-
Regulators are focusing attention on ensuring community banks have proper security systems in place in the wake of a string of cyberattacks on megabanks.
June 12 -
Banks are in danger of "taking excessive risk" in order to boost profits damaged by a slow economy by offering risky new products and lowering underwriting standards, a new report from the OCC said. The fiscal cliff could also take a toll.
December 20 -
The Office of the Comptroller of the Currency published its first Semiannual Risk Review, a report offering a rare distillation of what it sees as the greatest safety and soundness threats facing banks, including weaker underwriting standards and new, potentially dangerous, products.
July 5
WASHINGTON Cyber threats are the fastest-growing risk to banks, according to a report released Tuesday by the Office of the Comptroller of the Currency.
While the agency's third semiannual Risk Perspective report once again highlighted concerns about banks stretching too far to make up for lost profit, the OCC for the first time prominently highlighted cybersecurity as a top concern.
"The cyber threats continue to increase in both sophistication and volume and require a heightened awareness and appropriate resources to be able to identify and mitigate the associated risks," said Carolyn DuChene, the OCC's deputy comptroller of operational risk, in a conference call with reporters. "We continue to implement a broader strategy that involves increased outreach to all of the banks we supervise in an effort to increase their ongoing awareness and preparedness strategies."
Asked whether the banking agencies are prepping new rules on cybersecurity, DuChene said that regulators are thinking "not in terms of regulations."
Cybersecurity was mentioned a single time in the OCC's previous risk report released six months ago, which mostly warned about loosening underwriting standards and new potentially risky bank products. But the report released Tuesday had an entire section devoted to cyber threats for banks of all sizes.
The regulatory focus on cybersecurity has intensified since some megabanks were attacked by denial of service attacks earlier this year. Last week, the OCC hosted a webinar for more than 1,000 community banks on cybersecurity standards.
"Clearly our largest banks are dealing with that issue on an almost daily basis," said Darrin Benhart, deputy comptroller for credit and market risk at the OCC, on the call. "One of the concerns is the potential migration of that threat to some of our midsize and community bank population."
The agency is worried that as cyber threats increase and become more sophisticated, the costs and resources devoted to the issue will skyrocket. As a result, many banks may outsource services in an effort to reduce expenses, which the OCC says could inadvertently increase operational risk.
"Some banks are changing the way they apply technologies, including adopting new and less market-tested applications, reengineering business processes, and increasing their use of outsourcing to reduce operating costs," the report said. "While these tactics can help meet strategic business objectives, banks need to understand and manage the associated risks and provide effective ongoing oversight."
In the same section, the OCC said electronic bank fraud has also increased, saying some banks are not employing "sufficient resources" to deal with Bank Secrecy Act and anti-money laundering compliance.
"BSA and AML risks are increasing as bank programs fail to evolve or incorporate appropriate controls into new products and services," DuChene said. "As risks, both threats and vulnerabilities, change or morph and as regulatory requirements change, the bank's system of internal control, processes, IT systems and risk management must change as well."
Despite a more "positive" economic outlook, the OCC said banks are still anxious to generate earnings against the low interest rates and loan demand. Loan growth is half its average pace during the last 25 years, according to the report.
This has caused some banks to "chase yields," offering new products that the bank is unfamiliar with or lowering underwriting standards to compete for commercial loans.
"Banks must address the challenges of carefully identifying alternative sources of revenue, prudently diversifying balance sheets and revenue sources, and effectively managing their cost structures," the report said. "New products and services may present unfamiliar risks for which some banks may lack the requisite expertise, management information systems, and appropriate risk controls."
Strategic risk was a particular concern for community and midsize banks in the report which breaks down risks by size of institution. The OCC cautioned these banks of jumping into certain business lines that require "specialized risk management" such as asset-based lending, leveraged loans, indirect auto financing, mortgage banking and energy lending. It again warned small and midsize banks of higher interest rate risk as many banks are purchasing more mortgage-backed securities to invest their deposits when loan demand is down, thereby expanding the duration of their investment portfolios.
For small to mid-size banks, the OCC said its supervision and policies will focus on seven areas: strategic and capital planning; risk management of new or modified products and services including outsourcing activities; operational and technology risks; underwriting of commercial and industrial loans; interest rate risk; compliance with consumer laws and anti-money laundering schemes; and commercial real estate concentration.
"For community banks and midsize banks, our examiners are really going to be focused on strategic and capital planning," Benhart said. "That's where we actually see a lot of the risk as banks move into new or emerging areas."
For large bank supervision, the OCC said it will focus on 10 areas: governance and oversight starting with the bank's board; operational risk; cyber-threats; strategic business and new product planning; mortgage servicing problems; commercial credit underwriting, especially for leveraged loans; Basel capital standards; home equity lines of credit that are set to mature; compliance with consumer financial protection laws; and exposure to the euro zone.
"In our large bank space we are really focusing on strengthening their governance, oversight and operational risk issues as the lapses that we've seen in some of the controls, processes and oversight are still being worked out," Benhart said.
The OCC said many large banks in particular face profitability and operational risks because of litigation costs over mortgage foreclosure settlements and "persistently high levels of credit stress" in residential loan portfolios.
The OCC indicated that large banks continue to have weaknesses in foreclosure and mortgage servicing practices, internal control failures and lapses in oversight control functions such as BSA/AML oversight, to name a few. The agency is calling for some large banks to change their operational models.
"Large banks are grappling with the need for fundamental changes to their business models as a result of weakening revenue growth, including shifts in trading, securitization, and consumer fee income," the report said. "Operational risk remains heightened during this transition period."
The OCC's ongoing push for tighter operational risk has caused some of the largest banks to begin changing their fundamental strategies. But OCC officials indicated they were still pressing the issue.
"It's [operational risk] been high on our list, especially for our largest banks and we are seeing them put into place better governance structures, better risk management processes as they react and look to mitigate some of the weakness that we've been identifying," Benhart said. "I would say they have been making good progress but we continue to emphasize that area."
