What’s the OCC Banking Regulatory Outlook for 2022?

As the year’s end approaches, the US Office of the Comptroller of the Currency (OCC), a primary US banking regulator, has published its Banking Supervision Operating Plan for 2022.

As you might expect, much of the OCC’s focus is on managing the repercussions of the pandemic and the resulting economic, financial, operational, and compliance implications. The specific points it raises complement the existing baseline requirements of OCC bank examinations.

One objective for the OCC in 2022 is to ensure banks do not become complacent in managing their strategic and operational planning, especially related to capital, credit losses, and earnings. The OCC will focus closely on how banks plan to manage new initiatives and their impact on a bank’s risk profile, financial performance, and strategic planning process.

The OCC will also be looking at the economic fallout of the pandemic and any long-term impacts, especially around credit risk and allowances for credit losses. Other areas of interest will include climate financial risk, the transition away from LIBOR, and interest rate risk.

Other areas of OCC interest

Other areas that the OCC is focusing on chime with the conversations we have with our customers and industry practitioners. Third-party risk and the potential for concentration risk continue to resonate with regulators. We already have the Interagency guidance on third-party risk, which is currently out for consultation. In it, the OCC, Federal Reserve, and the FDIC are pooling their thinking about how best to tackle third-party risk. In the UK, banking regulators are also looking to enhance their supply chain resilience for the UK’s financial services sector.

The specific guidance offered by the OCC – which will likely echo the guidance of the FDIC and Federal Reserve – will focus on ensuring that banks have proper oversight of their significant third-party relationships, including their partnerships. Banks will need to demonstrate which relationships are critical to a bank’s operations and identify where there are concentration risks that fall outside a bank’s risk tolerances.

Banks also need to assess the cyber risk profile of their third-party supply chain and ensure that their critical suppliers have measures in place that protect themselves and their customers, the banks.

New challenges for US banks

This presents an array of challenges for US banks. Clearly, banks recognize the value of third-party relationships and partnerships, which help them deliver services faster and more efficiently than if they tried to provide them in-house.

The issue is that there are few purely third-party relationships in a hyper-networked world. Instead, there is an array of third, fourth, and fifth-party relationships that need to be managed too. These deeper relationships can easily hide the concentration risk that regulators are understandably worried about.

For example, there are many SaaS-based services provided to banks by numerous vendors, many of which are underpinned by a small number of huge Cloud Computing service providers. This concentration could expose banks to technical, operational, or commercial issues that can swiftly impact a bank’s ability to deliver its services to its customers and compromise confidence in the wider banking sector.

So how can banks best address these issues? Third-party Risk Management (TPRM) solutions are not necessarily new. Still, they are taking on greater importance as regulators in the US and further afield recognize the risk banks can be exposed to and raise their expectations of how it is managed.

What’s needed from a TPRM tool for banks?

So, what might a TPRM solution that meets the needs of regulators look like?

Engaging at depth within the supply chain means that a decentralized, SaaS-based application is essential. Companies in the third, fourth, and fifth tiers of a supply chain need to be able to implement the TPRM requirements of a bank quickly and easily, even where there is no direct relationship.

A centralized repository containing the relevant contracts, policy standards documentation, and the risk profiles of the various suppliers will also help manage third-party risk more effectively.

Another capability is the ability to monitor the various companies in the supply chain proactively. If issues emerge at any level – technical, commercial, operational, or political, for example – a bank’s risk, operations, and compliance functions can respond quickly and positively when they need to. Spotting issues early is the most effective way of ensuring issues get resolved fast.

This article is authored by Henry Umney, General Manager GRC Strategy at Mitratech. We received permission from Mitratech to republish the article for the ADCG community. The original can be found here.
