May 18 - Comptroller of the Currency Thomas J. Curry discussed operational risk facing national banks and federal savings associations during his speech to the Exchequer Club in Washington, D.C., on May 16, 2012. His speech is below.
Thank you for inviting me back to the podium of the Exchequer Club, which is home to so many good friends and colleagues. It is a great honor to come before you as Comptroller of the Currency. Twenty-nine distinguished Americans have held the office since the OCC was founded nearly 150 years ago, and I’m proud to be the bearer of their legacy.
After all that has happened over the past half-decade, I feel fortunate indeed to assume the responsibilities of the office at a time when the system of national banks and federal thrifts is on the mend and returning to a satisfactory condition. On average, balance sheets are stronger, earnings are improving, and the number of problem institutions and institutional failures, while still too high, is declining. Asset quality has been improving over the past several years. Among our largest banks, charge-off rates have fallen across all product lines, with reductions of 50 percent or more from 2009 levels in credit cards, commercial and industrial lending, and commercial real estate. Better asset quality has enabled banks and thrifts to trim new provisions for loan-losses, increasing the resources available for their own and their customers’ use. Some asset concentrations remain embedded in institutions’ portfolios, particularly in residential real estate, but they are mitigating the risks such concentrations entail. Capital now stands at its highest level in a decade, system-wide – the result of increased earnings, low dividend payouts, new capital issuances, and reductions in risk-weighted assets. And with a strong base of deposits, banks and thrifts have the liquidity they need to handle any reasonable contingency.
These improving measures of financial health do not mean that the institutions we supervise are out of the woods. Loan demand remains sluggish, as the economy continues to under-perform. Non-interest income is down, and the yield curve continues to be unfavorable. These factors all bear watching, keeping in mind that failures in the fundamentals of sound credit underwriting and balanced growth drove the decline from which we’re still recovering. Our economic prospects – local, regional, national and international – depend on a banking system that is both safe and sound.
But as the industry continues to heal from the credit and capital market challenges of the financial crisis, it is evident that another type of risk is gaining increasing prominence. That is operational risk—generally defined as the risk of loss due to failures of people, processes, systems, and external events. The risk of operational failure is embedded in every activity and product of an institution – from its processing, accounting, and information systems to the implementation of its credit risk management procedures. Managing operational risk requires banks and thrifts to control the straightforward things – like ensuring that legal documents are properly signed and contain accurate information – as well as the more multifaceted ones, like validating the inputs, assumptions, and algorithms in their risk models. Operational risk is heightened when these systems and procedures are most complex.
Given the complexity of today’s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise. This is an extraordinary thing. Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge.
Rising operational risk concerns them, it concerns me and it should concern you. We all know about the damage operational deficiencies can cause. Inadequate systems and controls were a primary reason for the recent problems in mortgage servicing and foreclosure documentation practices—problems that have had a big impact on the reputation and financial condition of the large banks that were implicated in those practices, on the timely clearing of non-performing loans, and on the general housing market.
Those banks did a poor job supervising both their own internal processes and the providers to which they outsourced some of these functions, and they are paying the price for their mistakes. Operational risk for institutions of all sizes can arise also from flawed risk assessment and risk management systems within the institution. For community institutions with credit concentrations, a flawed assessment of risk can lead to inadequate controls and insufficient risk management systems.
For the largest institutions, the challenges here can be exceedingly complex. One example takes the form of faulty risk assessment and risk management of the inter-relationship of risks in different markets on the value of the institution’s assets. Too often, we have seen conspicuous and expensive examples of the toll that one form of operational risk—flawed risk models—can take. This so-called "model risk" is a species of operational risk, and is an important supervisory issue. Together with the Federal Reserve, we issued supervisory guidance on model risk management about a year ago. This replaced previous OCC guidance on model validation and emphasized the importance of approaching model risk as an important focus of risk management for institutions that make material use of models.
The guidance stresses the need for ongoing monitoring and analysis to ensure that models are likely to continue to perform as expected. In line with that guidance, and in view of the complexity of some models, institutions should be comparing their model results to the results of alternative approaches, and should supplement model results with other information and analysis. This helps avoid narrow reliance on single approaches, which can increase the risk of model failures and the related operational losses.
