OCC worried about how banks craft cyber defenses, resilience, migration of AML ‘de-risked’ entities

The regulator of the largest and most complex banks in the US has raised new concerns about how banks improve cyber resilience and defend against cyber attacks, as well as fears that large swaths of entities “de-risked” due to anti-money laundering concerns are migrating to smaller institutions unprepared to deal with them.

Those are some of the key takeaways in the US Treasury’s Office of the Comptroller of the Currency’s (OCC) Semiannual Risk Perspective released this week. The document also touched on the financial crime compliance risks of third-parties on both the anti-money laundering (AML) and cyber side, the rise of ransomware and banks being forced to pay criminals in virtual currency, and the importance of adequately responding to matters requiring attention (MRAs).

The 34-page document is an industrywide glimpse ahead to where examiners will give extra scrutiny due to worries that certain banks – particularly large, sophisticated operations that operate in multiple jurisdictions – don’t have adequate financial crime risk governance and control structures to keep out money launderers, fraudsters, corrupt politicians and more determined cyber attackers.

The document is also informed by high-profile criticism of the agency’s past enforcement practices. In the wake of the $1.9 billion penalty against HSBC, OCC representatives were called before Congress in 2012 and quickly pledged changes, such as not allowing banks to hold as many rolling informal MRAs, making more informal actions formal, and making financial crime infractions a more vital pillar violation that could affect deposit insurance rates.

In this latest risk perspective, the OCC spent significant ink on AML and cyber threats, a clear nod to recent statements by Comptroller Thomas Curry that the risk management threats from AML and cyber “resemble” each other.

“Operational risk remains elevated as banks deal with changing threats to cybersecurity and increasing reliance on third-party relationships,” according to the report. “Bank Secrecy Act (BSA) and compliance risk management remain complex areas to manage and continue to pose challenges as banks implement systems to address changes in technology and comply with new rules.”

On the cyber side, the OCC highlighted that new threats include:

  • Banks and their employees, customers, and third-party relationships remain vulnerable to cyber attacks. A common point of entry into internal systems involves a phishing attack aimed at an employee, customer, or third party. Such an attack may result in cyber criminals gaining access to infrastructure and applications through downloaded malware.
  • Recent cyber attacks against interbank networks and wholesale payment systems have demonstrated a range of capabilities, including:
      − compromising a financial institution’s wholesale payment origination environment, and obtaining and misusing valid operator credentials with the authority to create, approve, and submit fraudulent messages.
      − employing sophisticated understanding of funds transfer operations and operational controls.
      − using highly customized malware to disable security logging and reporting, as well as other operational controls, to conceal and delay detection of fraudulent transactions.
      − transferring stolen funds across multiple jurisdictions quickly to avoid recovery.

  • Banks and other businesses continue to receive extortion demands to be paid in virtual currency in exchange for preventing or stopping distributed denial of service attacks or for the decrypting or return of proprietary information. According to one recent industry report, ransomware samples rose 26 percent to almost 1 million from the third quarter of 2015 to the fourth quarter of 2015.
  • Cyber criminals increasingly target businesses, including banks and their customers, using social engineering attacks on bank employees that request expedited wire transfers to pay phony vendor invoices. This scheme, known as business e-mail compromise (BEC), resulted in more than $2.3 billion in losses across all businesses, from October 2013 through February 2016, according to the Federal Bureau of Investigation (FBI).

Dangers of de-risking

The OCC also touched on the broad trend of AML de-risking, where banks drop accounts tied to certain business lines, individuals and even entire regions due to actual or perceived financial crime compliance risk or related regulatory scrutiny.

“Some banks have reevaluated client BSA/AML risk profiles and limited activities or closed accounts of certain customers,” according to the document. But “displacement of customers from large banks may result in higher risk customers moving to smaller and less sophisticated banks—banks that potentially have less experience managing the associated BSA/AML risks.”

This displacement also “may result in the financial exclusion of some customers from banking services, and transactions that would have taken place subject to regulatory oversight may be undertaken with less scrutiny in a non-regulated context,” resulting in a loss of key intelligence for law enforcement.

As a general matter, the OCC “does not direct banks to open, close, or maintain individual accounts, nor does the agency encourage banks to engage in the termination of entire categories of customer accounts without regard to the risks presented by an individual customer or the bank’s ability to manage the risk.”

Rather, the OCC expects banks to assess the risks posed by individual customers on a case-by-case basis and “implement controls to manage the relationships commensurate with these risks.”

Banks “must make their own choices about whether to enter into or maintain a business relationship based on their unique business objectives, their own evaluation of the risks associated with the particular products or services, and their own capacity to effectively manage those risks,” the OCC said.

By understanding the risks associated with their domestic and foreign customers and the jurisdictions in which they operate, banks “are better able to make determinations regarding how to address those risks,” and to base more of those decisions on information and data analytics rather than on regulatory fears.