OCC: Third-party Risk is a Key Issue for US Banks in 2022

The review highlights that the OCC considers operational risk issues as the most significant risk facing banks in 2022. Compliance risk is also an issue for the OCC, in part owing to an ongoing stream of regulatory requirements, but also down to the winding up of the Coronavirus Aid, Relief, and Economic Security (CARES) Act’s Paycheck Protection Program (PPP) and other forbearance programs. The OCC is also aware of the impact on banks of low interest margins and the need to improve earnings.

The OCC’s focus on operational risk has emerged, in part through the challenges in the last two years, but also because of longer-term developments. These have been led by technology developments, and the need to deliver new products and services in a low interest rate economy.

Three interconnected operational risks

The OCC has identified three critical operational risks that are interconnected: cyber-security, the ongoing digitization of banking services, and the use of third parties to deliver critical services.

Cyber-security is a well-understood issue, but the changing nature of banking services – and the opportunities for new threats to emerge – means that investments in this area remains significant and essential. Many of these changes in banking have been driven by the rapid growth of digital banking services. These changes are in turn shaped by the ways that banks have worked closely with third parties, either as suppliers of data, technology, or business applications, or as partners offering new routes to market.

The main concern? Third-party risk

In many ways, it is third-party risk is concerning US regulators the most, to the extent that the OCC, The Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve are collaborating on how best to manage third-party relationships.

Historically, banks have been slow to adopt third-party services, especially cloud-computing services, compared with their peers outside financial services. However, with security considerations fully addressed, banks are more than making up for lost time. They are aggressively adopting cloud-based computing capabilities for their own use, as well as adopting cloud-based services that feature in many of the services provided through its supply chain, directly by third party suppliers as well as suppliers deep in the fourth and fifth tier.

These third-party services are core to delivering many new services and products, where suppliers and partners provide much of the data, technology, insight, and routes to market that banks need to make these ventures a success. Quite simply, third-party organizations can deliver these services faster and more cost-effectively than if banks went it alone.

However, as regulators and banks have observed, the security and data management standards and processes that feature in banks must be mirrored in their third-party service providers, and their supply chains. The banks and, ultimately regulators, need to have visibility that these suppliers have the capabilities to implement and follow their requirements.

This principle of managing third-party risk goes to the heart of the Proposed Interagency Guidance for Third-party Relationships, issued by the OCC, the FDIC, and the Fed, which is currently out for consultation. Regulators and banks need visibility of their third-party relationships and the deeper supply chain, which in turn support these businesses. Issues around operational robustness and concentration risks are front of mind as regulators search for new systemic risks that could impact banks and the broader economy.