In their Semiannual Risk Perspective, Spring 2020 guidance, the Office of the Comptroller of the Currency (OCC) recognized the severe shift in the risk environments of financial institutions due to COVID-19. In the report, the OCC highlights key financial, operational, and cybersecurity risk factors that have rapidly changed since the pandemic, and that banks must consider moving forward.
The OCC emphasizes that although most banks were in good operating and financial condition before the pandemic, the speed, depth, and impacts of the economic disruption ahead will be difficult to predict. We’ve taken a look at this guidance and detail the newly emerged operational, financial, information technology, and compliance risks that institutions should be specifically addressing.
As the economic outlook remains uncertain, bankers need to focus on the core elements of operations, including:
Capital has been an industry strong point since the last economic recession. The financial industry took lessons learned from prior experience and implemented sound risk management practices to adequately safeguard existing capital and build additional capital buffers. Now, COVID-19 has required these strong capital positions to be called into action. In order to protect capital against the effects of the pandemic, management should:
- Perform capital stress testing
- Run “what-if” scenarios mirroring forecasted pandemic outlooks as part of Asset/Liability Management modeling, and understand these implications on the capital position
- Analyze COVID-19-related delinquency activity and ensure Allowance for Loan and Lease Loss models are updated to include increased factor allocations to prepare for any incoming losses
Industry asset quality has also greatly increased due to enhanced credit underwriting standards. These standards are particularly important during the pandemic, but don’t end with loan origination practices. Institutions should:
- Review credit underwriting criteria, and strengthen as needed
Over the last few years, the economy has flourished. A booming economy may have led some institutions to relax credit underwriting guidelines, allowing them to take on additional risk with a goal of growing the organization. It’s a great time to review existing criteria and ensure they align with the Board’s risk appetite, which may have changed during challenging economic conditions.
- Proactively perform annual commercial credit reviews
With record-high unemployment levels and business closings, credit risk will increase. It’s important for bankers to talk with customers during periods of economic uncertainty and understand how the pandemic is impacting each customer’s business. Do they need Paycheck Protection Program (PPP) loans or forbearance, or are they having trouble making payments? Or is it business as usual? Performing these reviews will help ensure management has a strong understanding of its asset quality.
- Stay informed of PPP loan guidance and regulation
New information is coming out daily about the PPP. Management should be cognizant of changes to this program and be aware of their implications and potential risks.
Management must mitigate existing and emerging threats resulting from the pandemic by:
- Implementing new processes and procedures presents many operational risks
Adopting pandemic-related continuity plans (like remote working) adds challenges to operations. As things change, it’s important to ensure policies and procedures are updated, executive management is consulted and informed, and the Board is aware of any material impacts to the organization.
- Tone at the top is important
With a virtual work environment for most employees, it’s important to maintain a control-focused culture. Risk management and audit oversight of bank operations must keep pace with the rapid implementation of pandemic-related business continuity plans, and the transition from traditional operations to a heightened operational level. The need for independent oversight and validation of control effectiveness is essential to safeguard operational integrity in the current stressed environment.
- Banks must be cognizant of industry changes, including London InterBank Offered Rate (LIBOR)
Create and formalize a project plan for this change, or review and revise existing project plans. Identify changes to the work environment and what impact it will have on the overall plan.
Interest rates are at historic lows, past due loans and provisions for loan losses are increasing, and operational expenses are rising—which will challenge profitability. Management should:
- Examine the short history (March-June 2020) and impact of the pandemic in a budget-to-actual analysis. Additional costs to the IT budget (e.g., adding laptops or VPN licenses) may have occurred, but almost all institutions will realize unbudgeted PPP loan income and decreases to non-interest expenses. Analyze the overall shortfalls or gains to the budget and consider a recast budget, giving shareholders a better understanding of the 2020 earnings picture.
- Examine earnings results as part of “what-if” scenarios mirroring forecasted pandemic outlooks during Asset/Liability Management modeling. Working with internal teams or vendors to run several “what-if” scenarios gives institutions the best chance of developing plans to address earnings at risk.
- Understand impacts related to customer waived payments and fees. The Coronavirus Aid, Relief, and Economic Security (CARES) Act and other relief programs called upon the banking industry to shoulder a heavy portion of the economic burden. Before decisions are made to waive payments and fees, understand the impact to earnings.
Bankers should ensure institutions have sufficient liquidity—focusing on funding new lending activity and daily liquidity needs of customers.
- Monitor the daily liquidity position closely. Making sure the cash position meets expectations daily is an important step to preserving liquidity. The Federal Reserve, among others, has provided additional outlets that banks can access to avoid liquidity disruptions.
- Evaluate stress testing results, run “what-if” scenarios that mirror an economic downturn, and monitor early warning indicators frequently. These activities will give management the ability to actively respond to liquidity disruptions and ensure day-to-day operations won’t be compromised.
- Ensure contingent funding sources are operational and up to date. Lines of credit with correspondent institutions should be tested to ensure availability in the time of need.
Probably the most important risk to monitor during the pandemic is sensitivity. With the Net Interest Margin (NIM) 2020 outlook uncertain given the volatile rate environment and global pressures, banks may see a need to take on additional risks to meet earnings pressures. This is especially important for banks that have asset-sensitive balance sheets, whose earnings are negatively affected when interest rates decline and remain low. Before these decisions are made, management should:
- Spend additional time in Asset Liability Committee (ALCO) meetings
These meetings are critical for strategic decision making. During uncertain economic times, extra effort should be made analyzing additional NIM scenarios, evaluating responses to policy violations, and strategizing for the uncertain future.
