OCC semiannual risk perspectives

OCC highlights key risk themes and additional challenges across operations and compliance.

Key points

  • Operational and compliance risks are elevated, driven in large part by advances in technology, pressures to cut costs, competition from nonbanks, and reliance on third parties.
  • Banks are struggling to attract and retain skilled talent to manage compliance programs and change management processes.
  • Artificial intelligence, machine learning, and other innovative technologies are increasingly considered to improve compliance efficiencies and effectiveness and address other resource constraints.

The Office of the Comptroller of the Currency (OCC) released the Spring 2019 edition of its Semiannual Risk Perspective Report highlighting key risks across four themes as well as additional challenge areas that the OCC believes also pose risk to the industry.

Key themes:

  • Credit quality. OCC states that increased credit risk is evident through eased underwriting, a higher tolerance for policy exceptions, and high concentrations in commercial real estate lending. OCC notes, in particular, that many leveraged loan transactions have weak structures and cautions bank boards and management about the potential effect these loans might have on the financial system while adding that most of the credit risk associated with leveraged loans is outside the federal banking system.
  • Operational risk. Operational risk is elevated due to increasing and evolving cyber threats to financial institutions and third-party systems, innovation in financial products and services, and increasing reliance on third-party service providers for technology and operational support. OCC states these risks underscore the need for effective change management and operational resilience when implementing new products, services, and technologies and when maintaining existing operations.
  • Compliance risk. Compliance risks remain high in large part due to advances in technology, including artificial intelligence (AI) and machine learning, which banks and their third-party service providers are deploying to improve efficiency and effectiveness in the compliance program. OCC specifically calls out compliance risks associated with BSA/AML requirements (including traditional financial products and services as well as newer products such as virtual currency and crypto assets), U.S. economic and trade sanctions programs administered by Treasury’s Office of Foreign Assets Control (OFAC), the application of new payment delivery channels and customers, and the potential for fair lending risks associated with the use of AI and/or alternative data sets.
  • Interest rate risk. Interest rate risk and related liquidity risk implications may pose potential challenges to earnings given the uncertain rate environment, competitive pressures, changes in technology, and “untested depositor behavior.”

Additional challenges:

  • Talent acquisition and staff retention. Banks face challenges to attract, onboard, and retain skilled staff to manage compliance operations and risks and change management processes related to new products, services, and technologies. OCC states that there are ongoing staffing challenges in specialized or complex areas such as BSA/AML and OFAC operations and compliance programs. Competition for talent has also intensified as banks focus on building new innovation divisions and/or programs to manage their third-party relationships and partnerships. OCC cautions that certain new technologies, such as AI and machine learning, may add complexity and limit transparency, increasing the potential for compliance risk.
  • Reliance on third-party service providers. Banks increasingly rely on fintech firms and third parties to provide innovative technologies, scale economies, staffing expertise, and other resources (such as to supplement/support their existing compliance operations), in order to expand their product and services offerings, increase speed to market, and increase efficiency and effectiveness. These relationships must be actively managed; a lack of due diligence, oversight, and controls over third-party relationships can result in elevated reputational, strategic, operational, and compliance risks.
  • Elevated strategic risk. OCC states strategic risk is heightened by a number of drivers, including: the pace of industry change; poor business decisions; imprudent or incomplete change management plans; pressure to reduce expenses and control costs; the burden of some legacy technology systems, resource limitations, and the need for scale of operations. OCC also states that banks that are slow to adapt to industry changes may be exposed to increasing strategic risk.

KPMG perspectives

The OCC’s identified key themes and regulatory challenges align with its priorities for bank supervision released last September (see KPMG’s Regulatory Alert). Banks should anticipate that examiners will evaluate their governance and risk management efforts in each of these areas, including assessing how they are adapting to market pressures, implementing new technologies, and maintaining governance and controls over their risk management frameworks. The OCC notes that the transformative nature of technology may result in a more complex operating environment; dependence on third-party vendors for the rapid deployment or scalability of advanced analytics and AI technologies can further heighten governance, accountability, and consumer protection risks.

Banks should consider taking action in key areas, including:

  • Strengthening risk management practices, including oversight and specific accountability for enterprise risk identification, risk assessment, scenario analyses, issues management, controls, and reporting.
  • Aligning their credit strategy with their credit risk appetite.
  • Demonstrating adequate review, examination, and investigation of AI-generated decisions and outcomes, especially with regard to fair lending and consumer compliance requirements related to credit decisions.
  • Managing and mitigating risks from exposure to third parties (e.g., compliance failures, cybersecurity weaknesses, data privacy breaches, reputational risks, concentration risks).
  • Integrating third-party risk management across performance-based areas, risk functions, and disciplines.
  • Clarifying the roles and accountability of the Board of Directors and management and ensuring that the Board and management have sufficient awareness and understanding of new technologies.
  • Assessing and enhancing (as appropriate) recruiting, hiring, and retention processes for skilled compliance talent.
  • Ensuring that agile and effective change management processes are in place to allow for resilient and compliant business processes across changes to business models, delivery models, automation, third-party relationships, and regulatory requirements.
  • Reassessing core processes and controls to determine where streamlined governance and enhanced risk management might add value.
  • Identifying opportunities to converge controls across operational and business units for more streamlined compliance, improved risk management, and enhanced first line ownership of compliance risks.

KPMG issued a point-of-view paper on the regulatory challenges financial services may face related to the use of advanced analytics and AI solutions. The paper, AI | Compliance in Control, raises many of the issues identified in the OCC’s Semiannual Risk Perspective and highlights related drivers and actions.