By Madeleine G. Kvalheim
On Jan. 18, the Office of the Comptroller of the Currency released its semiannual report on risks plaguing the federal banking system during the fall of 2017. The report highlights the OCC’s ongoing concerns for federal banks as they affect consumers and the integrity of the banking system in relation to compliance mandates. The report acknowledges the fierce competition in the banking sector as institutions face continuing pressure to efficiently lend money in a fast-paced environment where consumers demand rapid technological advancements. And this is all in the face of similarly complex and ever-changing regulations. These factors create a plethora of risks and insurmountable exposure for the federal banks under the purview of the OCC.
The OCC explains that while most loans are secured by dependable assets, underwriting overall is merely “acceptable” in its current state. Examining the strong competition for loans in a slow-growth market with marginal returns, the OCC concludes the current market favors an easing in underwriting processes, which exposes banks to increased risks in later uncertain markets. Banks have grown seemingly relaxed in our post-recession society, which the OCC urges has led to lender “complacency.” The agency encourages lenders to instead home in on stabilizing their credit practices within risk ranges that are sustainable “under less benign economic conditions,” such that risks are accounted for in potential allowances or losses. This is especially true for agricultural lenders faced with growing concerns that once-profitable agricultural sectors are slowly deteriorating.
Increasing Privacy Threats
Occurring with exponential frequency and advancement, cyberattacks target vulnerabilities offering the greatest potential for obtaining proprietary information and personally identifiable information of employees and customers. The two main types of attacks are phishing — the use of rigged messages to trick recipients — and watering holes — infecting popular websites with malicious code that is transferred to visitors.
The OCC explains that outdated software and security are to blame for most breaches, and that banks should not only routinely maintain and update their security systems but also test their processes for weaknesses and establish action plans to employ in the event of a breach. Additionally, banks should be aware that information technology products and services are also frequent targets, as they are part of a bank’s supply chain and can be the weakest link. The OCC encourages a “layered security approach,” with strong authentication and strict management of those system users with unfettered access.
Lastly, the OCC notes that the concerning trend of consolidation among third-party service providers, upon which growing numbers of banks rely, makes the remaining entities more desirable targets for cyberattacks. Thus, the use and reliance upon third parties to provide new products and services to banks represents an external risk that must be managed, tested and planned for like internal risks.
Heightened Compliance Risks
In light of the previously discussed threats of security breaches, the OCC emphasizes that banks must be mindful of adherence to Bank Secrecy Act requirements. The platforms offered to consumers and used internally create potential points of failure that implicate the BSA. The OCC also emphasizes the need to comply with the upcoming implementation of the Financial Crimes Enforcement Network’s beneficial ownership/customer due diligence regulation and new Office of Foreign Assets Control sanctions.
Next, forthcoming changes to consumer protection regulations pose internal challenges to banks. The OCC specifically references the integrated mortgage disclosure requirements under the Truth in Lending Act and Real Estate Settlement Procedures Act, and the updated requirements of the regulations implementing the Home Mortgage Disclosure Act and Military Lending Act. While the integrated disclosure requirements set forth specific calculations and limits for fees, payment streams and timing in October 2015, the OCC continually encounters non-conforming banks that risk reimbursements, rescissions and statutory damages as a result of their actions.
Alternatively, new HMDA requirements obligate banks to (1) update their submission process for data collected in 2017 such that by March 2018, they will be ready to use a new platform with specifications issued by the CFPB; and (2) collect additional data points for applications received in 2018 to be submitted in March 2019. The MLA has expanded protections to those in the military to a broader range of products, such that additional charges are included in the tabulation of the maximum annual percentage rate of 36 percent in comparison to the stipulations under Regulation Z. In total, the OCC asserts that “amendments have the potential for significant compliance, credit and reputation risk exposure in OCC-supervised banks.”
Finally, the OCC addresses the broad umbrella of bank compliance in asserting that internal quality is essential in risk-management processes aimed at ensuring compliance. The regulator explains that “banks are expected to have consumer compliance risk-management systems commensurate with the risk inherent in their products and services.” The OCC ends its substantive report with the notion that “in some banks, these systems have not kept pace with the increasing complexity of the regulatory and risk environments in which they operate.”
The finite amount of resources in comparison to the cost of compliance, business, new and competitive products and services, and reliance on third parties increases the demand on strained risk-management and compliance systems. These factors coalesce into mounting exposure for banks, increasing public scrutiny, potential likelihood of compliance failure, and impact on customers — all of which the OCC encourages banks to get ahead of through diligent management and planning.
Madeleine G. Kvalheim is a litigation associate in Baker Donelson’s Atlanta office. She can be reached at firstname.lastname@example.org.