The Office of the Comptroller of the Currency (OCC) published its supervisory plan for banks for 2023 and issued a statement, from the Acting Comptroller Michael J. Hsu, welcoming the proposed rule on resolution-related resource requirements for large banks. The proposed rule aims to re-evaluate the resolvability risks and requirements for globally non-systemic banks to help mitigate the too-big-to-fail risk. OCC also announced plans to establish the Office of Technology early next year, aiming to provide strategic leadership, vision, and perspective for its financial technology activities and related supervision. Additionally, the Federal Financial Institutions Examination Council (FFIEC) updated the cybersecurity resource guide for financial institutions.
FFIEC amended the October 2018 Cybersecurity Resource Guide for financial institutions to update certain references and include ransomware-specific resources to address the ongoing threat of ransomware incidents. The guide is intended to help financial institutions meet their security control objectives and prepare to respond to cyber incidents. In another development, OCC recently released the "Bank Supervision Operating Plan," which facilitates the implementation of supervisory strategies for individual national banks, federal savings associations, federal branches, and agencies of foreign banking organizations as well as identified third-party services subject to OCC examination. The plan outlines supervisory priorities for 2023 (October 01, 2022 to September 30, 2023) and aligns with OCC's Strategic Plan, Fiscal Years 2023–2027 and the National Risk Committee’s (NRC) priorities. In addition to the baseline activities, OCC risk-based supervision will heighten its focus on the following areas:
- The potential impact to operational risk from cybersecurity threats, control breakdowns, and risk management gaps remains a supervisory focus. Operational resilience examinations should consider incident response and business resumption practices, with explicit evaluation of data backup and recovery capabilities. Information and cybersecurity examinations should focus on fundamental controls to identify, detect, and prevent threats and vulnerabilities; such controls include authentication, access controls, segmentation, patch management, and end-of-life programs. Examiners should review the effectiveness of governance processes dealing with technology investment and the implementation of systems and infrastructure changes.
- Examiners should determine whether banks are providing proper risk management governance of their third-party relationships and should identify the risk attributes of these relationships, for example, if they involve customer-facing products and services, are critical to bank operations, represent significant concentrations, affect the bank’s operational resilience, or affect compliance with requirements such as the Bank Secrecy Act and consumer protection laws. Additionally, examiners should determine whether the bank and third parties have sufficient, qualified staff to meet contractual obligations. Examiners should be aware of the cyber-related risks arising from third parties and evaluate the bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities.
- Examiners should assess whether banks remain vigilant when considering growth and new profit opportunities. Examiners should assess bank management’s and the board’s understanding of the impact of innovative or new activities, including activities offered through third-party relationships, on the bank’s financial performance, strategic planning process, and risk profile. Such activities could potentially involve areas such as payments, fintech, and digital assets.
- OCC will continue to work to better understand climate-related financial risks, particularly as they relate to risks at large banks. During 2023, the agency will continue information gathering efforts and plan on conducting additional industry outreach. At the largest banks, examiners will monitor the development of climate-related financial risk frameworks and will engage with bank management to understand the challenges that banks face in this effort, such as data and metrics, governance and oversight, policies, procedures, and limits, strategic planning, scenario analysis capabilities and techniques, and incorporation of the frameworks into current bank risk management processes.
- Other focus areas include credit risk management, allowances for credit losses, interest rate risk, liquidity risk management, consumer compliance, Bank Secrecy Act, fair lending, and Community Reinvestment Act.
Keywords: Americas, US, Banking, Regtech, Interest Rate Risk, Credit Risk, Liquidity Risk, Fintech, Digital Assets, Operational Resilience, Cyber Risk, Third Party Arrangements, Climate Change Risk, Scenario Analysis, Basel, FDIC, FFIEC, OCC