On June 14, 2023, the Office of the Comptroller of the Currency (OCC) released the spring edition of its Semiannual Risk Perspective (SARP). The report covers risks facing national banks, federal savings associations, and federal branches and agencies.
Based on data accumulated until December 31, 2022, the report focuses on issues that pose a threat to the safety and soundness of banks, the fair treatment of their customers, and their compliance with applicable regulations and legislation. The report acknowledged that, although banking faced increased volatility in the first quarter of 2023 due to a liquidity crisis, the overall strength of the federal banking system is sound. Despite this relative strength, the OCC counsels that “banks should remain diligent and maintain effective risk management practices.”
The report groups risk into key themes including liquidity, operational, credit, and compliance, and expands on several major risk factors in each of these areas. When it comes to operational risk and resilience, a concern is the concept of ‘tech debt’ amid the rapid advance of technology within banking and finance.
While the SARP acknowledges that banks are continually investing in maintaining and updating their technology infrastructure, it also states that “some may struggle to keep up with technological advances while continuing to maintain legacy infrastructure”, explaining:
“The continued use of aging technologies and End of Life (EOL) systems can be driven by costs associated with system upgrades, challenges with updating large and highly complex system architectures, lack of a clear technology strategy, or a combination of factors. Prolonged use of these older or legacy systems could increase the likelihood of operational outages, introduce security vulnerabilities, create system maintenance challenges, and create other concerns that could reduce operational resilience.”
While organizations can successfully and compliantly run architectures built on legacy systems, overreliance on older or near-EOL technology and an unwillingness to engage in system updates or hardware upgrades “can create risks to an organization and unnecessarily increase its ‘tech debt’”. As such, the OCC has “identified increasing supervisory concerns related to EOL, patch management, and system and data architecture”.
There is a compelling business case for organizations to keep pace with advances in infrastructure and avoid falling into tech debt. Upgrades to systems allow businesses to capture more opportunities by scaling up, avoid the risk of being unable to engage in certain practices or partnerships because of inflexible legacy systems, and maintain their reputation by ‘keeping up with the Joneses’ in terms of tech.
But the compliance and operational resilience case for avoiding tech debt should be just as compelling. Bad actors have had a long time to figure out – and exploit – flaws in legacy architectures, and allowing tech debt to accumulate also allows risk of outages, breaches, data theft, and business disruption to build.
Staying aware of emerging technologies and consistently evaluating and auditing how well existing systems perform is crucial to maintaining operational resilience. Pairing this with secure data vaulting and protection practices further reduces the risk of breaches, theft, and business outages.
The external factor
Another key risk area highlighted by the OCC is how outside influences and unexpected external channels can have impacts on activity within the banking and financial space:
“Recent bank failures underscore how technological advances can enable rapid deposit outflows. Today’s technology can be used to support real-time money movement and accelerate communications across social media and other digital channels.”
These bank failures include the collapse of Silicon Valley Bank, which was accelerated by conversation on social media and depositors’ access to digital banking technology that allowed them to withdraw funds in near real-time, reacting to the influx of social media information – and disinformation. A report reviewing the collapse of SVB by the US Federal Reserve included an apt summary of this emerging risk area by Michael Barr, Vice-Chair for Supervision:
“The combination of social media, a highly networked and concentrated depositor base, and technology may have fundamentally changed the speed of bank runs.”
How communications – especially those playing out in the public eye via social channels and digital media outlets – can affect organizations and markets is a consideration that needs to be part of any modernized risk management strategy. The ongoing furore around cryptocurrency and regulation is a good example of how these new channels are presenting a new area of risk. Organizations would do well to heed the OCC’s advice from the SARP, and consider investing in solutions that enable communications monitoring, both internally and externally, that include the opportunity for AI-driven sentiment analysis:
“As part of a bank’s risk management practices, it may be prudent for bank management to monitor digital channels for unusual or higher-volume activities … and monitor social media for shifts in sentiment or other negative news.”
Giving third parties the third degree
Within the OCC’s analysis is a caution around organizations’ involvement with third-party partners and service providers. While working with third parties can be a source of strength and capability, the SARP counters that, if managed incorrectly, it can become a source of risk:
“Adoption of … new products, services, and delivery channels, as well as expanded relationships with fintech companies and other third parties, can contribute to a complex operating environment along with increasing compliance, reputational, strategic, and other risks.”
Some organizations seeking to minimize their tech debt may find themselves working with multiple vendors for multiple solutions, creating a web of complexity and increased risk where solutions leave unforeseen ‘gaps’ in interoperability that outside operators may exploit, or where a third party is subject to a data breach or service outage.
There are plenty of cautionary tales to choose from when it comes to the fallibility of third parties, and the organizational, regulatory, and (increasingly) individual risks that poor third-party management can lead to. The recent £80,000 penalty imposed on the CIO of TSB for the mismanagement of a data migration involving a third party is just the latest example.
For organizations looking to balance the pros and cons of third parties, identifying a third-party partner that can provide a comprehensive and complete solution that cuts through multi-vendor complexity also offers increased operational resilience, reduced risk, and single-source accountability.
Compliance, not complacency
On 14 June, Michael J. Hsu, the Acting Comptroller of the Currency, released a statement summarising the key takeaways identified in the SARP. He said that the OCC will “expect banks to be on the balls of their feet” when it comes to risk management, and urged organizations to focus on:
“Maintaining discipline and strong risk management across all risk areas, not just in response to headlines, and preparing to communicate clearly, credibly, and promptly about their condition and risk profile should questions arise from customers, investors, depositors, and other stakeholders.”
An awareness of the interplay between external forces – like social media and the news cycle – and risk, and an adherence to the core tenets of communication, accountability, and transparency, are key to both effective risk management and managing the external perception of that risk. The OCC’s expectations around how banks and financial organizations engage with and control risk place a significant – but justifiable – burden on them and their compliance teams to anticipate risk and take the right steps to mitigate its impact.
Hsu’s statement acknowledges this pressure, highlights that managing risk is inherently a shared responsibility, and zeroes in on a cardinal sin of compliance:
“Maintaining such vigilance can be challenging, though. That is why it is critical for us all to continue to guard against complacency.”
While the SARP encourages organizations to become more operationally resilient, less burdened by ‘tech debt’, and more cognizant of the impact of external factors on the risk environment, there’s one thing they absolutely can’t afford to become – complacent.