OCC Identifies AML/BSA and Cyber Threats as Elevated Risks Facing Banks
Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations. The Report concluded that some of the OCC’s primary concerns are with banks’ abilities to comply with the anti‑money laundering (“AML”) laws and regulations, as well as to manage risks associated with cybersecurity threats.
Many of the OCC’s observations and recommendations are unchanged from its Fall 2017 report, about which we previously blogged, which leaves readers to wonder what will spur less discussion and more concrete action among OCC-supervised banks, or more concrete guidance from the OCC. Regardless, a common thread running through both reports is the risk that emerging technologies present to financial institutions: they carry the simultaneous blessing and curse of new business opportunities and new compliance risks.
AML Compliance: An Emphasis on Risk Assessments and the Risks of New Technologies
The Report laments that “BSA/AML/OFAC compliance risk management is an area of emphasis because some banks have not adopted appropriate risk management systems to keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes.”
The OCC in particular stressed the need for sufficient risk assessments, noting that it has linked many risk assessment concerns to a bank’s exclusion of its compliance function from decisions to change products or services:
The OCC continues to find instances when banks have not adjusted or realigned BSA/AML/OFAC risk assessments to reflect changes in risk profiles resulting from multiple factors. These include growth (organic and through mergers and acquisition), the introduction of new products and services, new or growth in inherently high-risk customers, and significant increases in transaction volume. A sound risk assessment is the foundation of an effective BSA/AML program and can be the basis to identify coverage gaps within AML systems. The OCC has tied many risk assessment concerns to weaknesses in change management processes, such as excluding the bank’s compliance function from decisions involving changes in product or service offerings.
The Report also noted that when banks embrace new technology to expand their financial product offerings and convenience to customers, they simultaneously “may also create vulnerabilities that criminals can exploit as vehicles for money laundering.” Further, the OCC acknowledged that U.S. economic and trade sanctions have been evolving due to “dynamic,” i.e., frequently changing, foreign policy and national security goals, thereby creating compliance challenges and risks for banks. Moreover, and consistent with its prior report, the OCC stated that banks must effectively implement the new BSA rule regarding Beneficial Ownership and Customer Due Diligence, which became effective on May 11, 2018.
Although not formally contained within the section of the Report addressing AML risks, the Report noted that attempted fraud and successful fraudulent transactions appear to be increasing, based on reports from industry. This trend, coupled with a rapidly changing business environment that involves “faster payments, mobile payment solutions, and emerging technology and delivery channels,” highlights the need for institutions to implement comprehensive risk assessments, effective internal controls, layered anti-fraud protections, communication and coordination with peers and law enforcement, and effective risk management of any third party on which a bank relies for fraud prevention and detection.
Management of Cybersecurity Threats
The Report also noted the increasing severity of cyber threats, a significant number of which begin with social engineering, typically phishing emails that deliver malware or malicious links. Because cyber threats are ever-evolving, the Report advised that banks must stay vigilant in guarding customer data and bank funds. The OCC suggested the following measures:
- “It is important for banks to implement appropriate technical controls and conduct regular, mandatory information security training for staff on their responsibilities. Such training should include how to identify and prevent social engineering and phishing attempts and how and when to report suspicious activities.”
- “As part of a layered security approach, it is important for banks to implement strong authentication and management of privileged and high-value user access (e.g., staff administrators, staff capable of moving funds, and directors and executives with access to sensitive information).”
- “Use of unpatched or unsupported software and hardware by banks and their service providers is another common vulnerability. A sound system-development life cycle requiring regular maintenance and system updates is important to protect against these weaknesses.”
- “Given the increasing operational risk and severity of consequences associated with cyber attacks, it is important for banks to have a well-established and tested response plan in case a cyber incident occurs. Bank management should clearly designate appropriate personnel for key response mechanisms, which include operations, service providers, public affairs, legal, law enforcement, and other government entities.”
In sum, the Report repeats many of the same observations it made in the Fall 2017 report, but offers little in the way of concrete guidance on how to manage these risks. Perhaps public examples of the consequences of data breaches are enough to encourage banks to evaluate and respond to risks, but the sweeping observations of the Report leave something to be desired in the way of establishing methodical procedures by which banks manage risk. Nonetheless, the overarching and ever-important advice the OCC offers to banks is to pay attention and stay vigilant, whatever that means for a given bank.