On September 14, the OCC released its bank supervision operating plan for fiscal year 2017. The plan identifies the OCC’s priority objectives, which include: (i) commercial and retail loan underwriting; (ii) business model sustainability and viability; (iii) operational resiliency; (iv) BSA/AML compliance; and (v) processes to address regulatory changes. Moreover, the plan affirms that the OCC will look at each individual bank’s key risks, and will continue the process of stress testing, both for large banks and for midsize and community banks.
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. The Assessment was developed to help financial institutions identify risks and assess cybersecurity preparedness, and its use is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
From September 19 through September 21, the OCC will host a “Building Blocks for Directors” workshop in St. Louis for directors of national community banks and federal savings associations supervised by the OCC. OCC supervision staff will lead the workshop, which will focus on directors’ duties and responsibilities, relevant laws and regulations, and increasing understanding of the examination process. The OCC is limiting the workshop’s capacity to the first 35 registrants.
On July 11, the OCC released its Semiannual Risk Perspective for Spring 2016, which generally provides an overview of supervisory concerns for the federal banking system and specifically presents data as of December 31, 2015 in the following areas: (i) operating environment; (ii) bank performance; (iii) key risk issues; and (iv) regulatory actions. Similar to the fall 2015 report, the current report identifies cybersecurity, third-party vendor management, business continuity planning, TRID, and BSA/AML compliance, among other things, as key areas of potential operational and compliance risk. Further, the report highlights the new Military Lending Act rule, effective October 3, 2016, as a new key potential risk. According to the report, the OCC’s supervisory priorities for the next twelve months will generally remain the same; moreover, the outlook for the OCC’s Large Bank Supervision and Midsize and Community Bank Supervision operating units will remain broadly similar.
On June 22, the OCC named Beverly Cole its Deputy Comptroller for Compliance Supervision. Effective July 2016, Cole will serve as the operational executive responsible for developing and promulgating compliance operational protocols, examination strategies, and schedules. Cole started at the OCC in 1979 as an Assistant National Bank Examiner. In 1984, she left the OCC to work in the banking industry, but she returned to the OCC three years later. Throughout her tenure with the OCC, Cole has served in various supervisory roles overseeing banks of all sizes.