The Office of the Comptroller of the Currency (OCC) published its Fall 2020 Semiannual Risk Perspective.  Naturally, COVID-19 is a large factor on the risk environment for financial institutions.  These risks include credit risks and consumers’ ability to service debts, financial performance in a long-term low-rate environment, cybersecurity risks from altered work environments, and compliance risks with institutions trying to keep up with new programs designed to support businesses and consumers.

Credit Risk

Commercial, retail, and mortgage credit risks are increasing. Reduced business activities and record levels of unemployment have adversely affected customers’ ability to service debts, and nonperforming loans have increased. Losses, however, have yet to fully materialize across many segments of the banking industry. The system-wide offering of proprietary relief and mandated programs coupled with unprecedented stimulus efforts is likely masking potential losses within the financial services industry.

Banks should continue to work prudently with borrowers that are or may become unable to meet their ongoing contractual payment obligations. The OCC expects banks to maintain accurate and timely loan risk ratings based on the borrower’s financial condition, repayment ability, and ability to manage through the COVID-19 crisis. This includes maintaining an appropriate allowance for loan and lease losses or allowance for credit loss (ACL), as applicable.

Financial Performance

Bank profitability is emerging as a strategic risk as banks are challenged by low interest rates, credit quality concerns, significant asset growth in low yielding assets, and weak loan demand.

Most banks have asset-sensitive balance sheets contributing to the margin reduction as interest rates sharply declined early in 2020. Deposits and assets at OCC banks increased by $1.7 trillion
with growth of $1.5 trillion in large banks since year end 2019. Most of the growth was in low-yielding assets, which had a negative impact on margins. The combination of the low-rate environment and uncertainty around the stability of recent balance-sheet growth creates a difficult environment for profitability. Similarly, bank fiduciaries are experiencing intense fee compression driven by competition, digital disruptors, and increased investor demand for lower cost products and services. Reputation, compliance, and strategic risks are elevated as asset managers seek alternative revenue sources or ways to reduce costs. Bank management should consider the need for liquidity with the need for internal capital generation through earnings.

Cybersecurity

Banks should remain vigilant concerning cybersecurity control and risk management practices as banks face continuous threat from cyber actors. These actors have become less inhibited and
more sophisticated with their knowledge of the financial institution operations and vulnerabilities in bank applications or systems. In addition to exploiting susceptibilities, cyber actors continue to use popular exploitation methods, such as phishing and credential theft, to compromise bank systems.

While banks overall have adequate cybersecurity systems, examiners continue to identify concerns in banks related to bank information technology (IT) systems, change management, and
information security.

The financial sector continues to see an increase in ransomware attacks with cyber actors using phishing emails as the main attack vector. Recently, cyber actors have elevated their tactics to
not only target and encrypt bank data while compelling payment but also threaten to auction or publish customer information on the dark web. Banks should have a clear understanding of the
impact of a ransomware attack and the potential effects on the banks’ customers and third parties. Potential operational impacts from ransomware include disruption of core business activities, operational outages, lockout of business data, and switching to manual operations.

Compliance

Compliance risk is increasing, driven by government programs and mandates related to the CARES Act and state government requirements. These factors can create challenges for full and
accurate implementation of bank policies to meet BSA, consumer protection, and fair lending requirements. Specifically, these include responsibilities associated with underwriting and
opening new accounts, monitoring customer activity, processing transactions and loan modifications, servicing loans, communicating with customers, and meeting BSA and Office of
Foreign Assets Control compliance obligations.

Banks should follow effective change management and compliance risk management processes to identify, measure, monitor, and control the emerging risks related to consumer products or
services associated with the COVID-19 pandemic. Pandemic-related changes in bank staffing and availability may affect banks’ ability to comply with CARES Act provisions and other
regulatory requirements. In addition, banks’ strategies for processing consumer requests and applications may vary with implementation, increasing the risk of disparate treatment and
disparate impact on a prohibited basis. Appropriate monitoring measures help banks provide fair and consistent assistance and support to applicants and borrowers.

See the Perspective for more information.

If your institution has questions or just wants to make sure you are doing it right, contact us.

Please be advised that CSG provides financial services compliance audit and consulting services to our clients.  The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers.  Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services.  Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest.  Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.