Forewarned is Forearmed – What’s On the Regulators’ Minds?

Bank directors and management teams have it particularly
tough when it comes to satisfying corporate constituencies. Not only must they
cater to their shareholders, creditors, employees and local communities – they
have the unenviable task of keeping at least one federal bank regulatory agency
satisfied with the way they run the bank.

Keeping the regulators happy is no small feat: Regulatory
priorities can change from one year to the next, affected by economic,
political, technological and social changes. Fortunately, federal regulators
periodically reveal topics that are of significance and focus for them. The
Office of the Comptroller of the Currency publishes its “Semiannual Risk
Perspective,” and the Federal Deposit Insurance Corp. issues “Supervisory
Insights“ twice each year.
Additionally, the FDIC published its “Consumer Compliance Supervisory
Highlights” this past summer. Below is a discussion of several hot-button risk
topics discussed in these publications.

Credit Risk
Credit quality is generally strong, as measured by performance metrics such as delinquencies, loan losses and problem loans. Now is a great time for boards and management teams to focus on credit administration ahead of the next cyclical downturn in credit. Regulators specifically focus on timely and accurate credit-risk identification, risk mitigation and loan loss reserve methodology. Two additional credit-related regulatory topics of interest are preparation for the phase-out of the London Interbank Offered Rate (LIBOR) and implementation of current expected credit losses (CECL) standard. While the effective dates for these changes are several years in the future, banks should be prepared to discuss the status of their transition plans to date.

Operational Risk
Heightened operational risk in the banking industry has been a consistent message from the regulators over the past decade. One primary driver of the increased focus is persistent cybersecurity threats to bank systems, especially threats to bank systems from third-party service providers. Malicious actors continue to hone their skills, tools and tactics, which makes it imperative for banks to reassess, validate and enhance their cyber controls and defenses. Regulators expect to see:

• Effective user awareness training and testing on
  malicious social engineering tactics.
• Robust authentication systems to prevent
  improper outside access to systems and information.
• Strong controls around permitted internal system
  access.
• Strong processes for system and software
  inventory management, including maintenance, updates, patches and disposition.
• Robust third-party vendor diligence procedures.

Strategic Risk
Bank regulators describe strategic risk as the risk to a bank’s financial condition from bad business decisions, poor implementation of business decisions or ineffective responses to significant changes in the industry. Each of these components of strategic risk is implicated by a bank’s decision to invest in technology, whether the investment is in products, services, operational systems, customer acquisition or any combination thereof.

Regulators will look for evidence that a bank has sound
corporate governance practices, such as board/committee deliberations on
technology investment, assignment of appropriate management supervision of
technology investments and periodic committee/board reporting on technology
investment performance. Proper documentation of a bank’s process is imperative.

Compliance Risk
Consumer compliance in the industry has been satisfactory, despite several high-profile consumer-compliance debacles over the past few years. However, during the FDIC’s 2018 examination cycle, it identified several areas of noncompliance worth noting, including overdrafts, Real Estate Settlement Procedures Act (RESPA) and Regulation E liability and error resolution.

In the overdraft arena, the FDIC identified problems in
programs using the available-balance method in the assessment of fees.
Specifically, the FDIC identified inadequate description of the
available-balance methodology as a potentially unfair or deceptive practice.

The FDIC also uncovered violations of the anti-kickback
provisions of RESPA. A number of the kickback violations stemmed from purported
office rental arrangements, which were disguises for illegal payments for
referrals.

In the Reg E space, the FDIC identified incorrect calculation of consumer liability for unauthorized transfers, as well as faulty error-resolution processes. Whether a bank received criticism in any of these areas during its last exam or as a result of an internal compliance review, it will be well-served by commissioning a close internal review of these technically difficult compliance areas.

From a bank-regulatory perspective, there is no substitute for operating a comprehensively safe, sound and compliant institution. No bank should let its guard down in any area. However, bank boards and management teams would do well to pay particular attention to the hot-button issues at the top of regulators’ minds. Forewarned is forearmed.