Bank directors and management teams have it particularly tough when it comes to satisfying corporate constituencies. Not only must they cater to their shareholders, creditors, employees and local communities — they have the unenviable task of keeping at least one federal bank regulatory agency satisfied with the way they run the bank.
Keeping the regulators happy is no small feat: Regulatory priorities can change from one year to the next, affected by economic, political, technological and social changes. Fortunately, federal regulators periodically reveal topics that are of significance and focus for them. The Office of the Comptroller of the Currency publishes its “Semiannual Risk Perspective,” and the Federal Deposit Insurance Corp. issues “Supervisory Insights” twice each year. Additionally, the FDIC published its “Consumer Compliance Supervisory Highlights” this past summer. Below is a discussion of several hot-button risk topics discussed in these publications.
Credit quality is generally strong, as measured by performance metrics such as delinquencies, loan losses and problem loans. Now is a great time for boards and management teams to focus on credit administration ahead of the next cyclical downturn in credit. Regulators specifically focus on timely and accurate credit-risk identification, risk mitigation and loan loss reserve methodology. Two additional credit-related regulatory topics of interest are preparation for the phase-out of the London Interbank Offered Rate (LIBOR) and implementation of current expected credit losses (CECL) standard. While the effective dates for these changes are several years in the future, banks should be prepared to discuss the status of their transition plans to date.
Heightened operational risk in the banking industry has been a consistent message from the regulators over the past decade. One primary driver of the increased focus is persistent cybersecurity threats to bank systems, especially threats to bank systems from third-party service providers. Malicious actors continue to hone their skills, tools and tactics, which makes it imperative for banks to reassess, validate and enhance their cyber controls and defenses. Regulators expect to see:
- Effective user awareness training and testing on malicious social engineering tactics.
- Robust authentication systems to prevent improper outside access to systems and information.
- Strong controls around permitted internal system access.
- Strong processes for system and software inventory management, including maintenance, updates, patches and disposition.
- Robust third-party vendor diligence procedures.
Bank regulators describe strategic risk as the risk to a bank’s financial condition from bad business decisions, poor implementation of business decisions or ineffective responses to significant changes in the industry. Each of these components of strategic risk is implicated by a bank’s decision to invest in technology, whether the investment is in products, services, operational systems, customer acquisition or any combination thereof.
Regulators will look for evidence that a bank has sound corporate governance practices, such as board/committee deliberations on technology investment, assignment of appropriate management supervision of technology investments and periodic committee/board reporting on technology investment performance. Proper documentation of a bank’s process is imperative.
Consumer compliance in the industry has been satisfactory, despite several high-profile consumer-compliance debacles over the past few years. However, during the FDIC’s 2018 examination cycle, it identified several areas of noncompliance worth noting, including overdrafts, Real Estate Settlement Procedures Act (RESPA) and Regulation E liability and error resolution.
In the overdraft arena, the FDIC identified problems in programs using the available-balance method in the assessment of fees. Specifically, the FDIC identified inadequate description of the available-balance methodology as a potentially unfair or deceptive practice.
The FDIC also uncovered violations of the anti-kickback provisions of RESPA. A number of the kickback violations stemmed from purported office rental arrangements, which were disguises for illegal payments for referrals.
In the Reg E space, the FDIC identified incorrect calculation of consumer liability for unauthorized transfers, as well as faulty error-resolution processes. Whether a bank received criticism in any of these areas during its last exam or as a result of an internal compliance review, it will be well-served by commissioning a close internal review of these technically difficult compliance areas.
From a bank-regulatory perspective, there is no substitute for operating a comprehensively safe, sound and compliant institution. No bank should let its guard down in any area. However, bank boards and management teams would do well to pay particular attention to the hot-button issues at the top of regulators’ minds. Forewarned is forearmed.