- What happened? On December 16th, the OCC published its latest Semiannual Risk Perspective for Fall 2024.
- What risks does the OCC discuss? The latest risk perspective describes risks across the following areas:
- Fraud (special topic): The perspective includes a special topic on increases in external fraud targeting the federal banking system, including check fraud and wire transfer schemes. It notes that risk is heightened due to increased digitization and fraudsters using AI to enable more sophisticated attacks by digitally altering voices, biometric systems, or images. The OCC advises banks to strengthen their fraud risk management practices, including authentication controls, and educate customers.
- Credit risk: Credit risk remains moderate but with persistent challenges in commercial real estate (CRE), particularly in office spaces and luxury multifamily properties, due to refinancing difficulties and valuation pressures. Rising costs and changing rent regulations in some areas compound risks. Retail credit is stable, though credit card and auto loan delinquencies show upward trends, reflecting consumer stress from elevated costs. The OCC recommends that banks conduct portfolio stress testing, enhance credit loss allowances, and closely monitor vulnerable segments, including highly leveraged consumers and CRE borrowers in overbuilt or high-cost areas.
- Operational risk: Operational risk remains elevated due to cyber threats, digitalization, and third-party reliance. The OCC recommends that banks implement multi-factor authentication (MFA) and enhance vulnerability monitoring. In response to added complexity from new technologies, like cloud computing and AI, the OCC advises robust governance, secure software practices, and thorough testing. It also notes that rising reliance on third-party providers requires stronger oversight and resilience plans. To address fraud, the OCC suggests real-time monitoring, cross-departmental collaboration, and consumer education while maintaining sufficient staffing and expertise in risk management functions.
- Compliance risk: Compliance risks include data governance gaps, sanctions complexity, and consumer protection including fraud and fair lending. Rising fraudulent payment incidents, such as P2P scams, heighten operational and legal risks. The OCC recommends that banks ensure timely investigations of unauthorized transactions, strengthen BSA/AML monitoring, and conduct independent testing of compliance systems. Banks should strengthen frameworks and controls for managing evolving regulations and sanctions.
- Market risk: Market risk has stabilized as deposit volumes and funding costs have eased, but pressures on net interest margins persist. Unrealized investment portfolio losses remain a concern despite improvements. The OCC recommends that banks refine deposit pricing models, stress-test for funding risks, and maintain robust liquidity contingency plans. Banks are also encouraged to monitor depositor behavior closely in a declining rate environment to anticipate potential interest rate and liquidity risks along with strengthened modeling and risk management practices.
- Climate-related financial risk: Climate risks are intensifying, with increased physical risks from extreme weather resulting in higher insurance costs and limited availability in high-risk areas. The OCC recommends that banks refine climate-risk frameworks, incorporate granular insurance data into scenario analyses, and monitor geographic vulnerabilities.
Our Take
A final risk assessment from Hsu’s OCC reminds banks not to let their guard down. As the OCC prepares for leadership change from the incoming Administration, this is the last risk perspective – and possibly last official issuance of any kind – from the OCC under Acting Comptroller Michael Hsu. However, even as banks look ahead to a new regime, they should recognize that most of the included risks are perennial concerns and will continue to be areas of focus for examinations in the years ahead – except for climate-related risk. While climate-related risk is not likely to be included in the spring 2025 risk perspective, there is growing recognition across the industry that physical and transition risks associated with climate change can have a real impact on banks’ strategies and operations. While there will be no supervisory actions associated with climate risk management anytime soon, examiners will likely still be interested in how banks are integrating climate considerations in their management of credit, operational and market risks.
Focus on fraud and security. The perspective echoes the Fed’s most recent supervision and regulation report in that it finds that banks are largely adequately managing financial risks that have stabilized following last year’s bank failures while issues around non-financial risks and controls are growing. Part of this is due to constantly evolving technology and threats of cybersecurity attacks and fraud. Banks should recognize that they cannot “set and forget” their strategies to mitigate these risks and preserve operational resilience. As they increasingly leverage new technologies to advance their client offerings, they should simultaneously assess and manage the new risks these technologies present and evaluate how they can integrate new technologies into their risk management and compliance functions. Beyond methods like MFA and quantum-resistant encryption as discussed by the OCC, banks should consider enhancements like automated customer notification and resolution through multiple channels as well as algorithmic real-time monitoring of customer and employee activity. Banks also need to understand and scrutinize cybersecurity and fraud protections among their third parties, including fintech partners. Such actions are particularly important because weaknesses in fraud prevention and cybersecurity will not only result in examination findings under any regulatory leadership; they could also result in reputational damage and loss of consumer trust.