Banks struggling on compliance staffing due to soaring sanctions, hot competition for SMEs, examiners more tightly linking ESG, financial, AML risks in specter of new ‘climate-related financial risk’ exams: OCC

The Skinny:

  • Many of the nation’s largest banks are struggling to find, hire and keep senior-level staff with the experience, knowledge and skills to manage ever-more complex, scrutinized and liability-laden fincrime compliance programs, according to a just-released federal regulatory bulletin.
  • The update also highlights that compliance in the near future will not get any easier as examiners are preparing the sector for a new and rigorous review of environmental, social and governance (ESG) initiatives under the overarching rubric of “climate-related financial risk” exams – an initiative interlinked in some cases with fincrime compliance duties.
  • The 31-page report is a sector-spanning look ahead to program areas where examiners will give additional scrutiny due to concerns that certain banks – particularly large, sophisticated operations in multiple jurisdictions – have not devoted adequate financial crime risk governance and control structures to counter money launderers, fraudsters, corrupt politicians and cyber attackers.

By Brian Monroe
bmonroe@acfcs.org 
June 24, 2022

Many of the nation’s largest banks are struggling to find, hire and keep senior-level staff with the experience, knowledge and skills to manage ever-more complex, scrutinized and liability-laden fincrime compliance programs, according to a just-released federal regulatory bulletin.

The update also highlights that compliance in the near future will not get any easier as examiners are preparing the sector for a new and rigorous review of environmental, social and governance (ESG) initiatives under the overarching rubric of “climate-related financial risk” exams – an initiative interlinked in some cases with fincrime compliance duties.

Those are just some of the key takeaways from the U.S. Treasury’s Office of the Comptroller of the Currency’s Semi-Annual Risk Perspective.

The 31-page report is a sector-spanning look ahead to program areas where examiners will give additional scrutiny due to concerns that certain banks – particularly large, sophisticated operations in multiple jurisdictions – have not devoted adequate financial crime risk governance and control structures to counter money launderers, fraudsters, corrupt politicians and cyber attackers.

Here are some snapshots for fincrime compliance fighters: 

Financial Crime Compliance: Soaring sanctions, ‘great resignation’ challenging compliance staffing, overall experience/risk balances

Compliance risk remains heightened. Banks are navigating the complexity of sanctions imposed in response to the Russian invasion of Ukraine.

For U.S. banks, although the direct exposure to Russia and Ukraine is limited ($15.8 billion as of December 31, 2021), indirect risks are broad and enforcement of sanctions that have been imposed by various countries will likely strain banks’ compliance resources.

This could be a particular challenge for the banks with the greatest direct and indirect Russian sanctions risk and the most sanctions exposure points.

Why? They are charged with meeting compliance requirements to identify and freeze the assets of more than 300 oligarchs and companies targeted by U.S. sanctions on the Iron Curtain, its proxies and Putin cronies.

At the same time, the OCC has observed an increase in the competition for compliance subject matter experts, at both the bank management and staff levels.

Bank compliance functions also are experiencing challenges retaining and replacing staff.

At issue: A lack of access to subject matter expertise may result in increased compliance and operational risks, particularly if existing compliance processes, controls, testing, and training become subject to funding cutbacks or limitations, or if future compliance management program enhancements and maintenance are delayed.

Additionally, compliance and operational risk may increase or evolve if banks begin using, or expand use of, third-party relationships for support or to fill critical roles, especially if banks do not conduct appropriate due diligence on third parties or select inexperienced or unqualified third parties.

Such risk also may increase if banks expand the use of telework either to remain competitive or retain employees; or if they hire from different geographical areas to fill openings.

OCC links environmental crimes, money laundering, corruption, AML program goals

The Financial Crimes Enforcement Network (FinCEN) issued a notice to call attention to an upward trend in environmental crimes and associated illicit financial activity. Environmental crimes have a strong association with corruption and transnational criminal organizations.

Combating corruption and transnational criminal organizations are among the priorities FinCEN announced in the Anti-Money Laundering and Countering the Financing of Terrorism National Priorities issued on June 30, 2021.

Environmental crimes contribute to climate risk by threatening ecosystems, decreasing biodiversity, and increasing carbon dioxide in the atmosphere.

Cyber defense, resilience, recovery: Surging attacks require stronger virtual armor

Operational risk is elevated. Cyber threats are elevated and continue to evolve, with an observed increase in attacks on the financial services industry.

Operational risk remains elevated as cyberattacks evolve, become more sophisticated, and inflict damage to the U.S. economy.

Additionally, recent geopolitical tensions have further increased cyber risks and highlighted the importance of heightened threat monitoring, greater public-private sector information sharing, and safeguarding against disruptive attacks targeting the financial sector.

The current geopolitical situation further heightens the importance of cyber threat monitoring and effective defensive capabilities.

Ransomware attacks have been observed impacting financial services.

These attacks leverage phishing emails that target employees with the goal of compromising credentials to gain access to networks.

After gaining access, the bad actors conduct ransomware and other extortion campaigns. An increase in distributed denial of service (DDoS) attacks has also been observed.

Additionally, cyber actors continue to exploit publicly known and dated software vulnerabilities and weak authentication against broad target sets, including banks and financial service providers.

Banks’ increasing reliance on third-party relationships, development and adoption of innovative products, services, and technologies, and ongoing changes to banks’ staffing and the operating environment increase operational risk.

These attacks through third-party systems and software demonstrate the importance of banks assessing the risks emanating from their third parties, inclusive of the supply chain, and developing a comprehensive approach to operational resilience.

ESG focus, risks rising: Entirely new ‘climate-related’ financial risk exams coming

The OCC is committed to proactive and risk-based supervision of climate-related financial risks facing banks. The OCC views climate-related financial risks as raising significant risk management issues due to their impact on bank safety and soundness and financial stability.

As reflected in the Fall 2021 Semiannual Risk Perspective, the OCC published for comment in December 2021 draft Principles designed to support climate-related financial risk identification and management by banks with more than $100 billion in total consolidated assets.

The comments received are currently being considered.

If adopted in final form, the Principles would provide a basis for the development of future supervisory expectations with respect to climate-related financial risk management.

The OCC will continue to monitor the development of climate-related financial risk management frameworks at large banks. Current information-gathering indicates that these banks are in the early stages of building out their frameworks.

OCC large bank examination teams will integrate the examination of climate-related financial risk into supervision strategies and continue to engage with bank management to better understand the challenges banks face in this effort, including identifying and collecting appropriate data and developing scenario analysis capabilities and techniques.

As banks’ climate-related financial risk management practices continue to evolve, bank management should continue to ensure that their public statements about their institutions’ climate risk management efforts are consistent with their institutions’ actions.

OCC supervisory activities at these large banks will focus on safety and soundness considerations and integration of climate-related financial risk into bank risk management frameworks.

Fraud Focus: Crypto, DLT, NFTs – examiners want to know what you know, virtually

Distributed ledger technologies and growing adoption of digital assets, such as crypto-assets and stablecoins, have broadened the universe of entities delivering banking and bank-like products and services and raised questions regarding the regulatory perimeter and financial stability.

As innovative products continue to evolve, additional regulatory guidance is anticipated. 

Banks should ensure that they fully understand their risks and compliance responsibilities, and that customers are provided with clear disclosures on the risks of the new transactions, products, and services when engaging in these activities.