On June 23, 2022, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (SRP) for spring 2022. In the SRP, the OCC opines on its current safety and soundness concerns for banks under its regulatory umbrella, focusing on Russia sanctions, climate-related risk, and rising inflation. Despite these challenges, the OCC believes that “[b]anks’ financial condition remains strong and positioned to deal with the economic headwinds.”
Of special note, the OCC also believes compliance risk is “heightened” for Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance because of world events and compliance staffing concerns. In addition, the OCC warns that banks face an “elevated” risk of cyber attacks and fraud or cybersecurity risks related to digital assets.
BSA/AML Compliance Risks
The OCC devotes a paragraph to discussion of BSA/AML and OFAC concerns related to “environmental crimes.” The OCC decries the climate risk and pollution caused by such crimes. And, echoing the Financial Crimes Enforcement Network’s (FinCEN) recent notice on the same topic, the OCC cautions that environmental crimes “have a strong association with corruption and transnational criminal organizations.” We have blogged about this topic several times and from several angles, noting how these crimes are estimated to create hundreds of billions in illicit funds each year. Like FinCEN, it appears that the OCC has this near the top of its priority list.
The OCC then zeroes in on another perennial concern: fraud in government relief programs. Citing the Covid-19 pandemic and “recent natural disasters,” the OCC characterizes fraud stemming from government relief programs as a “significant risk.” Anticipating that natural disasters will become more, rather than less, common, the OCC predicts long-term increased risk of fraud and urges banks to incorporate both environmental crimes and government relief fraud into long-term planning and risk assessments. The OCC clearly thinks that BSA/AML and OFAC concerns will continue to haunt government relief programs.
In the first SRP since the Russian invasion of Ukraine, the OCC reminds banks that they must “assess the applicability” of the “complex and evolving” Russia sanctions “on their institutions and customers.” The OCC urges banks to consider both the impact on branches here and abroad as well as overseas offices and subsidiaries. Hearkening back to two March FinCEN alerts on which we blogged, the OCC warns banks to “be vigilant against potential efforts to evade” sanctions and reminds banks that suspicious transactions may involve “real estate, luxury goods, and other high-value assets of sanctioned Russian elites and their family members and associates.” The OCC urges banks to use this as a springboard to increase efforts to detect foreign public corruption and kleptocracy.
The SRP notes that these compliance risks are currently more difficult to respond to because “[b]ank compliance functions also are experiencing challenges retaining and replacing staff.” It is no surprise that banks, like many other employers, are finding it difficult to hire and retain talent. The SRP warns that “lack of access to subject matter expertise,” funding cutbacks, over-reliance on third parties to assist in these critical functions, and telework are exacerbating compliance risk.
The OCC has long been concerned with operational risks posed to banks from cyber attacks. The SRP now estimates that operational risks to banks remain “elevated” because cyber attacks continue to “evolve” and “become more sophisticated.” Specifically, the OCC notes an increase in distributed denial of service (DDoS) attacks and ransomware campaigns directed at the financial services sector, including banks. We noted the increase in ransomware attacks and ransomware-related SARs discussed in FinCEN’s October 15, 2021 financial trend analysis on ransomware.
The OCC suggests “heightened threat monitoring” and “greater public-private sector information sharing” as two methods to combat DDoS and ransomware attacks. The OCC states, as a practical matter, that banks should implement and regularly test backup systems to ensure operational resilience and require multifactor authentication and “timely patch management” to make it harder for cyber attackers to gain access. These echo the suggestions of the Cybersecurity and Infrastructure Security Agency, a government agency within the Department of Homeland Security, in its recently announced Shields Up initiative.
Risks of Engaging with New Technologies, Including Distributed Ledger Technologies and Digital Assets
Finally, the OCC devotes significant time to cybersecurity and fraud risks related to digital assets. While the OCC recognizes that new technologies, including distributed ledger technologies and digital assets, “can offer many benefits to both banks and their customers,” the OCC believes new technologies are a common target for fraudsters. Citing this risk of fraud and the possibility of cyber attacks, the OCC provides a number of suggestions for banks considering engaging with digital assets:
- Banks should ensure that they have sufficient knowledge and expertise in the digital assets and the technology before engaging in new activity with digital assets;
- Banks should pay special attention to distributed ledger or digital assets companies “delivering banking and bank-like products and services”;
- Banks should consider their size, complexity, and risk profile before engaging in new activity with digital assets;
- Banks should engage in “appropriate due diligence, change management, and risk management processes” prior to engaging in new activity with digital assets;
- Banks may need to consider whether “additional or different controls [are needed] to safeguard against fraud, financial crimes, violations of sanctions requirements and consumer protection and fair lending laws, and operational errors”; and
- Finally, before engaging in certain activities with digital assets, banks supervised by the OCC should first obtain non-objection.
The SRP’s bottom line: banks should be deliberate and do their due diligence when engaging with new technologies, including distributed ledger technologies and digital assets.
The OCC also promises greater clarity on regulation of digital assets to come in the future, likely a reference to the Sprint Initiative the OCC is engaged in with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation, on which we previously blogged. The OCC is currently working to “develop a common vocabulary of terms” and “use cases and risks” to create “policy and supervision considerations” for digital assets for banks. With only another vague reference to coming regulations, it remains to be seen what shape they will take and when they will be unveiled.