Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations.  The Report concluded that some of the OCC’s primary concerns are with the elevation in operational risk “as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”  The Report also focused on elevated compliance risk associated with bank efforts to “manage money-laundering risks in a complex environment.”

Many of the OCC’s observations and recommendations are unchanged from its Fall 2017 report, leaving readers to wonder what will move OCC-supervised banks from discussion to action, or prompt more concrete guidance from the OCC itself.  Regardless, a common thread running through both reports is the risk that emerging technologies present to financial institutions: greater business opportunities, but also greater operational and compliance risk.

Management of Cybersecurity Threats

The Report noted that banks face increasingly sophisticated cyber threats that “seek to exploit personnel, processes, and technology.”  In particular, many attacks involve social engineering (including phishing emails) as an initial attack vector into a network, from which various types of technological exploitation may follow.  Misuse of compromised account credentials, which are often obtained from outside of the bank’s systems, continues to lead to massive amounts of fraud and other unauthorized transactional activity.  Overall, these threats target personal information and intellectual property “to facilitate fraud and misappropriation of funds at the retail and wholesale levels.”  Other threats seek to disrupt or otherwise impair bank operations.

The Report also discussed growing third-party risk.  The OCC has observed a “heightened third-party concentration risk, in which a limited number of providers service large segments of the banking industry for key financial services.”  Due to the risk concentration, cyber incidents at these larger service providers could significantly impact the financial industry.

The Report’s conclusions and recommendations draw on the OCC’s incorporation, in 2015, of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) into its examination process.  The majority of OCC-supervised banks have now completed at least two examination cycles and have shown improvement across all of the CAT evaluation domains.  The Report’s recommendations track the CAT categories noted below.

Cybersecurity Controls

Because cyber threats are constantly evolving, the Report emphasized that banks must remain vigilant in monitoring and protecting their networks, devices and data.  The OCC suggested the following measures:

  • “It is important for banks to implement appropriate technical controls and conduct regular, mandatory information security training for staff on their responsibilities.  Such training should include how to identify and prevent social engineering and phishing attempts and how and when to report suspicious activities.”
  • “As part of a layered security approach, it is important for banks to implement strong authentication and management of privileged and high-value user access (e.g., staff administrators, staff capable of moving funds, and directors and executives with access to sensitive information).”
  • “Use of unpatched or unsupported software and hardware by banks and their service providers is another common vulnerability.  A sound system-development life cycle requiring regular maintenance and system updates is important to protect against these weaknesses.”
  • “Given the increasing operational risk and severity of consequences associated with cyber attacks, it is important for banks to have a well-established and tested response plan in case a cyber incident occurs.  Bank management should clearly designate appropriate personnel for key response mechanisms, which include operations, service providers, public affairs, legal, law enforcement, and other government entities.”
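The second bullet above asks for strong authentication and management of privileged and high-value access, such as staff who can move funds.  The following is an added illustration written for this post, not code from the OCC report or from any bank’s systems.  It shows one way a “layered” control can be expressed in code: an authorization gate that checks role entitlement, the strength of the multi-factor method used, and how recently that verification happened, forcing a step-up before a high-value action.  The action names, role names, MFA tiers and time thresholds are assumptions chosen for illustration, and the sessions it runs against are constructed.

```python
"""Step-up authorization for privileged and high-value actions.

Added example for this post, not code from the OCC report or any bank.
Action names, role names, MFA strengths and time thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Assumed MFA strengths, strongest last. A bank's real tiers would come from
# its authentication standard; this ordering is an assumption.
MFA_RANK = {"none": 0, "totp": 1, "hardware": 2}

# Assumed policy: roles allowed for each action class, the weakest MFA method
# accepted, and how recently that MFA must have been completed (step-up).
POLICY = {
    "move_funds": {"roles": {"payments_officer", "treasury"},
                   "min_mfa": "hardware", "max_mfa_age": timedelta(minutes=5)},
    "admin_change": {"roles": {"sysadmin"},
                     "min_mfa": "hardware", "max_mfa_age": timedelta(minutes=15)},
    "view_sensitive": {"roles": {"director", "executive", "sysadmin"},
                       "min_mfa": "totp", "max_mfa_age": timedelta(hours=8)},
}


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_method: str                      # a key of MFA_RANK
    mfa_verified_at: Optional[datetime]  # None if MFA was never completed
    audit: List[str] = field(default_factory=list)  # decision trail


def _record(session: Session, action: str, allowed: bool, reason: str) -> Tuple[bool, str]:
    """Append the decision to the session's audit trail and return it."""
    session.audit.append(f"{session.user} {action} {'ALLOW' if allowed else 'DENY'}: {reason}")
    return allowed, reason


def authorize(session: Session, action: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether `session` may perform `action` right now.

    Returns (allowed, reason). Each layer can stop the request, and every
    decision is recorded so a denied request leaves evidence of which layer
    stopped it. Unknown actions are denied by default.
    """
    now = now or datetime.now(timezone.utc)
    rule = POLICY.get(action)
    if rule is None:
        return _record(session, action, False, "unknown action, deny by default")
    if not (session.roles & rule["roles"]):
        return _record(session, action, False, "role not entitled to action")
    if MFA_RANK.get(session.mfa_method, 0) < MFA_RANK[rule["min_mfa"]]:
        return _record(session, action, False,
                       f"mfa '{session.mfa_method}' weaker than required '{rule['min_mfa']}'")
    if session.mfa_verified_at is None or now - session.mfa_verified_at > rule["max_mfa_age"]:
        return _record(session, action, False, "step-up required: mfa verification too old")
    return _record(session, action, True, "allowed")


def demo() -> dict:
    """Run the gate against constructed sessions; returns {label: allowed}."""
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    fresh_officer = Session("alice", {"payments_officer"}, "hardware", t0 - timedelta(minutes=2))
    stale_officer = Session("bob", {"payments_officer"}, "hardware", t0 - timedelta(hours=1))
    totp_officer = Session("carol", {"payments_officer"}, "totp", t0 - timedelta(minutes=1))
    exec_user = Session("dave", {"executive"}, "totp", t0 - timedelta(hours=2))
    return {
        "fresh officer moves funds": authorize(fresh_officer, "move_funds", t0)[0],
        "stale mfa must step up": authorize(stale_officer, "move_funds", t0)[0],
        "totp too weak for funds": authorize(totp_officer, "move_funds", t0)[0],
        "executive reads sensitive": authorize(exec_user, "view_sensitive", t0)[0],
        "executive cannot move funds": authorize(exec_user, "move_funds", t0)[0],
        "unknown action denied": authorize(fresh_officer, "delete_ledger", t0)[0],
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The point of the freshness check is that a long-lived session, even one that began with hardware-backed MFA, should not be enough on its own to move funds; the user re-authenticates at the moment of the high-value action.  The audit trail matters for the fourth bullet as well: when an incident is investigated, the record shows which layer allowed or blocked each privileged request.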

Third-Party Connections

Many third-party service providers are themselves being targeted, and once compromised their systems, and their trusted connections into customers, are used to attack a bank’s systems and operations.  It is therefore imperative that banks understand their “connections, system interfaces, and access entitlements with these third parties” so that appropriate risk management controls can be put in place.

Resilience Testing

The most concerning cyber threats to banks include those that could adversely impact business operations and continuity.  As noted above, robust incident response planning is essential.  Such planning should be integrated with business continuity planning.  The OCC specifically points banks to the Financial and Banking Information Infrastructure Committee’s Financial Sector Cyber Exercise Template, which “provides a high-level scenario and series of questions every bank should be able to answer when responding to an incident.”  Scenario-based exercises are an essential part of incident response planning.

AML Compliance: An Emphasis on Risk Assessments and the Risks of New Technologies

In addition to its focus on cybersecurity, the Report also focuses on the increasingly related area of money laundering and financial fraud risks.  The Report laments that “BSA/AML/OFAC compliance risk management is an area of emphasis because some banks have not adopted appropriate risk management systems to keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes.”

The OCC stressed the need for sufficient risk assessments, claiming that it has linked many risk assessment concerns to a bank’s exclusion of its compliance function from decisions to change products or services:

The OCC continues to find instances when banks have not adjusted or realigned BSA/AML/OFAC risk assessments to reflect changes in risk profiles resulting from multiple factors.  These include growth (organic and through mergers and acquisition), the introduction of new products and services, new or growth in inherently high-risk customers, and significant increases in transaction volume.  A sound risk assessment is the foundation of an effective BSA/AML program and can be the basis to identify coverage gaps within AML systems.  The OCC has tied many risk assessment concerns to weaknesses in change management processes, such as excluding the bank’s compliance function from decisions involving changes in product or service offerings.

The Report also noted that when banks embrace new technology to expand their financial product offerings and convenience to customers, they simultaneously “may also create vulnerabilities that criminals can exploit as vehicles for money laundering.”  Further, the OCC acknowledged that U.S. economic and trade sanctions have been evolving due to “dynamic” (i.e., frequently changing) foreign policy and national security goals, creating compliance challenges and risks for banks.  Moreover, and consistent with its prior report, the OCC stated that it expects banks to effectively implement the new BSA regulation regarding Beneficial Ownership and Customer Due Diligence, which became effective on May 11, 2018.

Although not formally contained within the section of the Report addressing AML risks, the Report noted that attempted fraud and successful fraudulent transactions appear to be increasing, based on reports from the banking industry.  This trend, coupled with a business environment that is changing rapidly and involves “faster payments, mobile payment solutions, and emerging technology and delivery channels,” highlights the need for institutions to implement comprehensive risk assessments, effective internal controls, layered anti-fraud protections, communication and coordination with peers and law enforcement, and effective risk management of any third party a bank relies on for fraud prevention and detection.

To stay updated on these issues, please subscribe to CyberAdviser.  Please also visit our sister blog, Money Laundering Watch, to receive regular updates on BSA/AML issues.  To learn more about Ballard Spahr’s Privacy and Data Security Group, please visit the group’s page.