Third Party Risk Management

OCC Banking Supervision Priorities – 2022

On Friday, October 15, 2021, The Office of the Comptroller of the Currency (OCC) released its bank supervision operating plan for fiscal year 2022 (October 1, 2021 – September 30, 2022). OCC staff members use this plan to guide their supervisory priorities, planning, and resource allocations.

To whom does this announcement apply?

  • Individual national banks
  • Federal savings associations
  • Federal branches
  • Agencies of foreign banking organizations (collectively, banks)
  • Technology service providers that provide critical processing and services

What are the examiners’ priorities as they prepare to review my financial institution?

Strategic and operational planning to ensure banks maintain stable financial positions Credit risk management, allowances for loan and lease losses, and allowances for credit losses
Cybersecurity and operational resilience Oversight of third parties & related concentrations
Consumer compliance management systems and fair lending risk Community Reinvestment Act performance
Impact of a low-rate environment and the transition to alternative reference rates given the cessation of LIBOR Payment systems products and services
Fintech partnerships for potential cryptocurrency-related activities and other services Climate change risk management
Bank Secrecy Act/anti-money laundering (BSA/AML) compliance management

Is there a theme to these priorities and what does this mean to my financial institution?

Similar to the Architecture, Infrastructure, and Operation (AIO) guidance published in June 2021, financial institutions are being encouraged to take a wholistic approach to their Operations and Risk programs. Programs that are isolated from one another expose the institution to unnecessary risk.  Senior management and Boards of Directors are accountable for remaining informed and engaged in meaningful ways. Comprehensive documents are essential to a sound program. This includes documentation such as Policy guides, Procedure guides, and Board minutes. If it’s not written down, it doesn’t count.

Management and oversight of Third Party relationships continues to be a priority. It remains vital to perform a deep dive into the critical relationships. Full documentation of how your institution determines who is and isn’t a critical partner (including a periodic refresh of the inventory) is important to have on hand as the regulatory definition of Vendors/Third Parties is purposefully broad.

The Pandemic is cited.  How it did and continues to impact your economic, financial, operational, and compliance programs. Your organization would be wise to document its pandemic response and perhaps write a Lessons Learned paper identifying any updates and projects you have planned. Demonstrate that the institution continues to push for improvement and program maturity.

Take note of the risks identified on the Supervision Priorities list. Are your risk programs and controls appropriately designed and implemented for your institution’s size, complexity, and risk profile?  If not, take suitable steps to address any gaps.

In conclusion.

The regulatory standards have not changed. This Operating Plan is for the examiners. Nevertheless, take advantage of knowing the test questions. Do your homework/investigation in a methodical and thoughtful way. Cramming 24 hours before Test Day has never worked. When the examiner arrives, you will be soundly prepared.

Related Links