Risk Areas to Consider Ahead of Your Next Regulatory Exam

October 17, 2024Articles
Bank Director

The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. each periodically publish a report that describes their views on the current risk areas threatening the banking industry. The OCC calls its report the “Semiannual Risk Perspective,” while the FDIC’s report is called the “Risk Review.” These reports telegraph the risks regulators will be particularly interested in during the next examination cycle. These are the key risk areas your bank should be ready to discuss and defend at your next exam and actions you can take to be prepared.

Credit Risk
Commercial credit risk remains moderate, but it is increasing in certain sectors of the commercial real estate (CRE) lending space. Borrowers in the multifamily and office sectors face ongoing stress from inflation-related expense increases and an inability to increase rents to offset them. Many CRE loans scheduled to mature over the next few years were written during the low interest rate cycle and borrowers now face significantly higher refinancing rates. This, coupled with potential cash equity injections related to depressed valuations, will further strain the ability to refinance.

While mortgage and consumer credit risk remains moderate; the threat of recession remains. If inflation persists and interest rates stay higher for longer, the consumer could begin to crack, exposing banks to greater credit risk in their retail portfolios.

To prepare banks can:

  • Assess the effectiveness of internal commercial loan risk grading and problem loan identification.
  • Identify types of CRE loans and sectors exposing the bank to specific risks.
  • Redouble loan review efforts, especially in risky industry sectors.
  • Assess staffing, experience and training of the bank’s workout teams.
  • Revisit allowance for credit loss models, capturing forward-looking risks and making adjustments for the current risk environment.
  • Stress test commercial and retail portfolios.

Market Risk
Increased competition for deposits continues to compress margins and cause previously sticky deposits to migrate to other bank and non-bank depositories, resulting in banks using higher-cost wholesale funding to support growth and further eroding margins. While the Fed lowered rates in September, the timing and extent of future cuts is unknown. Uncertainty with respect to interest rates, combined with depositor behavior makes it difficult for banks to model deposit rates, balances and mix. This poses increased market, interest rate and liquidity risk to banks.

Banks can prepare by:

  • Revisiting deposit model assumptions.
  • Assessing the effectiveness of current deposit pricing processes.
  • Revisiting interest rate risk and liquidity stress-testing scenarios.
  • Assessing liquidity contingency plans.
  • Assessing staffing and training of the bank’s treasury and finance team.

Operational Risk
Regulators find cybersecurity risk management increasingly important. The regulators identified weak or poorly configured authentication controls and practices as a continuing high-risk area in the industry.

While banks have always been exposed to a range of potential disruptive events, including system failures, cyberattacks, natural disasters, financial market disruptions and geopolitical crisis, increased interconnectedness and interdependence across the financial sector has elevated the risk. A third-party event could cause widespread disruption. Strong operational resilience at your bank includes identifying critical operations and core business lines and knowing how an internal disruption in one area or with a third party might affect other areas of your institution — and how you will respond.

Traditional payment channels — checks and wire transfers — remain fraud risks. The digitalization of financial services and the speed of processing transactions heightens the risk of fraud. Regarding consumer compliance, increased incidents of fraud and the bank’s response can increase the bank’s risk of Unfair or Deceptive Acts or Practices (UDAP) charges.

Third-party risk management has been an important risk area for the agencies for well over a decade now and continues to top the list. Effectively managing third-party relationships remains critical.

Ways to prepare include:

  • Assess cyber threat and vulnerability monitoring processes.
  • Revisit online and mobile access authentication controls.
  • Revisit operational contingency plans, focusing on resilience of critical operations and core business lines.
  • Assess the impact of various disruption scenarios, including severe and simultaneous multiple disruptions.
  • Assess internal fraud monitoring systems and controls.
  • Assess third-party relationship risk management processes in light of the OCC’s guidance.
  • Revisit consumer education processes and programs.

We are not suggesting that your next examination will be less than a full review of capital adequacy, asset quality, management, earnings, liquidity and sensitivity to market risk (CAMELS), but we believe it is likely that the regulators will pay particular attention to the described above. Forewarned is forearmed.