OCC: Third-party Risk is a Key Issue for US Banks in 2022
Banking regulators across the world often engage proactively with their chartered banks to provide guidance about their priorities.
They want feedback, comment, and input about issues that may need addressing. This helps regulators and the regulated get a fully rounded view of complex issues and helps to develop initiatives that create better outcomes for banks, consumers, and the broader economy.
As part of this market engagement, the US Office of the Comptroller of the Currency (OCC) has recently published its Fall 2021 Semi-annual Risk Perspective.
The review highlights that the OCC considers operational risk issues to be the most significant risk facing banks in 2022. Compliance risk is also an issue for the OCC, in part owing to an ongoing stream of regulatory requirements, but also due to the winding-up of the Coronavirus Aid, Relief, and Economic Security (CARES) Act’s Paycheck Protection Program (PPP) and other forbearance programs. The OCC is also aware of the impact on banks of low interest margins and the need to improve earnings.
The OCC’s focus on operational risk has emerged in part through the challenges of the last two years, but also because of longer-term developments. These have been led by advances in technology and the need to deliver new products and services in a low interest rate economy.
Three interconnected operational risks
The OCC has identified three critical operational risks that are interconnected: cyber-security, the ongoing digitization of banking services, and the use of third parties to deliver critical services.
Cyber-security is a well-understood issue, but the changing nature of banking services – and the opportunities for new threats to emerge – means that investment in this area remains significant and essential. Many of these changes in banking have been driven by the rapid growth of digital banking services. These changes are in turn shaped by the ways that banks have worked closely with third parties, either as suppliers of data, technology, or business applications, or as partners offering new routes to market.
The main concern? Third-party risk
In many ways, it is third-party risk that is concerning US regulators the most, to the extent that the OCC, the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve are collaborating on how best to manage third-party relationships.
Historically, banks have been slow to adopt third-party services, especially cloud-computing services, compared with their peers outside financial services. However, having addressed security considerations, banks are more than making up for lost time. They are aggressively adopting cloud-based computing capabilities for their own use, as well as adopting cloud-based services that feature in many of the services provided through their supply chain, directly by third-party suppliers as well as by suppliers deep in the fourth and fifth tiers.
These third-party services are core to delivering many new services and products, where suppliers and partners provide much of the data, technology, insight, and routes to market that banks need to make these ventures a success. Quite simply, third-party organizations can deliver these services faster and more cost-effectively than if banks went it alone.
However, as regulators and banks have observed, the security and data management standards and processes that feature in banks must be mirrored in their third-party service providers and their supply chains. The banks and, ultimately, regulators need visibility that these suppliers have the capabilities to implement and follow their requirements.
This principle of managing third-party risk goes to the heart of the Proposed Interagency Guidance for Third-party Relationships, issued by the OCC, the FDIC, and the Fed, which is currently out for consultation. Regulators and banks need visibility of their third-party relationships and of the deeper supply chain that in turn supports these businesses. Issues around operational robustness and concentration risk are front of mind as regulators search for new systemic risks that could impact banks and the broader economy.
The capabilities needed to address third-party risk
It will be interesting to see the conclusion of the consultation process. Nevertheless, there are obvious third-party risk management capabilities that banks will need to adopt and should start thinking about now, even before the requirements inspired by the consultation are finally published.
The depth of the supply chain means that a decentralized, SaaS-based application is key to any successful third-party risk management (TPRM) initiative. This approach will help companies in the third, fourth, and fifth tiers of a supply chain to quickly and easily implement the TPRM requirements of any bank.
A bank will need a centralized repository containing the relevant contracts, policy standard documentation, and the risk profiles of the various suppliers. Risk and compliance teams will also need to proactively monitor the various elements of the supply chain, so they can respond swiftly if issues emerge at any level before a minor issue develops into something more serious.
Mitratech offers powerful and proven TPRM solutions that will help banks respond positively and decisively to the enhanced expectations of their regulator.