Our Take: financial services regulatory update – October 4, 2024

• What happened? On October 1st, the OCC released its Fiscal Year (FY) 2025 Bank Supervision Operating Plan. The plan guides the OCC’s policy initiatives, supervisory priorities and planning for the FY running from October 1st, 2024 to September 30th, 2025.
• What’s new for FY25? Relative to the FY24 supervision plan, the new plan covers largely similar topics with a number of changes and additions across the following categories:
  • Capital: The FY25 plan includes a new dedicated section on capital including an expectation for examiners to monitor capital optimization activities with a focus on credit risk transfer transactions. It states that examiners should review risk management systems and governance around these transactions.
  • Third-party risks: While the FY24 plan covered third-party risks across a number of different sections, the FY25 plan covers them in a dedicated section while also mentioning them in others. It notes a focus on relationships with fintechs and risk management around third parties that support critical activities. It also states that “examiners should consider structuring reviews to provide an enterprise-wide view of third-party risk management.”
  • Credit: The FY25 plan specifies examiners’ evaluation of management’s actions to measure and monitor credit risk, as well as identify and control it. It also notes a focus on the adequacy of credit risk review, consistency with the bank’s risk appetite, the accuracy of risk ratings, assessments of credit utilization, and changes in payment behavior. It includes a similar focus on commercial real estate risks and newly notes risks associated with “multifamily stresses from higher operating expenses, oversupply pressures, and rent regulations.” The plan further includes a new aspect of evaluation of loan renewal and maturity exposures, particularly for borrowers less likely to qualify for renewal or refinancing.
  • Asset and liability management: There is a new specification for examiners to: “determine whether board and management teams understand and manage projected risk to asset values, deposit stability, liquidity, capital, and earnings under a full range of plausible interest rate scenarios.” It also specifies that deposit stability considerations could include composition and concentrations (including uninsured and brokered deposits), repricing assumptions, and the potential for rapid changes.
  • Climate-related financial risks: Whereas the FY24 plan focused on information gathering, the FY25 plan directs examiners to “conduct target examinations to assess banks’ ability to identify, measure, monitor, and control climate-related risks in a safe and sound manner.” It also notes that examiners will integrate climate-related financial risk supervision into ongoing supervision.
  • Change management: The new plan highlights examination of changes around new technologies including migrations to the cloud, artificial intelligence (AI) and distributed ledger technology. It also newly covers “notable changes in strategic plans” and significant changes in product and service delivery such as channels through fintech partners.
  • Operations: New areas highlighted for reviews of operating environments include talent management trends, new regulatory requirements, legacy system issues and lack of investment in new technology.
  • Payments: The FY25 plan includes new focal areas for payments including fraud risk management, real-time and instant payments, third-party risk management, and new products, services or delivery channels.
  • Fair lending: The fair lending section adds a new line stating that “when necessary, examiners will coordinate with the Chief Counsel's Office to take enforcement actions related to fair lending laws and regulations, cite violations consistently, and make referrals to the U.S. Department of Justice and the U.S. Department of Housing and Urban Development.”
  • AML: The FY25 plan includes additional areas of focus, namely fraud identification capabilities, investigations and suspicious activity report filing processes.
  • Other: Unlike the FY24 plan, the FY25 plan does not include a section on distributed ledger technology (DLT) related activities. There were relatively minor differences across the following priority areas: allowance for credit losses, cybersecurity, consumer compliance, and Community Reinvestment Act (CRA).

Our Take

Changes provide insight into evolving supervisory priorities. While the latest supervisory plan covers similar topics to prior years, even subtle updates are valuable signals of where the OCC plans to redirect examiners’ attention. In particular, including an entirely new section focusing on credit risk transfer transactions shows that the OCC has recognized them as a growing capital optimization strategy and wants to make sure banks have developed commensurate risk management and governance frameworks.

Although supervisory focus on third-party risks is far from new, the inclusion of a dedicated section in this year’s plan underlines the fact that the OCC is concerned about banks’ evaluation and monitoring of third parties. Over a year since the issuance of joint third party risk management guidance, insufficient oversight of third-party activities is increasingly likely to result in supervisory findings. As with other agency issuances, the FY25 plan repeatedly highlights concerns around fintech partnerships, innovations in product and service delivery, and the use of new technologies such as cloud and AI. However, as the plan also includes a supervisory focus on legacy system issues and lack of investment in new technology, banks should continue to innovate while making sure they perform thorough due diligence as well as ongoing monitoring and oversight. This may involve reviewing agreements with third parties to provide transparency and auditability of their systems as well as having the necessary talent to adequately understand the risks of new technologies.

In addition, the climate-related risk section demonstrates a notable shift from information gathering to examination and supervision. This should spur impacted banks (i.e., those with over $100 billion in assets) to review the banking agencies’ climate risk management principles and identify where they fall short of leading practices, as last year’s information gathering likely formed the initial basis for comparisons across peer institutions and set the curve for exams.

Overall, these examination priorities should be considered with the understanding that examiners remain under pressure to escalate concerns more quickly following last year’s bank failures. Banks should therefore be prepared to (a) identify and correct issues before examiners find deficiencies; (b) act with urgency to remediate findings in a timely manner; (c) equip risk functions with sufficient resources and authority to oversee and address issues; and (d) enhance reporting of remediation efforts to support board and senior management oversight.