Why it matters

The OCC’s most recent report on current key risks should be read by all banks, regardless of size or regulator, as a road map in preparing for the next examination. Few banks would ever admit they may have eased their loan underwriting standards or practices. However, they must be prepared to prove the negative in the next exam if any loan growth might suggest otherwise to an examiner. And if the bank does any auto lending, expect a full-body-scan exam of that line of business. Further, if a bank is looking at any new fee income opportunities, it would be best to reach out to the bank’s examiners early and make them a partner in the bank’s planning and not just a Monday-morning quarterback. Finally, if the Board of Directors has not undertaken thorough, and likely costly, third-party review projects and implemented changes for IT and cyber risk, and heightened BSA due diligence for high-risk customers, fair lending compliance and enterprise-wide risk management and governance, the Board most likely can expect Management Required Action findings for those areas if not worse criticisms and recommended enforcement action in the next report of examination.

Detailed discussion

The OCC’s Semiannual Risk Perspective for Fall 2014 highlighted several areas of risks facing the federal banking system.

Declining revenues and profitability have resulted in increasing credit risk in the banking sector, the regulator found. Coupled with rising competition for limited lending opportunities, the OCC “has observed weak underwriting standards,” especially in areas such as direct and indirect auto lending, commercial and industrial loans, and asset-based lending, as well as increases in policy and underwriting exceptions.

Another worry for the OCC: a prolonged low-interest-rate environment. Expressing concern about future vulnerability, the report features a special section with data collected to study bank-reported interest rate sensitivities. “Banks that extend asset maturities to pick up yield could face significant earnings pressure and potential capital erosion depending on the severity and timing of interest rate moves,” the regulator wrote.

In an effort to generate revenue and compete with nonbank firms, some banks are reevaluating “business models and risk appetites,” the OCC noted. Efforts to lower overhead expenses include the outsourcing of critical control functions to third parties and the leveraging of technology through cloud computing and mobile banking.

Yet even as banks continue to expand their third-party relationships and permit employees access to systems with personal devices such as mobile phones and tablets, they are failing to incorporate cybersecurity considerations into their overall governance, risk management, or strategic planning process, the OCC said. To ensure that banks establish and follow appropriate risk management processes along the way, examiners “will focus on banks’ strategic planning,” the report noted.

As for BSA/AML risks, the OCC explained that bank fraud methodology continues to grow and evolve. As a result, banks “are expected to incorporate appropriate controls to oversee new products and services, and higher-risk customers,” the agency said.

Over the next 12 months, the report outlined the areas of heightened supervisory focus by the OCC. For large banks, corporate governance and oversight, operational risk (including cybersecurity and data protection), and credit underwriting top the list. For community and midsize banks, the regulator will key in on strategic planning and execution (assessing whether banks’ plans are realistic and appropriate, for example), corporate governance, stress testing, operational risks, and cyber threats.

To read the OCC’s Semiannual Risk Perspective, click here.