[author: Henry Umney]
Banking regulators around the world often proactively engage with their chartered banks to provide advice on their priorities.
They want feedback, comment and contribution about issues that may need to be resolved. This helps regulators and regulatees get a comprehensive view of complex issues and helps develop initiatives that create better outcomes for banks, consumers and the economy at large.
As part of this market commitment, the United States Office of the Comptroller of the Currency (OCC) recently released its Fall 2021 Semi-annual risk outlook.
The review highlights that the OCC sees operational risk issues as the most significant risk banks will face in 2022. Compliance risk is also an issue for the OCC, in part due to a continued stream of regulatory requirements, but also the end of the CARES (Coronavirus Aid, Relief, and Economic Security Act) Paycheck Protection Program (PPP) and other forbearance programs. The OCC is also aware of the impact on banks of low interest margins and the need to improve profits.
The OCC’s focus on operational risk has come to light, in part because of the challenges of the past two years, but also because of longer-term developments. These have been driven by technological developments and the need to provide new products and services in a low interest economy.
Three interconnected operational risks
The OCC has identified three critical operational risks that are interconnected: cybersecurity, the ongoing digitization of banking services, and the reliance on third parties to provide critical services.
Cybersecurity is a well-understood issue, but the changing nature of banking services – and the potential for new threats to emerge – means that investments in this area remain significant and essential. Many of these changes in banking have been driven by the rapid growth of digital banking. These changes are in turn shaped by how banks have worked closely with third parties, either as providers of data, technology or business applications, or as partners providing new access routes to the market.
The main concern? Third party risk
In many ways, it is third-party risk that is of most concern to U.S. regulators, as the OCC, Federal Deposit Insurance Corporation (FDIC), and Federal Reserve collaborate on how best to manage relationships with third parties.
Historically, banks have been slow to adopt third-party services, especially cloud services, compared to their peers outside of financial services. However, with safety considerations fully taken into account, banks are more than making up for lost time. They are aggressively adopting cloud-based computing capabilities for their own use, as well as cloud-based services that feature in many of the services provided through their supply chains, both directly by third-party vendors and by vendors in the fourth and fifth tiers.
These third-party services are essential to the delivery of many new services and products, where vendors and partners provide much of the data, technology, information and market access routes that banks need to make them a success. Quite simply, third-party organizations may provide these services faster and more cost-effectively than if the banks went it alone.
However, as regulators and banks have observed, the data security and management standards and processes that are in place at banks must be mirrored at their third-party service providers and throughout their supply chains. Banks, and ultimately regulators, need to be confident that these providers have the capabilities to implement and monitor their requirements.
This third-party risk management principle is at the heart of the proposed inter-agency guidelines for relations with third parties, published by the OCC, the FDIC and the Fed, which are currently under consultation. Regulators and banks need visibility into their relationships with third parties and the deeper supply chain, which in turn supports these businesses. Issues related to operational robustness and concentration risks are at the forefront as regulators search for new systemic risks that could impact banks and the broader economy.
The capabilities needed to deal with third-party risk
It will be interesting to see the conclusion of the consultation process. Nevertheless, there are clear third-party risk management capabilities that banks will have to adopt and should start thinking about now, even before the requirements inspired by the consultation are finally published.
The issue of supply chain depth means that a decentralized application delivered as SaaS is key to any successful third-party risk management (TPRM) initiative. This approach will help companies in the third, fourth and fifth tiers of a supply chain quickly and easily implement any bank’s TPRM requirements.
A bank will need a centralized repository containing the relevant contracts, standard policy documentation and risk profiles of the different vendors. Risk and compliance teams need to proactively monitor the different elements of the supply chain, so they can react quickly if problems arise at any level, before a minor problem turns into something more serious.