This Week in AML

OCC's Semiannual Risk Perspectives

Written by AML RightSource | May 21, 2021

The OCC has issued the Spring 2021 edition of its Semiannual Risk Perspectives. This week, Executive Vice President John Byrne, and Creative Director Elliot Berman of the AML RightSource staff discuss the report and its value to the financial crimes compliance community. John and Elliot explore some of the themes in the report and the importance of understanding how FI regulators are looking at various risks going forward.

 

OCC's Semiannual Risk Perspective TRANSCRIPT

Elliot Berman: Hi, John, how are you this week?

John Byrne: Hi, Elliot. How's it going?

Elliot Berman: It's going okay. So this week I noticed that the OCC national risk committee put out their semi-annual risk perspective, which they put out twice a year. This was the one that comes out in the spring and it's based on data as of year-end, 2020.

Did you see that paper?

John Byrne: I did. And it's interesting, as long as we both have been in this area, they've been doing these and even going back to my days at the ABA, I always thought was important to read these reports. And I know it doesn't get the play that perhaps it should, not that they don't communicate it well, and put it out on social media on their websites, but this really gives you a sense of not only what they think the risks are, which is the obvious point, but also what examiners at the OCC and possibly other agencies are looking at for sort of strategic direction.

So definitely they're taking a look at all the different things that have challenged the industry and the regulators in 2020.

Elliot Berman: Indeed. And not surprisingly, they go at a whole bunch of things. I think you and I are going to focus away from the credit risk side, but they do talk about credit risk and strategic risk, operational risk and compliance risk.

And then deep dive into that. And while a lot of this is backward looking, focusing on the recent past because the data's pretty current, they have an important section toward the end, which is really looking at evolving risk. And so that's a little more of the near and far horizon look.

And I think that's really valuable because it's a reminder of not just trying to keep up with what's already happening, but keeping an eye on where some of the big risks are evolving too, right?

John Byrne: I think they make some clear and direct comments on COVID-19 scams, obviously that we've all been aware of - we've done programming on everything from medical-related frauds to fake charities, those sorts of things. So obviously that's front and center, but a couple of sections that sort of drew my attention -one was the ongoing focus that needs to occur on cyber security. And obviously we've seen the ransomware attacks and some of the other things, but they also make a statement embedded in the report that jumped out at me because it's so practical and they say this, they say “banks should make appropriate risk-based adjustments to their BSA and OFAC compliance programs based on COVID-19 and keep examiners updated on potential issues”.

And this is the key - including potential delays in meeting regulatory requirements. And that's an age-old issue, right? As we both know, having advised clients and members over time about the importance of “don't surprise your examiners”.

If there's a change in product delivery, if there's a change in issues, the remote working maybe has caused some challenges in terms of compilation of documents, let your regulator/examiner know. The last thing you need is to surprise them.

Elliot Berman: Yes. Another thing that I saw that caught my eye was in the cybersecurity area.

They were reminding folks that it's not just their own systems that they have to make sure have great integrity, but they really have to think about the supply chain. Because the reality is that very few organizations today control all of their own systems - they use third-party vendors whether it's for connectivity or certain types of data processing or storage and understanding the cybersecurity, strength and weaknesses and evaluating that is something that is getting more important.

Now, vendor risk management, which this fits into, certainly has been a rapidly evolving point of interest in the regulators and expectation. But I think particularly in the cybersecurity area, that's something that folks really have to figure out how to evaluate that risk and make smart decisions.

John Byrne: Yeah. And to your point on a cybersecurity – right at the end, they list in their part five, the supervisory actions, and they do what's important from my perspective, it's not enforcement actions it's matters requiring attention and the outstanding MRA concerns. The ones that had the most focus were operational risks. So 40% of the MRAs were on operational risks, but 23% were compliance risks. So I thought that was important, but I would imagine that most of the operational risk issues are in the cyberspace, as you may know.

Elliot Berman: I would expect that's right. The other thing wasn't surprising is just the reminder, and again, hopefully it's just a reminder that even in the BSA/AML space, that typologies are constantly changing. And really we all in the community, you really need to be not just thinking about, “have we seen this before?”, but “are we seeing something new?”. And that's a critical challenge.

I think the industry has actually done a very good job - recognizing, identifying and sharing those typologies, but also as you and I have talked many times - getting specifics from the government, and that's not the purpose of this report, but, because they see, they have the opportunity to see the industry across the broad Playing field.

Right. And the last thing I'd highlight - something we've talked about constantly. They said one thing to be aware of is that banks will face further challenges with the rapid pace of regulatory change. Specifically, those that will be implemented by the AML Act of 2020. So they're saying, watch the space, they expect more, we know some of those things you've already talked about, so I do think there is more, not just potential, but there's definitely going to be changes through 2021 and beyond. So to your point, looking ahead, staying engaged, filing comment letters, being at the table all become pretty important.

Elliot Berman: Correct. So I just want to remind all of our listeners you can find us on Spotify. Or wherever you get your your podcast watch both for this week and AML and other things under our AML conversations umbrella. And John, I will talk with you next week.

John Byrne: Take care. Stay safe.

Elliot Berman: You too. Bye-bye.