US bank regulator reports key risks and effects of COVID-19

New Zealand Security Magazine - February-March 2021

Bank risks
COVID-19 ushers in a new era of risks for US banks.

The US Office of the Comptroller of the Currency’s Semi-annual Risk Perspective for Fall 2020 reports risky times for banks – from terrorist financing to cyberattacks and shady cryptocurrency activity.

The Office of the Comptroller of the Currency’s (OCC) Semiannual Risk Perspective addresses key issues facing banks in the US, focusing on those that pose threats to the safety and soundness of banks and their compliance with applicable laws and regulations. 

Published in November 2020, this edition is something of a COVID ‘special issue’, with the report noting increased risk exposures in the areas of credit risk, strategic risk, operational risk and compliance risk, and highlighting emerging areas of risk fuelled by the new realities of the COVID era.

Credit risk 

According to the OCC, credit risk is increasing in the US as the COVID induced economic downturn impacts on customers’ ability to service their debts.

COVID – and efforts to contain its spread –triggered a historic economic downturn from March. “The private service sector suffered the most, with massive job losses in high-touch industries, such as leisure, hospitality, and retail trade,” the report stated.

Placing the impact in historical context, real GDP in the US declined 10.1 percent between the fourth quarter of 2019 and the second quarter of 2020, compared with a peak-to-trough decline of 4.0 percent during the 2008–2009 recession.

Despite a rebound in economic growth due to businesses reopening after initial lockdowns, commercial, retail, and mortgage credit risks are all increasing. Added to this, states the report, unprecedented government stimulus packages are likely masking significant losses within financial services.

In terms of commercial lending, there are challenges in most sectors. According to the OCC, businesses that were weak before the pandemic, including highly leveraged borrowers, are especially vulnerable. 

“Commercial real estate, oil and gas, retail businesses, transportation, leisure and hospitality, and agricultural lending are areas of increasing risk exposure,” it stated. “Commercial borrowers’ cash flows have been negatively affected, including businesses that do not offer telework flexibility.”

Its guidance to banks is that they continue to work prudently with borrowers that are or may become unable to meet payment obligations, and that they maintain accurate and timely loan risk ratings based on the borrower’s repayment ability and ability to manage through the COVID crisis.

Strategic risk

Strategic risk is an emerging issue, says the OCC, due to historically low interest rates, potential credit stress, extent of asset growth in low yielding assets, and weak loan demand. These all negatively impact on bank profitability.

“During the second quarter of 2020, net income declined sharply due to higher loan loss provisions and lower net interest margins (NIM) primarily due to banks holding high levels of low yielding assets. Second-quarter NIM was the lowest measured in the past 30 years.”

Banks will face pressure to improve earnings by cost cutting and increasing risk. As asset managers seek alternative revenue sources or ways to reduce costs, risk exposure will increase.

“In response to similar challenges, banks have traditionally cut costs to maintain margins. Key control functions and processes, such as risk management, audit, compliance, and staff development, should be maintained to ensure risk management oversight during times of economic stress.”

Operational risk 

The move to remote working and an evolving and complex operating environment are elevating financial institutions’ exposure to operational risk. Cybersecurity threats are a key contributor to this heightened operational risk environment.

“Financial institutions are adjusting to a changing cyber landscape to protect their operations and customers from cyber criminals and fraud while many employees are working remotely,” observed the OCC. “Growth in bank employees’ teleworking during the crisis increased controls risks.

“Banks adjusted operating models to accommodate large-scale telework but are having to manage the complexities of unique security and internal control challenges. Additionally, the adoption of new and innovative products and operating models in the financial sector requires banks to manage rapid technological and operational changes to business processes.”

The sector has seen an increase in ransomware attacks, with phishing emails as the predominant attack vector. Malicious cyber actors are not only targeting and encrypting bank data for ransom, but also threatening to auction or publish customer information on the dark web. 

According to the OCC, potential operational impacts from ransomware include “disruption of core business activities, operational outages, lockout of business data, and switching to manual operations.”

The regulator suggests that banks need to have the capability to identify and respond to new threats in a timely manner in order to prevent potentially significant impacts. 

“Bank personnel should be made aware of possible threats that may affect their line of business, and the board of directors and senior management should be informed of critical cybersecurity threats that may affect the bank, its customers, or suppliers.”

Compliance risk 

Compliance risk has also been elevated, states the OCC, due to a combination of remote working and the need to rapidly operationalise COVID recovery programs designed to support businesses and consumers.

“Banks expedited the implementation of assistance programs, which elevated compliance risk. These programs featured increased compliance responsibilities and high transaction volumes while banks were trying to assess the impact of a weakened economy.”

Added to this, criminals have adapted their approach and money-laundering techniques to new COVID context, scamming people into moving illicit money on their behalf through funds transfers, physical cash movements, and other methods. 

The OCC urges banks to be vigilant in identifying potentially illicit activity, “including monitoring for schemes designed to take advantage of people affected by the COVID-19 pandemic and other means that criminals can use to exploit the situation.”

COVID-related scams are likely to increase if the pandemic drags on, the regulator suggests. Scams may include the targeting of people in need of care by advertising and trafficking counterfeit medicines and phishing schemes aimed at stealing personal and financial information. 

“Criminals and terrorists may exploit the public’s goodwill by setting up fake charities to accept donations that appear to be intended to help others suffering from the pandemic. Other scams include work-from-home schemes aimed at people who are out of work or those looking to earn a living while quarantined at home.”

The OCC recommends that banks ensure their anti-money-laundering programs are commensurate with their risk profile, and that they monitor information provided by law enforcement agencies in relation to trends in scams and money-laundering techniques targeting vulnerabilities created by the pandemic.

Emerging risks

The report also highlights emerging risks in payment products and services. interest in electronic and other forms of contactless payment has increased due to the COVID, and evidence suggests that nearly 40 million Americans own cryptocurrencies.

The increased use of mobile technologies, apps, and contactless payment devices have broadened the delivery channels and functionality of payment systems. “The adoption of these innovative delivery channels, however, may require additional or different controls to continue to safeguard against fraud, terrorist financing, or operational errors.”

The introduction of new entrants into the payment ecosystem has also provided a wider threat landscape, with many banks turning to third-parties to manage new technologies and payment products. 

“As part of this growth, banks are entering into partnerships with nonbanks to offer faster payment functionality, especially for retail payment services,” observes the OCC. “Banks should conduct appropriate due diligence and oversight commensurate with the risk of the payment activity to manage these third-party relationships.

“As the processing of payments evolves and new entrants are introduced into the payment ecosystems, it is important that bank’s risk management and controls keep pace with this change. Controls include governing the integrity, timeliness, security, and resilience of payments regardless of the technologies used or innovative process used.”

The OCC

The OCC regulates, and supervises national banks and federal savings associations in the US as well as federal branches and agencies of foreign banking organisations in order to ensure they operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations.

The OCC’s National Risk Committee (NRC) monitors the condition of the federal banking system and identifies key risks. The NRC also monitors emerging threats to the system’s safety and soundness and ability to provide fair access to financial services and treat customers fairly. 

The fall 2020 Semiannual Risk Perspective report reflects data as of 30 June 2020, and is available from the OCC website www.occ.treas.gov