In a press release, issued on November 1, the OCC announced that Morris Morgan, a senior OCC official, will take on a new role as Senior Deputy Comptroller for Large Bank Supervision on December 24. Morgan, a 31-year veteran of the OCC, has served as Examiner-in-Charge of a major bank, and PNC and Deputy Comptroller for Large Bank Supervision. In his new role, Morgan will serve as a member of the OCC’s Executive Committee and the Committee on Bank Supervision. He also will oversee operations of the OCC’s International Banking Supervision group and its London Office.
Comptroller Curry Discusses Importance of Effective Supervision Before Clearing House Annual Conference
In prepared remarks delivered on November 30 before The Clearing House Annual Conference in New York City, Comptroller of the Currency Thomas J. Curry discussed lessons from the 2008 financial crisis. Curry noted that he was “often disappointed how quickly some forget the lessons of more recent events, particularly what brought the financial system to the cliff in 2008 and what has put our banks and our economy on much firmer ground since.” His remarks emphasized the value of strong capital, the need for ample liquidity, and the importance of effective supervision.
In discussing capital, Curry noted that since the beginning of 2009, there has been a $700 billion increase in common equity capital. Such levels would allow the 33 largest bank holding companies to be well capitalized and continue lending even under the most severe scenario used by the banking agencies’ stress tests. He cautioned, however, that “[w]eakening the ratio through special exclusions only undermines our original intent and weakens the protection against excessive leverage.” Comptroller Curry similarly noted that the Liquidity Coverage Ratio and the proposed Net Stable Funding Ratio complement each other to push covered banks to hold ready resources to meet short-term cash outflows and to shift to more stable, longer-term funding.
On the subject of supervision, Curry noted the importance of “holistic supervision based on the CAMELS rating system.” He also added that while a periodic reassessment of banking laws and regulations is appropriate, “we must never settle for ‘light-touch’ supervision.” And, in concluding, Curry stressed that community banks and their examiners, in order to “remain strong and healthy,” need to “focus on strategic risk, rising credit risk from stretching for yield while relaxing underwriting standards, expansion of new technologies, and compliance issues.”
On October 26, the CFPB published Bulletin 2016-02 on service providers to amend previously issued guidance covered in Bulletin 2012-03. Bulletin 2016-02 seeks to clarify that supervised banks and nonbanks have flexibility in managing the risks of service provider relationships. Specifically, the CFPB advises that “the depth and formality of the risk management program for service providers may vary depending upon the service being performed —its size, scope, complexity, importance and potential for consumer harm—and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.” The CFPB plans to post Bulletin 2016-02 on its website on October 31, 2016.
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to assist financial institutions identify risks and to assess cybersecurity preparedness, use of the Assessment is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
On September 14, the OCC released its bank supervision operating plan for fiscal year 2017. The plan identifies the OCC’s priority objectives, which include: (i) commercial and retail loan underwriting; (ii) business model sustainability and viability; (iii) operational resiliency; (iv) BSA/AML compliance; and (v) processes to address regulatory changes. Moreover, the plan affirms that the OCC will look at each individual bank’s key risks, and will continue the process of stress testing, both for large banks and for midsize and community banks.