The OCC has directed the institutions we supervise to comply with this guidance, and we actively apply it through our ongoing supervisory processes. Yet, as banks and thrifts face greater resource constraints and higher compliance costs, they may feel greater pressure to economize on systems and processes in order to enhance their income and operating economies—and therefore may be at greater danger of those systems and processes breaking down. All institutions, regardless of size, must resist the temptation to under-invest in the systems and controls they need to prevent greater risk and larger losses in the future.
They should take their cues from the cases in which such breakdowns have occurred. Many examples exist in addition to those I’ve just described. For example, where financial institutions have been less than vigilant about the IT security of processors with whom they contract to provide merchant processing services, breaches have occurred, and millions of credit and debit account holders were impacted. Banks and thrifts lacking adequate controls over their third-party marketing relationships have unwittingly given their blessing to consumer financial products with unfair and deceptive characteristics, exposing the institution to sanctions by the OCC for unfair and deceptive practices.
And we’ve seen institutions outsourcing such functions as debt collection but not taking adequate care to ensure that the third-party contracted to perform those functions follows the laws and regulations governing them. The result has been regulatory penalties and reputational damage. Let me say that the OCC is very supportive of efforts by the banks and thrifts it supervises to operate efficiently and to offer a wide range of products and services that provide value to the consumer. That’s what a safe and sound banking system must do, and sometimes those goals are best advanced through partnerships with third-parties.
But when a bank or thrift enters into a third-party relationship, it must understand that it does not wipe its hand of responsibility for the quality and characteristics of the products that are offered to its customers through this channel—even if those products are not marketed with the institution’s brand. Due diligence in identifying, measuring, and monitoring the risk from third-party relationships, and establishing mechanisms for controlling and continuously monitoring those risks, is thus an essential part of managing operational risk, which in turn affects its safety and soundness.
An area where the intersection of operational and other risks is very evident today concerns Bank Secrecy Act and anti-money laundering compliance. When things go wrong in those areas, not only is the integrity of the institution’s operations compromised, but national security and drug trafficking interdiction goals can be undermined, as well. This, too, affects institutions of all sizes, even though it’s large banks that are most likely to make the headlines when they are found to have BSA/AML deficiencies. But the OCC also is finding a rising number of BSA/AML problems in, and taking appropriate supervisory and enforcement actions against, midsize and community institutions, for problems that include ineffective account monitoring, inadequate tracking of high-risk customers and bulk cash transactions, and lapses in monitoring suspicious activity. BSA/AML compliance is inherently difficult.
It combines the challenges of sifting through large volumes of transactions to identify features that are suspicious, with the presence of criminal and possibly terrorist elements dedicated to and expert in concealing the nature of the transactions they undertake. Rendering BSA/AML compliance more challenging is the fact that BSA/AML risks are constantly mutating, as criminal and terrorist elements alter their tactics to avoid detection and penetrate our defenses. They move quickly from one base of operations to another, finding sanctuary in places where law enforcement, or sympathy for U.S. policy objectives are weakest. Thus, success is often transient where BSA/AML is involved, and efforts must be constantly re-energized. Controls that may be entirely adequate today may prove inadequate for tomorrow’s risks and threats. However, it is critical that banks and thrifts instill strong cultures and oversight processes.
Management needs to focus on key controls and maintain knowledgeable and sufficient staff. We can never underestimate the determination and ingenuity of our adversaries—and we must be equal to that risk as it evolves. This, I recognize, is a major challenge. If we are to defend the security of our financial system and our nation—as we must—industry and government cooperation is crucial. As regulators, one of our most important jobs is to identify risk trends and bring them to the industry’s attention in a timely way. No issues loom larger today than operational risk in all its dimensions, the manner in which all risks interact, and the importance of managing those risks in an integrated fashion across the entire enterprise. These themes are a supervisory priority for us at the OCC today and they should similarly command the attention of the industry. Thank you.