Banks must better balance resources, technology, expertise to counter rising cyber, AML threats: OCC

By Brian Monroe
January 12, 2017

The chief regulator of the largest banks in the United States is raising fresh worries that bank compliance budgets, expertise and systems may not be able to counter the rising risks of cyber attacks, corrupt insiders and a flood of questionable “de-risked” entities on their communal doorstep.

Those are just some of the critical details parsed out from the US Treasury’s Office of the Comptroller of the Currency’s (OCC) Semiannual Risk Perspective released last week.

The 29-page document is a sector-spanning look ahead to program areas where examiners will give additional scrutiny due to concerns that certain banks – particularly large, sophisticated operations in multiple jurisdictions – have not devoted adequate financial crime risk governance and control structures to ward off money launderers, fraudsters, corrupt politicians and cyber attackers.

The publication touched on the risks and rewards of banking “de-risked” customers – and noted that not engaging this class of customers or regions could result in lost financial intelligence on criminal trends.

The OCC also highlighted a common refrain tied to the gulf between examiner expectations and strained resources on the anti-money laundering (AML) side, a dynamic that could prevent some institutions from acquiring cutting edge technology to better detect and report suspicious activity and put the compliance officer in charge of that program on the proverbial hot seat.

On the cyber side, the regulator noted an upsurge and resultant damage of malware and phishing attacks. The report covered cyber vulnerabilities from the human side, such as employees clicking on the wrong email or responding to a fraudster impersonating an executive. The OCC also reiterated the importance of quickly closing matters requiring attention (MRAs).

In this latest risk perspective, the OCC gave extensive coverage to issues under the overarching umbrella of compliance risk management, including AML and cybersecurity issues, echoing statements last year by Comptroller Thomas Curry that the threats related to AML and cyber “resemble” each other.

Operational risk “remains high on our radar as banks adapt business models, transform technology and operating processes, and respond to increasing cyber threats,” Curry said in prepared comments about the risk perspective.

“Well publicized breaches have made cybersecurity a household topic, and banks and regulators must continuously up their game to protect against the latest cyber attack and ensure they are capable of maintaining their operations and recovering in the event that an attack does occur,” he said.  

The document is also informed by high-profile criticism of the agency’s past enforcement practices that led to OCC representatives being called before congress in 2012 on financial crime oversight, and a more recent grilling by lawmakers in September due to fraudulent sales practices by Wells Fargo, one of the country’s largest banks, that led to the ouster of its chief executive.

As a result, the OCC issued sweeping changes still being felt today, such as not allowing banks to hold as many rolling informal MRAs, making more informal actions formal, and making financial crime failures a more vital pillar violation that could affect deposit insurance rates.

Compliance convergence, tech duality

The OCC’s tacit call for financial crime compliance convergence was recently buttressed by the U.S. Treasury’s Financial Crimes Enforcement (FinCEN), which last year issued two pieces of guidance on “cyber-enabled frauds,” such as business email compromise, that exhorted AML, fraud, and cyber teams to unite against a common threat.

In tandem, the OCC, and other federal banking regulators, in October issued proposed rules for financial institutions with more than $50 billion in assets, requiring them to bolster cyber standards in key nodes. The rules focused particularly on boosting resilience and recovery, so that if institutions are attacked, it would not result in disruptions to the broader international financial system.

The comment period for those proposed rules ends this coming Tuesday.   

Curry also more tightly intertwined financial crime compliance as a “safety and soundness” issue that institutions should view on par with the core functions of a bank. He added that AML is such a priority the regulator last year created a new executive-level department dedicated to compliance policy and supervision.

“By focusing OCC resources on compliance, we send a clear message of the importance of compliance and ensure issues are addressed appropriately in each exam,” Curry said. “Compliance continues to be a challenge for many banks, particularly with the Bank Secrecy Act (BSA),” the chief AML law of the United States.  

But in some cases compliance can also be frustrated by technology on the opposite side of the coin, where innovation to make international transactions less costly and more efficient can leave mitigation techniques behind, according to the OCC.

“Technology developments and innovation designed to improve operational efficiency or to enhance product and service offerings by increasing access to financial services and convenience to customers may create vulnerabilities that can be exploited by criminals,” the regulator said.

“Timely identification of these vulnerabilities, and the design and application of effective controls to mitigate resulting risks, continue to present challenges for some banks,” according to the OCC, adding that skimping on compliance spending can open the door to criminal groups.

“Constraints on resources and ability to apply and maintain the level and quality of expertise” across on AML program can “increase the scale of vulnerabilities created by technology development and innovation,” with non-bank and fintech firms adding more complexity to the fray.

But as some banks address risk concerns by dropping certain customers, non-bank operations and even whole regions, that can present a trickle-down effect of risky customers moving to smaller institutions. In recent months, enforcement actions have highlighted the perils of this risk migration. Some regional banks and credit unions have been penalized for taking on customers like foreign money services businesses operating in risky jurisdictions, without having effective AML compliance controls in place.

It can also mean certain payment trails go dark, hurting U.S. investigative initiatives.

“Bank decisions to terminate customer relationships resulting from risk reevaluations continue to pose the risk that certain customer segments or transactions may move out of the formal financial system where they can be monitored and reported to law enforcement authorities,” according to the OCC.  

Moreover, there is also the “continued risk that potentially higher-risk customer relationships that are terminated by a bank may migrate to other banks that are less experienced in managing complex money laundering risks.”

Cyber threats rise in interconnected financial system

Migration patterns also include a wide array of criminal groups looking to puncture firms’ virtual vaults, from low-level hacktivists to savvy nation-state attackers.

“Sophisticated cybersecurity threats continue to pose high inherent risks to an interconnected financial services marketplace,” according to the OCC, adding that puts more pressure on institutions to go beyond the basics of software patches, but engage in “strong end-user training,” which can “help banks avoid phishing attacks and mitigate risks.”

The regulator is also cognizant of several recent “well-publicized events of exploitation of personal information and communications” which demonstrate the need for “continued vigilance, and smarter cyber practices,” including strong authentication as well as current end-point software and malware detection.

The high-profile cyber attacks against interbank networks and wholesale payment systems “have demonstrated a range of capabilities that focus on weak cyber practices and poor internal controls,” according to the OCC. “These events demonstrate the increasing ability and willingness of malicious actors to infiltrate systems and expose information or deny access to information and systems.”