- Analyze assumptions used in Interest Rate Risk (IRR) modeling
Assumptions that mirrored the institution’s actual results six months ago may not work for the next 3-12 months. With historically low rates, prepayment speeds may increase due to refinance activity. Tweaking assumptions to make the most accurate model results will help management make the best strategic decisions while navigating unknown future economic conditions.
- Run doomsday “what-if” scenarios
This is the perfect time for the ALCO to analyze the most drastic situations that could occur. Banks could start by reviewing what efforts management would need to make during a worst-case scenario, and the factors that would contribute to a true “worst-case scenario.” It’s critical to understand the capacities of business operations. If the worst case is in the distance, then banks may be seated in a great position during these difficult times. If it’s only a few wrong decisions away, banks need to consider what strategic moves they need to make to steer down a better path.
The OCC has recognized that remote work environments and the use of new technologies are two of the most prominent procedural changes made to complete customer transactions. Banks must be aware of new risks they could face as a result of these shifts, including new cybersecurity vulnerabilities, fraud and risk exposure, stress on change management processes, and the impact on telecommunications capacities and service delivery levels.
Teleworking has been one of the main adjustments for banks during this pandemic. Banks are implementing both virtual private networks and conferencing tools to continue normal operations. These technologies, as well as lack of employee experience and training, have led to a spike in phishing attacks against bank customers and employees, and increased attacks targeting teleworking weaknesses. It’s essential that these tools be configured, secured, and monitored in accordance with the strictest security requirements that you enforce over your critical internal systems.
Fraud and Risk
Sensitive processes normally performed internally that are now occurring outside of the bank can increase the risk of fraud and potential for exposure of customer information. On top of phishing, destructive malware and ransomware attacks have increased during the pandemic. The use of data loss prevention tools, callback procedures, and increased employee awareness of privacy and phishing mitigation procedures are just some of the ways banks can protect themselves from these impending threats.
The timing of the pandemic forced many financial institutions to implement new systems more quickly than they normally would in order to meet customer needs. These new implementations may stress the existing change management processes in place. Change management and third-party risk management should always be risk-focused.
Telecommunication/Service Delivery Levels
The increase in telecommunication by employees, customers, and bank associates has affected banks’ telecommunication capacities. Where possible, banks should provide additional bandwidth in order to meet the growing demand. Banks should also actively monitor workloads and performance levels so that any reductions in service delivery levels for customers can be minimized.
The OCC calls out the increasing compliance risk as a result of COVID-19 in their latest guidance—citing “reduced operations, employee teleworking, and rapidly changing customer service environments” as the sources of considerable challenges to compliance. There are significant Bank Secrecy Act (BSA), Regulatory Compliance, and Fair Lending risk factors to be aware of in the post-pandemic environment.
Bank Secrecy Act, Anti-Money Laundering (AML), and Office of Foreign Assets Control (OFAC)
The ever-present risks associated with BSA/AML and OFAC are heightened. The OCC correctly points out that reduced or modified work arrangements that were rapidly enacted to remediate pandemic concerns can lead organizations to make significant alterations to their compliance processes.
Unfortunately, given the high degree of overlapping processes in BSA, a change to one process will have a knock-on effect in another. For example, an institution that chose to postpone enhanced due diligence reviews may not readily detect or prevent money laundering appropriately.
Additionally, new scams, frauds, and opportunities to layer, place, and integrate illicit gains are emerging in the COVID-19 landscape. If a bank is, or has been, struggling to keep pace with the otherwise routine demands of maintaining a strong BSA program, new threats are more likely to be overlooked.
Regulatory Compliance and Fair Lending
The OCC states that the risks of reduced operating capacity, BSA of remote work, and the PPP process are also prevalent in Regulatory Compliance and Fair Lending. We’re seeing more audit issues and errors related directly to these risk factors across all of our regulatory compliance audits. The root cause appears to be the fact that maintaining compliance at a financial institution relies heavily on staff outside of the compliance department.
More importantly, the stress of a remote work and dynamic operating environment has shifted the priorities of many institutions to simply “getting the work done.” As a result, regulatory compliance has a tendency to become deprioritized, leading to compliance mistakes that otherwise might not happen. This can become exacerbated in high-risk areas like lending, where the rules are technical and complex, and the impact of a compliance mistake isn’t always immediately apparent. In fact, the OCC is particularly concerned about the impacts COVID-19 is having on the bank’s ability to prevent fair lending violations.
While the forbearance and loan modifications allowed under the CARES Act and the PPP are incredibly important to keep customers and the economy going, fair lending controls can’t be overlooked. It’s critical that financial institutions are proactive in preventing discrimination and ensure fair and equitable access to credit products and financial relief. Race, marital status, nationality, gender, age, or religion and any proxy for those reasons shouldn’t be used in decision making when it comes to determining access to credit products or financial relief.
COVID-19 has radically changed the risks faced by financial institutions, and banks need to shift their attention and address these new challenges to ensure continuity. The OCC’s Semiannual Risk Perspective, Spring 2020 guidance aims to describe these risks in detail, giving banks the necessary information to develop effective procedures to mitigate these threats and prepare for those on the horizon.