Credit risk, interest rate risk and cybersecurity concerns pose growing risks, according to a semiannual risk report issued Wednesday by the Office of the Comptroller of the Currency.
It found that institutions are continuing to loosen underwriting standards for a number of loan categories to search for yield in a low interest-rate environment.
"In the area of credit risk, the warning lights are flashing yellow. Regulators and bank management need to act now to prevent those risks from becoming reality," Comptroller of the Currency Thomas Curry said in a briefing accompanying the report. "We can't afford to wait until the warning lights turn red."
The report found that banks were easing standards in the loan structure, terms, pricing, and collateral, among other moves. It also found such credit loosening more prevalent with indirect auto, commercial and industrial, and multifamily commercial real estate loans.
"As the economic cycle turns, we see banks and thrifts reaching for yield and growth, sometimes extending their reach at the expense of sound underwriting, strong risk management, and adequate loan loss provisioning," Curry said. "OCC examiners will be paying close attention to each of those areas in the coming months."
The easing of credit was actually slightly greater in 2014 than this year, according to the OCC's latest credit underwriting survey, which was included in the semiannual risk report. However, the looser underwriting standards have reached the levels of the 2006-2007period, right before the financial crisis.
Regulators are particularly worried about lenders concentrating on energy loans amid low oil and gas prices.
"There is no question the energy industry has been hit hard with the decline in oil and gas prices … problem energy loans have increased," Curry said. "Losses from these loans have been moderate so far, but we are likely to see some increases in the months ahead."
Curry also emphasized a concern with interest rate risk for banks, particularly as the Federal Open Market Committee said Wednesday it would raise interest rates for the first time in more than nine years.
"Interest rates have remained at historic lows for an extended period, and bank earnings could be affected negatively if short-term interest rates rise relative to long-term rates," Curry said. "We expect banks to assess their interest rate risk exposure under a variety of scenarios specific to the bank's own risk and complexity. We also expect banks to assess the risk that the large deposit growth that occurred during the recession could potentially change direction quickly as rates rise."
Compliance was also an issue that came up repeatedly in the report, particularly in areas like cybersecurity and Bank-Secrecy Act/anti-money laundering.
The OCC's strategy "is to be much more open in terms of asking banks to take the initial step to make a critical assessment on their own and to take proactive steps," said Curry during the question-and-answer session with reporters. "And we intend to supplement that with our ongoing examination programs which will increasingly focus on cyber risk."
The report noted that a bank's dependence on third parties and innovation into new areas like virtual currencies may also pose risks in preventing cyberattacks.
"Ideally you want the bank to have adequate defenses against these threats but you also have to plan for the potentiality that they will succumb to an attack," Curry said. So the "emphasis is on your ability to resume business, or to have the resiliency to continue to function either immediately or within a reasonable period of time afterwards."
When asked whether banks are doing enough to have the right technology in place to combat cyberattacks, Curry recognized that it is an evolving feat for banks.
"Banks are investing a considerable amount in terms of investments in BSA/AML. The issue is, which is a concern we have with cybersecurity too, is the dynamic is constantly changing," Curry said. "And there's the need to keep up and that requires additional investment both in systems and individual management personnel."
The exposure to risks differed somewhat between large banks and community banks, the OCC said.
"Our priorities for large bank examiners include governance and oversight, credit and underwriting, and in the area of compliance, we will focus on cyber, BSA/AML, fair access, and operational risk," Curry said. "For community banks, examiner priorities include strategic planning and governance, underwriting, interest rate risk, as well as the compliance issues mentioned for large banks."
While the OCC's report said that underwriting and cybersecurity risks are increasing, it concluded that strategic, compliance and interest rate risks "remain stable.”