The Office of the Comptroller of the Currency (OCC) released its supervision priorities and objectives for its fiscal year 2023 (October 1, 2022 – September 30, 2023). OCC managers and staff use this plan to guide their supervisory priorities, planning, and resource allocations. https://www.occ.gov/news-issuances/news-releases/2022/nr-occ-2022-124a.pdf
To whom does this announcement apply?
|Individual national banks||Third Party service providers|
|Federal savings associations||Federal Branches|
|Agencies of foreign banking organizations (collectively, banks)|
The OCC continues to use a risk-based supervision with heightened focus in 2023 on the following areas.
|Safety and soundness, and fairness||Operational resilience and cybersecurity|
|Third parties and related concentrations||Credit|
|Allowances for credit losses (ACL)||Interest rate risk|
|Liquidity risk management||Consumer compliance|
|Bank Secrecy Act (BSA), anti-money laundering (AML) and Office of Foreign Assets Control (OFAC)||Fair Lending|
|Community Reinvestment Act (CRA)||New products and services|
|Climate-related financial risks|
Important Area of Note
Third-party relationships are called out in two ways: the financial institution’s use of and controls surrounding third-party relationships AND the controls that a third party deploys.
Management, clear contractual terms, and controls surrounding third-party relationships remain vital. Conducting a deep dive into the critical relationships, including full documentation of how an institution determines who is and is not a critical partner (including a periodic refresh of the inventory), is important to have on hand as the regulatory definition of vendors/third parties is purposefully broad.
Examiners will look for cyber-related risks that may develop because of a third-party relationship, evaluation of the institution’s review of the third-party’s own cybersecurity risk management and resilience skills, and whether all parties in this relationship have qualified staff that can meet the contractual obligations.
If you are unclear of your own institution’s preparedness, contact Fortrex Technologies today for conversation.