In fiscal 2016, OCC to focus on how bank AML, cybersecurity programs ‘evolve’ to counter criminals

Over the next year, the federal regulator of the country’s largest banks will give added scrutiny to how adroitly financial crime teams can pivot to counter new anti-money laundering and cybersecurity threats, while managing current programs and bolstering identified gaps.

The updated regulatory agenda is laid out in the Committee on Bank Supervision Fiscal Year 2016 Operating Plan from the US Treasury’s Office of the Comptroller of the Currency (OCC), released last week. At its heart, the regulator wants to see a clear “evolution” of programs to counter criminal threats, from money launderers to hackers, rather than stagnation and looking backwards.

The operating plan details the “priority objectives” for OCC examiners for the next fiscal year – from October 1 to September 29 – and refreshes goals stated in prior strategic plans, spanning 2012 to 2019, released in June of this year, in September 2014 and in September 2011. A copy of the plan can be found here.

The updates are clearly informed by two recent developments: high-profile financial crime compliance enforcement actions, which resulted in the OCC being called before Congress and forced to retool the way penalties are calculated and to shrink the regulatory leeway given to large institutions; and massive hacker attacks against large banks, retailers and even the US government.

This latest iteration gives significantly more attention and ink than prior strategic and operating plans to areas that form the foundation of financial crime compliance processes, a critical departure in tone and depth for the OCC, evincing that examiners will be spending more time digging into the more arcane aspects of anti-money laundering (AML) and cyber systems.

The regulator is also more tightly linking key divisions of a financial crime compliance program that have historically operated in insular silos, noting, for example, that the models used in managing AML risks and the assessment of information security gaps are part of a more holistic exercise in calibrating operational risk.

For instance, the OCC states that examiners over the next year will be more rigorously gauging the methods, backend processes and validation standards for the mathematical models used in financial crime detection and prevention, such as those used in customer risk assessments, transaction monitoring and other risk scoring metrics.

Here are some of the key compliance takeaways from the OCC’s 2016 operating plan:

AML evolutions: The OCC will determine whether banks have effective AML programs and controls to address changing customer profiles, evolving money-laundering schemes, the rapid pace of technological change, and the overall risk that money laundering and terrorist financing activities create.

Formal, informal actions: Ensuring effective, timely, and consistent application of guidance for matters requiring attention (MRA) and enforcement actions. This includes assessing and validating that requirements for matters requiring attention and enforcement actions are met and that concerns are addressed and the action/MRA is closed or terminated in a timely manner. Examiners-in-charge will clearly communicate any additional actions needed to satisfy requirements.

Operational risk: Assessing information security and data protection, model risk management, and third-party risk management, including risks associated with third-party relationships. OCC supervisory staff members will evaluate bank management’s plans to respond to increasing operational risk resulting from the introduction of new or revised business products, processes, delivery channels, or third-party relationships.

Cyber threats: Reviewing banks’ programs for assessing the evolving cyber threat environment and banks’ cyber resilience. Examiners will use the new Cybersecurity Assessment Tool.

The Federal Financial Institutions Examination Council, the same group that created and has kept updated the interagency AML exam manual, in June released the Cybersecurity Assessment Tool so banks and exam staff can identify and strengthen data and systems against increasingly aggressive hacker incursions.

The assessment, according to the group, aids in determining a “bank’s inherent risk profile and level of cybersecurity preparedness. The results may be reviewed to determine whether the bank’s cybersecurity maturity levels align with the bank’s inherent risk profile.”

As part of the assessment, the FFIEC has also made available resources for institutions, including an executive overview, a user’s guide, an online presentation explaining the Assessment, and appendixes mapping the Assessment’s baseline items to the FFIEC Information Technology (IT) Examination Handbook and to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

“Publishing the FY 2016 bank supervision operating plan provides greater transparency around our supervisory priorities, and helps bankers better understand our focus for the next year,” said Comptroller of the Currency Thomas J. Curry, in a statement.