanctions (e.g., onboarding processes, customer due diligence updates, suspicious activity alert investigations and blocking reports).
Notwithstanding the apparent regulatory easing with respect to BSA compliance (or in light of it) the OCC encourages banks to monitor information provided by law enforcement agencies and international anti-money laundering (AML) standard-setting organizations regarding the ways that criminals are adapting scams and money laundering techniques to exploit vulnerabilities created by the pandemic. The OCC also advises banks to be aware of evolving typologies and ensure that their AML compliance programs are commensurate with their risk profiles.
Even with some regulatory allowances for the difficulties in maintaining normal BSA compliance functions, banks are cautioned against viewing the regulatory easing as tantamount to regulatory forgiveness. While the OCC acknowledges the potential for difficulties, it nonetheless expects banks to "implement appropriate risk-based adjustments in their BSA systems based on COVID-19-related circumstances and keep their examiners updated on potential BSA and sanctions compliance issues, including potential delays in meeting regulatory reporting requirements." The OCC expects banks to track and manage deferred actions and temporary waivers so that they can readjust their systems after a return to a normal operating environment. It is also to be expected that the OCC will scrutinize these deferrals and waivers to ensure that they are consistent with a risk-based BSA/AML/OFAC compliance model. In other words, banks may take certain steps to alter their compliance approach to meet the special circumstances created by the COVID-19 crisis, but examiners will expect banks to demonstrate that such adjustments are nonetheless commensurate with the banks' risk. If OCC examiners suspect that a bank altered its BSA/AML/OFAC compliance approach in a manner that created increased risk, examiners can be expected to cite an MRA. Thus, as with any compliance approach, banks need to document their efforts so that they can show they acted with a risk-mitigation focus.
Consumer Compliance and Fair Lending Risk
The Report indicates that banks should follow established change management and compliance risk management processes to identify, measure, monitor and control the emerging risks associated with the COVID-19 national health emergency. The OCC notes that banks' strategies for processing consumer requests and applications will vary with implementation, and as such, may bring an increasing risk of disparate treatment and disparate impact discrimination on a prohibited basis. The OCC expects banks to implement appropriate monitoring measures to guard against such occurrences.
The OCC also noted that the shift to teleworking may create consumer compliance issues. Specifically, the Report highlighted that branch closures, reduced operations and communication issues may result in increased customer complaints. In response, the OCC cautions that banks must "remain diligent" in their consumer protection role, ensuring that fair lending and other laws are observed, particularly when dealing with applications for new or modified loans and working with customers affected by the COVID-19 pandemic. Some banks have in the past had difficulty meeting deadlines set under the mortgage loan modification process in response to the last crisis – and that was without the specter of a global health pandemic. Even in the current environment, examiners expect banks to meet the regulatory deadlines imposed on consumer-oriented transactions. The OCC further notes that increased reliance on remote work environments may create challenges to maintaining safeguards for protecting the privacy of consumer information and for monitoring customer interactions for consistency with bank policies and procedures.
Conclusions and Observations
In view of the Report, in order to mitigate the risk of a supervisory or enforcement action resulting from OCC scrutiny of COVID-19 related measures, banks should consider certain steps:
- Ensure that policies and procedures in such key areas as credit risk, BSA/AML, cybersecurity and fair lending are being complied with, and where modifications have been made, ensure that such modifications do not create increased risk and are documented.
- Compliance departments should coordinate with internal auditing departments to ensure that when the latter is reviewing the institution's operations and identifying gaps, audit does not cite as a problem a gap that is permissible by pandemic-related regulatory flexibility.
- Proactively review customer complaint logs to identify high-volume substantive areas, as they may suggest key areas of customer confusion. This is a best practice that is advisable even absent a global health pandemic.
- Review third-party service providers in critical infrastructure areas to ensure that benchmarks continue to be met. Particular scrutiny should be applied where third-party vendors are used to support activities that have been transitioned to remote working.
- After the pandemic subsides, banks should review their business continuity plans to determine whether the implementation of the plan in response to the pandemic performed according to the bank's needs and supervisory expectations. If not, then the bank should review and revise the plan accordingly. In other words, this is a good opportunity to observe the sufficiency of the business continuity plan in action.
As discussed above, the OCC has explained that the COVID-19 pandemic has created – or at least highlighted – multiple credit and operational risks facing banks. Given its dismal economic forecast, the OCC appears to expect the operational and credit challenges that have surfaced to continue through the remainder of 2020. In light of the observations and guidance set forth in the Report, expect increased examiner scrutiny of risk management and internal audit functions, to confirm that existing policies and procedures are still being followed and that any adjustments to a bank's operations made for pandemic-related flexibility do not ignore risk. To be clear: a bank may modify its operations in accordance with agency guidance, including the way it interfaces with customers, but if such modifications create additional risk, leave risks unaddressed, or fail even to consider how a certain risk might be affected, examiners will notice and take appropriate supervisory action.
Finally, while the OCC acknowledges and is sensitive to the fact that bank personnel are going through difficult times and attempting to adjust not only to their customers' needs but also to their own operational challenges, the OCC does not expect banks to modify their operations at the expense of risk management, compliance or fair treatment of customers. Undoubtedly, regulators will take appropriate supervisory or enforcement actions to ensure compliance, even in the face of a global health pandemic.