Our Take: financial services regulatory update – September 29, 2023

Change remains a constant in financial services regulation. Read "our take" on the latest developments and what they mean.

Current topics – September 29, 2023

1. OCC issues FY24 supervisory plan

On September 28th, the OCC released its Committee on Bank Supervision Operating Plan for fiscal year (FY) 2024. The plan guides the OCC’s policy initiatives, supervisory priorities and planning for the following year. It highlights several key areas for examiners to focus on, including:

  • Asset and Liability Management: The plan highlights the importance of stress testing and contingency planning in light of vulnerable market conditions, rising interest rates and geopolitical events. There is also a focus on whether banks’ risk appetites and policy limits are consistent with projected risk to asset values, deposit stability, liquidity, capital, and earnings.
  • Credit and Allowance for Credit Losses (ACL): The plan notes the importance of stress testing for vulnerable retail and commercial borrowers, particularly for commercial real estate. It states that examiners will also be looking at the effectiveness of banks’ ACL methodologies in estimating lifetime expected credit losses given present economic conditions.
  • Climate-related financial risks: The plan notes that banks with over $100 billion in assets need to provide information on their climate-related risk frameworks, including strategic planning, policies and procedures, and scenario analysis capabilities.
  • Distributed ledger technology (DLT) related activities: The plan highlights the importance of strong risk management around crypto-asset custody, tokenization of real-world assets and liabilities, payments, and other uses to support business operations. It also specifically highlights adherence to the OCC’s expectations that firms receive a supervisory nonobjection before engaging in DLT activities.
  • Cybersecurity: Noting that cybersecurity risk remains a supervisory focus, the plan states that examinations should focus on controls to identify, detect and prevent vulnerabilities, including system and data backup techniques, authentication, access controls, segmentation, patch management, incident response, end-of-life programs and third-party risk management.
  • Operations: The plan focuses on identifying and assessing products, services and third party relationships with unique, innovative, or complex structures, such as real-time payments, banking-as-a-service (BaaS) arrangements, distributed ledger-related activities and use of artificial intelligence technologies. It specifically calls out the importance of managing third party relationships with fintech companies.
  • Change management: Examiners are instructed to identify banks that are implementing significant changes in their leadership, operations, risk management frameworks, and business activities, including the use of third-party service providers that support critical activities.
  • Payments: The plan notes the importance of assessing banks’ payment systems and payments related products and services, especially new or novel products, services, or delivery channels, such as person-to-person payments. It also indicates that it will be looking at risk management practices related to the use of the FedNow payment system.
  • Consumer compliance: The plan calls for examiners to focus on compliance for new products and services offered through third parties, especially those with fintech or BaaS activities. It stresses prohibiting unfair, deceptive, or abusive acts or practices, including review of risk management practices for overdraft protection programs and the use of clear and consistent language when communicating with consumers.
  • Fair lending and Community Reinvestment Act (CRA): According to the plan, examiners should assess how banks ensure fair access to credit “on a nondiscriminatory basis” and mitigate redlining risks across the full lifecycle of credit products, including “the potential for mortgage lending discrimination resulting from appraisal bias or discriminatory property evaluations.” The plan indicates that upcoming CRA exams will place emphasis on making sure that assessment areas are appropriately defined. It also encourages banks to be ready to incorporate any changes to the imminent CRA modernization rule.
  • AML: The plan highlights the importance of ensuring that a bank’s operations and systems help mitigate risk, and of banks’ plans for implementing the requirements of the 2020 AML Act.

Our Take

While the OCC’s FY24 supervisory plan covers similar topics to last year, there is a call to action for financial related topics such as liquidity stress testing scenarios with respect to volatile economic conditions and depositor preferences. As such, bank management should prepare to present to examiners analyses of their uninsured deposits and balance sheet profiles as well as explanations of how they have (a) updated their internal liquidity stress testing assumptions for behaviors exhibited during the recent bank failures and (b) tested their capacity to execute contingency funding plans.

