Strategic and operational planning, operational resiliency (especially with regard to cybersecurity), and third parties and related concentrations are the top three of 13 key areas of “heightened focus” identified by the national bank regulator in its bank supervision operating plan for fiscal year 2023, the agency said Thursday.
Also on the list of key areas – albeit the final item – is climate-related financial risks.
The Office of the Comptroller of the Currency (OCC) said the plan is intended to provide a foundation for policy initiatives and supervisory strategies it applies to the national banks and federal savings associations it oversees. The plan also informs the agency’s approach for dealing with other federal agencies and technology service providers, the OCC said.
In addition to the four key areas listed at the top and bottom of the list, the OCC said the other nine key areas to be addressed in FY 2023 are:
- Credit risk management
- Allowances for credit losses
- Interest-rate risk
- Liquidity risk management
- Consumer compliance
- Bank Secrecy Act (BSA)
- Fair lending
- Community Reinvestment Act (CRA)
- New products and services
On strategic and operational planning, the plan urges examiners “to assess whether banks maintain stable financial positions, especially regarding capital, allowance for credit losses, management of net interest margins, liquidity, and earnings. Examiners’ reviews of bank governance should assess the effectiveness of talent recruitment, training, retention, and succession management processes.”
For operational resiliency, the plan recommends that examinations consider incident response and business resumption practices, “with explicit evaluation of data backup and recovery capabilities. Information and cybersecurity examinations should focus on fundamental controls to identify, detect, and prevent threats and vulnerabilities; such controls include authentication, access controls, segmentation, patch management, and end-of-life programs.”
Third-party focus, the plan states, should determine “whether banks are providing proper risk management governance of their third-party relationships, commensurate with the risks posed, which may include relationships with financial technology (fintech) companies.” Examiners should identify the risk attributes of these relationships, the plan states, if, for example, they involve customer-facing products and services, are critical to bank operations, represent significant concentrations, affect the bank’s operational resilience, or affect compliance with requirements such as the Bank Secrecy Act (BSA) and consumer protection laws.
On climate-related risks, the agency noted that in 2023 it will continue information gathering efforts and plans to conduct additional industry outreach. “At the largest banks, examiners will monitor the development of climate-related financial risk frameworks and will engage with bank management to understand the challenges that banks face in this effort, such as data and metrics, governance and oversight, policies, procedures, and limits, strategic planning, scenario analysis capabilities and techniques, and incorporation of the frameworks into current bank risk management processes.”
Fiscal Year 2023 Bank Supervision Operating Plan (PDF)