The OCC’s focus on operational risk has emerged, in part through the challenges in the last two years, but also because of longer-term developments. These have been led by technology developments, and the need to deliver new products and services in a low interest rate economy.
Three interconnected operational risks
The OCC has identified three critical operational risks that are interconnected: cyber-security, the ongoing digitization of banking services, and the use of third parties to deliver critical services.
Cyber-security is a well-understood issue, but the changing nature of banking services – and the opportunities for new threats to emerge – means that investments in this area remains significant and essential. Many of these changes in banking have been driven by the rapid growth of digital banking services. These changes are in turn shaped by the ways that banks have worked closely with third parties, either as suppliers of data, technology, or business applications, or as partners offering new routes to market.
The main concern? Third-party risk
In many ways, it is third-party risk is concerning US regulators the most, to the extent that the OCC, The Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve are collaborating on how best to manage third-party relationships.
Historically, banks have been slow to adopt third-party services, especially cloud-computing services, compared with their peers outside financial services. However, with security considerations fully addressed, banks are more than making up for lost time. They are aggressively adopting cloud-based computing capabilities for their own use, as well as adopting cloud-based services that feature in many of the services provided through its supply chain, directly by third party suppliers as well as suppliers deep in the fourth and fifth tier.
These third-party services are core to delivering many new services and products, where suppliers and partners provide much of the data, technology, insight, and routes to market that banks need to make these ventures a success. Quite simply, third-party organizations can deliver these services faster and more cost-effectively than if banks went it alone.