Another thread across the priorities is the focus on the ability of banks to evaluate and manage risks posed by novel products, many of which use innovative technology and partnerships with fintechs. The focus on growing relationships with fintechs, which was also highlighted in the June 6th interagency guidance on Third Party Risk Management, means that banks must be able to demonstrate adequate due diligence, on-going monitoring and sufficient oversight capabilities. This may involve reviewing agreements with third parties to provide transparency and auditability of their systems as well as having the talent necessary to adequately provide oversight and understand the associated risks.

These examination priorities should be considered with the understanding that examiners are under pressure to escalate concerns more quickly following the recent bank failures. Banks should therefore be prepared to (a) identify and correct issues before examiners find deficiencies; (b) act with urgency to remediate findings in a timely manner; (c) equip risk functions with sufficient resources and authority to oversee and address issues; and (d) enhance reporting of remediation efforts to support board and senior management oversight.

As economic conditions as well as geopolitical risk factors continue to evolve, regulators will expect that banks have the ability to adapt to the evolving conditions and regulatory priorities.

2. CFPB issues AI credit decisions guidance

On September 19th, the CFPB released guidance on adverse actions impacting credit, such as denials or lowering credit limits, by firms that use artificial intelligence (AI), machine learning (ML) or other complex models to reach their decisions. The guidance reminds lenders that they must give “specific and accurate” reasons for taking adverse actions as opposed to “vague and overly broad reasons that obscure...the reasons relied upon.” It further clarifies that firms may not rely upon the CFPB’s sample adverse action forms, which provide lists of reasons such as “limited credit experience” and “poor credit performance,” if they obscure the specific reason for the denial. The guidance notes that specific reasons are especially important for firms that use AI, as they often draw from broad sources or analyze types of data beyond the customer’s expectations. It also states that the guidance applies equally to firms using opaque “black box” models that they may not understand sufficiently to meet their obligations.

Our Take

Explainability has been a key component of the Administration’s expectations around AI, with previous CFPB guidance and President Biden’s AI Bill of Rights acknowledging the need for consumers to be able to understand how algorithmic models are being used to make decisions impacting them. The updated guidance, while not introducing any new expectations, is now putting firms on notice that meeting the CFPB’s explainability expectation may involve a greater level of detail than originally thought. In response, firms relying on AI/ML models will need to examine their model development and governance frameworks to ensure that they leverage industry-leading explainability practices such as (a) the imposition of monotonicity constraints [1] on the relationship between risk drivers and model outputs as part of model training and (b) application of explainability analysis methods such as partial dependence plots [2], Shapley Additive Explanations [3] and feature importance charts. The burden of creating standards and determining what is specific and accurate will fall onto institutions themselves, and it will be important to update policies, procedures, model development frameworks, and model validation standards. The explainability analysis methods are themselves not foolproof: they may produce unstable results and offer a false sense of security, so firms will need to continually audit these methods to make sure they are up to date and accurate.

[1] Monotonicity constraints ensure that variables have a consistent impact on an outcome in a specific direction (e.g., if the variable grows, then the model output always decreases).

[2] Partial dependence plots examine how changes in one variable impact the overall result of the model.

[3] Shapley Additive Explanations are a method for determining the contribution of each variable to the ultimate result.

3. On our radar

These notable developments hit our radar this week:

  • SAFER Banking Act advances. On September 27, the Senate Banking Committee advanced a bill that would provide a regulatory safe harbor for banks to work with state-legal cannabis companies. The Secure and Fair Enforcement Regulation Banking Act (SAFER Banking Act) is intended to ensure that cannabis businesses in legal states will not be forced to operate as cash-only enterprises, making them vulnerable to theft and various criminal activities. The bill still must pass the House and full Senate before President Biden could sign it into law.
  • Regulators update exam manuals. On September 28, the Federal Deposit Insurance Corporation (FDIC) issued an update to its Consumer Compliance Exam Manual (CEM) including changes about debt collection communications and determining when an exam should be completed off-site versus on-site.