WASHINGTON — Offering new products, considering a merger or altering your balance sheet may be just what the doctor ordered in this competitive environment. But material changes in strategy can also bring significant risk.

That was a key takeaway of the Office of the Comptroller of the Currency's latest report on assessing the risk landscape. As it has in previous bulletins, the OCC on Monday said strategic risk "remains high" as particularly small and midsize institutions "search for sustainable ways to generate target rates of return or struggle to implement their strategic plans."

"Some banks are struggling to find viable business models, while others are increasingly adopting innovative products, services, and processes in response to evolving customer demands and the entrance of new competitors," Comptroller Thomas Curry said in remarks for the release of the semiannual risk perspective.

"Doing so often involves assuming unfamiliar risks, including expanded reliance on third-party relationships. Banks may face heightened strategic planning and governance risk if they do not use sound risk management practices that align with their overall business strategies."

The report, for the first time, also included a section discussing the growth in marketplace lending. The OCC said it "strongly encourages responsible innovation," but noted that banks that get involved with marketplace lending firms "face potential compliance, BSA/AML, operational, and market risk issues."

Curry said the agency has "stressed that banks should have effective risk management to ensure such innovation aligns to their long-term business strategies."

The report also shined a spotlight on continued concerns about weaker credit underwriting as banks search for more loan volume and yield in a competitive credit environment, as well as persistent risks from cyber threats, anti-money-laundering requirements and compliance with new regulations. (The OCC's review reflects industry data as of the end of last year.)

"Operational risk remains elevated as banks deal with changing threats to cybersecurity and increasing reliance on third-party relationships," the OCC report said. "Bank Secrecy Act and compliance risk management remain complex areas to manage and continue to pose challenges as banks implement systems to address changes in technology and comply with new rules."

The OCC pointed to strategic risk concerns from balance-sheet changes to strengthen return on equity and heightened lending competition. "Some banks are building concentrations in areas that were problematic in the past credit cycle, while other banks with limited opportunities in their markets are adopting strategies focused on merger, acquisition, or liquidation options."

The agency said making strategic moves to innovate with new technology-based banking "involves assuming unfamiliar risks," but the report also suggested banks may face heightened risk if they do not innovate.

"Banks are increasingly offering innovative products and services, enabling them to better meet the needs of their customers," the OCC said. "While doing so may heighten strategic risk if banks do not use sound risk management practices that align with their overall business strategies, failure to innovate to meet evolving needs or financial services may place a bank at a competitive disadvantage."

With continued credit risk concerns from leveraged lending and indirect auto lending, the OCC said it has also observed an easing of underwriting standards for commercial real estate loans.

"CRE lending and concentration risk management has become an area of emphasis for regulators," Curry said.

As CRE portfolios have grown considerably in recent years, Curry added, examiners have "found looser underwriting standards with less-restrictive covenants, extended maturities, longer interest-only periods, limited guarantor requirements, and deficient-stress testing practices."

Among banks' operational risk concerns, the OCC pointed to the evolution of cyberattacks, which have now struck interbank networks and included complex malware. The report said banks and other businesses have continued to be hit with ransomware attacks, as well as through "business email compromise," or BEC.

"Public reports indicate that BEC schemes are evolving to include digital impersonation of chief executive officers," the report said. "These criminals then e-mail internal accounting and human resources offices and request copies of employee W-2 information to facilitate additional fraud and identity theft."

The OCC said digital currency and other new products adopted by banks or their customers have increased Bank Secrecy Act and anti-money-laundering concerns while difficulty in following new regulatory standards such as the integrated mortgage disclosure has added to compliance risks.

"On the compliance front, BSA/AML risk continues to increase," Curry said. "Technological developments in enhanced delivery platforms for bank products may create new vulnerabilities to cyber threats and criminal activity."

Even if banks decide to cut off their ties with potentially risky business lines or countries, risks to the financial system overall can increase, the OCC found. "If customer terminations result from such reevaluations, this may cause certain customer segments or transactions to move outside of the traditional financial system," the report said.

In addition to the integrated mortgage disclosure, other recent regulatory changes banks are adapting to include amendments to the Military Lending Act. Hiring third-party companies to help bear the burden of those changes can also create risk, the report found.