The Office of the Comptroller of the Currency (OCC) recently published its bank supervisory operating plan for fiscal year (FY) 2024. It provides banking organizations with an understanding of where the OCC – and other regulators that follow – will focus examinations in 2024.
To provide further insight on the topics of heightened regulatory focus or decreased emphasis compared to FY 2023, an appendix is available highlighting the degree of changes, including a year-over-year comparison. While all changes are important, key takeaways are highlighted below:
Third-Party Risk Management
- Third-party risk management (TPRM) is no longer a standalone topic in the guidelines. It is important to know that this does not indicate a lack of priority, especially with the OCC’s release of interagency guidance on risk management. TPRM can be applied to and is now embedded throughout several relevant OCC topics including cyber, operations, change management and consumer compliance. Given the interconnectivity of fintech and banking ecosystems, the OCC added language that directs examiners to assess a bank’s existing risk management processes and controls of third-party relationships, particularly those with fintech companies.
New Products and Services
- Similar to TPRM, new products and services are no longer a standalone topic. Now embedded throughout relevant OCC topics, specific guidance within various sections is provided on considering novel products in the assessment of operations, change management, payments, distributed ledger technology, consumer compliance and credit. As an example, the OCC empowers examiners to evaluate existing payment systems, including the related products that are offered or planned – especially new or original products, services or delivery channels (e.g., person-to-person payments).
Board and Management Risk and Control Oversight
- The OCC added language in the closing statement of the FY 2024 operating plan directing examiners to focus on significant risks and “the board and management’s ability to control those risks.” With the recent look-back on the banking crisis uncovering several governance and risk management deficiencies and the Federal Deposit Insurance Corporation (FDIC) publishing guidance around risk management supervision, examiners will continue to scrutinize the board and management’s qualifications to provide effective challenges of risk and control activities. While this expectation applies to all risk domains and functions of the company, the OCC emphasized the importance of management having sufficient expertise to manage distributed ledger technology (DLT).
It is critical that banks allocate adequate resources when preparing for an upcoming examination. Effective preparation is necessary to provide complete and accurate evidence that each significant issue has been identified (prioritizing past due and/or retargeted issues) and addressed in a timely manner via a remediation plan.
During 2023 testimony on Supervision and Regulation before the Financial Services Committee and the U.S. House of Representatives, the Vice Chair for Supervision of the Federal Reserve, Michael S. Barr, stated, “recent events demonstrate that we—as regulators—must do better. We need to ensure that we have strong supervision and regulation to make the financial system safer and fairer, in support of an economy that serves the needs of households and businesses.” These comments, combined with a lack of timely identification of significant risks and control deficiencies during the recent bank crisis, have led to a consensus that examiners will be vigilant in identifying related issues and escalating them promptly for FY 2024 and beyond.
Detailed Year-Over-Year OCC Plan Comparison (2023 vs. 2024)
OCC Plan Sections:
Asset and liability management
It is implied that more examinations will focus on strategic oversight of interest rate risk and liquidity risk by merging the two sections together. This includes an additional emphasis on stress testing with specific guidance around scenarios, assumptions, risk appetite, policy limits and contingency planning.
Degree of change: Materially expanded and/or new
Operations
This is a new section that reinforces the need for examiners to focus on governance of “unique, innovative, or complex structures” such as real-time payments, banking as a service, distributed ledger technology or artificial intelligence, especially when managed by third parties. This implies that examiners will expect heightened third-party governance over fintech companies to safeguard the bank against the associated risk.
Degree of change: Materially expanded and/or new
Distributed ledger technology (DLT)-related activity
DLT-related activity was added as a standalone topic, where it was previously embedded in other sections. This assumes a heightened exam focus, with particular attention on acquiring adequate talent to manage the technology and related financial, operational, compliance, strategic and reputation risks.
Degree of change: Materially expanded and/or new
Change management
Change management was also added as a standalone topic; it is broader in nature as it relates to M&A, systems conversions, regulatory requirements (e.g., CRA, BSA) and implementation of new, modified or expanded products. Examiners are instructed to identify and evaluate significant changes in leadership, operations, risk management frameworks and business activities using third parties that support critical activities.
Degree of change: Materially expanded and/or new
Payments
The topic of payments was promoted to a standalone section and continues to be a focus area, specifically on person-to-person payments (e.g., FedNow) and associated risk management practices. This includes governance and controls of change management, IT, information security, compliance and fraud.
Degree of change: Materially expanded and/or new
Credit
The plan updates from 2023 to 2024 around credit suggest an enhanced focus on stress testing adverse economic scenarios, including increased operating and borrowing costs for vulnerable retail and commercial borrowers, including commercial real estate.
Degree of change: Enhanced scrutiny
Allowance for credit losses (ACL)
Examiners will focus more on the operating effectiveness of the ACL methodologies vs. the implementation. This implies an expectation of an elevated level of maturity.
Degree of change: Enhanced scrutiny
Cybersecurity
Cybersecurity plan changes imply examiners will rely on banks’ cyber assessments to drive risk-based exams. More emphasis is placed on proactive controls such as cyber intelligence gathering and analysis, threat and vulnerability detection, etc.
Degree of change: Enhanced scrutiny
BSA/AML/CFT/OFAC
Similar concepts are covered this year without detailed methodology guidance, allowing the focus to remain on the product, services and geographies and the continued assessment of the implementation plans of the AML Act of 2020.
Degree of change: Materially similar
Consumer compliance
Clear focus on the introduction of consumer compliance issues by new products (e.g., person-to-person payments) and/or third-party services, especially related to fintech and banking as a service.
Degree of change: Materially similar
Community Reinvestment Act (CRA)
CRA evaluations due in 2024 are the focus and specific guidance on methodology is provided – including redlining and change management now that implementation is complete.
Degree of change: Materially similar
Fair lending
Concepts are similar to FY 2023 with additional detail related to assessment factors (e.g., strategy, personnel) and guidance to align to the 2023 annual statistical Home Mortgage Disclosure Act (HMDA) screening.
Degree of change: Materially similar
Climate-related financial risks
Principles mirror FY 2023; however, applicability is limited to large banks with at least $100 billion in consolidated assets.
Degree of change: Materially similar