
The US Office of the Comptroller of the Currency’s Semiannual Risk Perspective for Fall 2024 reports an uptick in traditional and novel fraud activity targeting banks, writes Nicholas Dynon.
The Office of the Comptroller of the Currency’s (OCC) Semiannual Risk Perspective report addresses key issues facing banks in the US, focusing on those that pose threats to the safety and soundness of banks and their compliance with applicable laws and regulations.
Published in November 2024 by the OCC’s National Risk Committee, the report identifies ongoing risk exposures in the areas of credit risk, strategic risk, operational risk and compliance risk, singling out fraud as a key emergent threat.
In summary
Global economic growth has been supported by higher growth in the US and large emerging economies, but there is persistent weakness in some of the world’s largest economies, states the report’s executive summary.
“Ongoing geopolitical conflicts and tensions continue to affect the normal functioning of the global economy,” it states. “These conflicts and tensions could disrupt global trade, supply chains, and commodity markets.”
As a result, banks’ operational risks are elevated in an evolving and increasingly complex operating environment.
“Evolving cyber threats by sophisticated malicious actors target the financial services industry and their key service providers. Recent significant disruptions across many sectors, including the financial sector, highlight the importance of sound third-party risk management and operational resilience.”
Special Focus: External fraud activity
The frequency and sophistication of both traditional and novel fraud activities targeting customers and banks continue to increase.
The OCC urged banks to maintain sound fraud risk management practices through prudent controls and fraud monitoring capabilities to identify, investigate, mitigate, and report fraudulent activity. Banks can also support their customers by providing educational information about trending fraud activities and ways to protect themselves.
The report commented that while artificial intelligence (AI) can enhance fraud risk management capabilities, reduce costs, and improve efficiency, it is also being used to enable increasingly sophisticated and frequent fraud activities.
Fraudsters could utilise AI, for example, “to implement sophisticated frauds by digitally altering voices, biometric systems, or images (also known as ‘deepfakes’), or to facilitate social engineering schemes, identity theft, and impersonation of a trusted business or government agency.”
Increasing product and service digitisation can also increase exposure to fraud risk, including fraud targeting peer-to-peer (P2P) and other fast payment platforms. Criminals have exploited these platforms due to the irreversible and irrevocable nature of payments that are made through them.
Managing the risk
Effective fraud risk management, states the report, includes appropriate internal controls, which include authentication, customer identification and verification processes, fraud monitoring, and “open lines of communication between bank departments responsible for researching unusual activities.”
It is critical for banks to promptly identify, investigate, and resolve suspicious activities and potential fraud concerns and to avoid investigation backlogs, particularly in light of an evident increase in fraud cases.
“Recent increases in the volume of fraud cases have led to heightened unfair or deceptive acts or practices (UDAP) risk as some banks may take prolonged timeframes to complete investigations or implement broad account access limitations, preventing customers—including those who are not victims of fraud—from accessing their funds,” states the report.
“If banks on either side of the transaction do not complete investigations expeditiously, customers may not have access to funds for extended periods of time, which may create financial hardship for them.”
In cases where multiple departments are responsible for researching unusual account activities across functions, open lines of communication between departments will assist in ensuring expedited resolution.
Banks can also develop policies and procedures regarding what and how to communicate with customers when the bank determines that account access should be limited, taking care not to reveal the existence of any suspicious activity report (SAR) filing, and ensuring that the communication is otherwise consistent with safe and sound banking practices. Communications can provide critical information to customers seeking to access their funds.
The OCC also suggests that bank staff can be trained to identify and respond to customers seeking to conduct unusual transactions, such as a large withdrawal, that may be outside of their usual transaction habits. Training may also include identifying red flags and actions in relation to financial exploitation, such as the exploitation of the elderly.
Generally, banks should support customers by providing information about scam and fraud trends and preventative measures they can take.
Cybersecurity
Banks’ operational risk remains elevated as cyber threat actors evolve and refine their tactics using emerging technologies such as AI. At the same time, the cyberattack surface is expanding as banking services engage with third parties, including fintech firms.
A financial entity’s exposure to cyber threats and operational disruptions extends beyond its own network. Threat actors are increasingly targeting vulnerabilities and deficient security practices at financial service providers and their third parties.
This means that the probability and potential impact of cyber incidents are increasing, highlighting the importance of third-party risk management, change management, and operational resilience measures.
“The OCC continues to see compromised systems involving the exploitation of publicly known vulnerabilities on internet-accessible networks,” states the report. “This underscores the need for banks to maintain an inventory of assets and external connections and remediate vulnerabilities promptly.”
In particular, suggests the OCC, banks should ensure that third parties throughout the bank’s information technology supply chain are adhering to secure software development standards to reduce the risk of disruptions or compromises.
“Additionally, it is critical that banks and their service providers have effective threat and vulnerability monitoring processes and security measures, including the use of multi-factor authentication (MFA), hardening of systems configurations, testing software updates before implementation, phased rollouts of software updates, timely vulnerability patch management, and immutable backups.”
The OCC is also watching progress toward quantum computing capabilities and the associated risks to current encryption techniques, as well as controls such as NIST’s recently released post-quantum cryptography (PQC) standards. “The process for transitioning to these new post-quantum computing (PQC) standards will likely take years to fully test and implement,” states the report.
“Banks are encouraged to conduct inventories of where encryption is used within their operations and work with third parties to assess their PQC transition plans to ensure long-term security and interoperability. Institutions that develop their own software are also encouraged to begin the migration process.”
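The inventory of “where encryption is used” that the report asks for usually starts with a scan of source and configuration repositories for algorithm references, so that quantum-vulnerable public-key uses can be separated from symmetric and hash uses that need only a key-size review. The scanner below is an added example written for this article, not OCC material or any bank’s tooling. The rule set, category labels and migration notes are this example’s own, the sample files are constructed, and text matches are leads for a reviewer rather than proof of use; a real inventory would also cover certificates, HSMs and third-party attestations that a text scan cannot see.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    algorithm: str   # text as matched, e.g. "ECDHE", "AES256", "TLSv1.2"
    category: str
    note: str


# Scanner rules for this example: (regex, category, why it matters for the
# transition). Category labels are this example's own, not an OCC or NIST
# taxonomy. FIPS 203/204/205 are the NIST standards for ML-KEM, ML-DSA, SLH-DSA.
RULES = [
    (re.compile(r"\bRSA\b", re.I), "public-key",
     "quantum-vulnerable (factoring); plan PQC or hybrid replacement"),
    (re.compile(r"\b(ECDSA|ECDHE?|Ed25519|X25519|secp\d{3}[rk]1|P-(256|384|521))\b"),
     "public-key", "quantum-vulnerable (EC discrete log); plan PQC or hybrid replacement"),
    (re.compile(r"\bDHE?\b|Diffie.?Hellman", re.I), "public-key",
     "quantum-vulnerable (discrete log); plan PQC or hybrid replacement"),
    (re.compile(r"\b(ML-KEM|ML-DSA|SLH-DSA|Kyber|Dilithium)\b"), "post-quantum",
     "already on a PQC algorithm; confirm final FIPS 203/204/205 parameters"),
    (re.compile(r"\bAES[-_]?(128|192|256)\b"), "symmetric",
     "Grover's algorithm halves effective key strength; prefer 256-bit keys for long-lived data"),
    (re.compile(r"\bSHA[-_]?(1|256|384|512)\b"), "hash",
     "SHA-1 is deprecated regardless of quantum; SHA-2 family remains acceptable"),
    (re.compile(r"\bTLSv1\.[0-3]\b"), "protocol",
     "hybrid post-quantum key exchange is only being deployed for TLS 1.3"),
]


def scan_text(name, text):
    """Scan one file's text line by line. One finding per (algorithm, category)
    per line, so a cipher-suite string that repeats ECDHE is not double-counted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for pattern, category, note in RULES:
            for match in pattern.finditer(line):
                key = (match.group(0).upper(), category)
                if key in seen:
                    continue
                seen.add(key)
                findings.append(Finding(name, line_no, match.group(0), category, note))
    return findings


def scan_tree(root, suffixes=(".py", ".conf", ".java", ".go", ".yaml", ".yml", ".cfg", ".tf")):
    """Walk a real repository checkout (hypothetical path supplied by the caller)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
    return findings


def summarize(findings):
    """Count findings per category for the inventory report."""
    return Counter(f.category for f in findings)


def migration_backlog(findings):
    """Files that depend on quantum-vulnerable public-key algorithms and show
    no PQC algorithm yet: the first tranche of a transition plan."""
    categories = defaultdict(set)
    for f in findings:
        categories[f.file].add(f.category)
    return sorted(name for name, cats in categories.items()
                  if "public-key" in cats and "post-quantum" not in cats)


# Constructed sample repository contents for the example.
SAMPLE_FILES = {
    "nginx/tls.conf": (
        "ssl_protocols TLSv1.2 TLSv1.3;\n"
        "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256;\n"),
    "app/signing.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"),
    "app/kem.py": "# hybrid key exchange: X25519 combined with ML-KEM-768\n",
    "legacy/hash.java": 'MessageDigest.getInstance("SHA-1");\n',
}


def scan_samples():
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    found = scan_samples()
    for f in found:
        print(f"{f.file}:{f.line_no}  {f.algorithm:<10} {f.category:<12} {f.note}")
    print("summary:", dict(summarize(found)))
    print("migration backlog:", migration_backlog(found))
```

On the constructed sample the scanner records 14 findings, six of them quantum-vulnerable public-key uses, and places the TLS configuration and the RSA signing module in the migration backlog while leaving the file that already pairs X25519 with ML-KEM out of it. The same `scan_tree` walk applied to a vendor’s delivered source is one concrete input to the third-party PQC transition assessments the report mentions.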