From Banking and Finance Law Daily, January 16, 2015

Cybersecurity, large institution standards, bank culture touted as OCC priorities

By Andrew A. Turner, J.D.

Comptroller Thomas Curry focused on improving the readiness of banks in the area of cybersecurity, heightened standards for large institutions, and the relationship between healthy organizational culture and sound risk management practices, in presenting the Office of the Comptroller of the Currency’s 2014 Annual Report.

Cybersecurity. Complexity and interdependence create opportunities for cyber attackers to gain access to the systems of financial institutions and the third-party vendors that provide services to the industry. Not only do financial institutions need to have good controls over their own systems, Curry warned, they also need to monitor carefully the ways in which they connect to third-party vendors, how those vendors manage their systems, and how they connect to still other third parties. Financial institutions need to be aware of ways in which even their own employees may create opportunities to compromise systems, by introducing personal (and possibly corrupted) devices into bank networks. In a highly interconnected environment, it can be very difficult to identify and address all of the potential vulnerabilities a bank might face.

Standards for large banks. Another point of emphasis for Curry is raising the bar for management and corporate governance in the largest and most systemically important banks and thrifts. Guidelines are aimed at ensuring that banks have the risk management framework and board oversight needed to address the whole range of risks that banks face, including cyber and other operational risks.

OCC guidelines, in Curry’s view, require each large institution to define its capacity and appetite for risk and to establish a framework to ensure that risk is being properly controlled within those approved appetite limits. Embedded in the guidelines is the expectation that the risk management and control functions at the large banks covered by the rules are sufficiently robust for each institution’s size, complexity, and risk profile. Each bank is expected to ensure that its risk profile is easily distinguished and separate from its parent company for risk management and supervisory reporting purposes and that the safety and soundness of the bank is not jeopardized by its parent company’s decisions. A bank’s board of directors is expected to hold management accountable for meeting these standards, and, when necessary, provide a credible challenge to management.

Risk culture. Next, Curry turned to the need for senior management to foster a strong and healthy risk culture that promotes responsible business practices, guards against excessive or improper risk taking, and encourages employees to act in the best interests of the whole organization and its customers.

Without a strong risk culture, a bank might enter new markets or introduce new products without proper due diligence. It might lose sight of the risks of pursuing earnings and growth at any cost. And the absence of a strong risk culture can lead employees to subordinate ethical considerations or the interests of the organization to their own compensation. The OCC is looking to boards of directors and the senior management of the large banks to set the tone at the top that leads to a healthy organizational culture that discourages improper practices and excessive risk taking.

Year in review. Overall, OCC-supervised banks and savings associations achieved noteworthy gains in 2014. In aggregate, these banks logged improvement in loan growth, net income, and asset quality, as the economy rebounded and unemployment trended downward. Significantly, community banks—generally defined as banks with total assets under $1 billion—saw better performance than in previous post-crisis years.

Changing complexion of risk. Operational risk has been viewed as one of the OCC’s foremost concerns since the financial crisis demonstrated how lapses in risk management, internal audit, and corporate governance erode safety and soundness. The report reviewed regulatory efforts addressing operational concerns involving third-party relationships, cybersecurity, the Bank Secrecy Act, consumer protection, and the Community Reinvestment Act.

Changing regulatory environment. The report also discussed OCC progress in fulfilling Dodd–Frank Act requirements and completing other rules intended to achieve the law’s broad objective of promoting transparency, financial stability, and market integrity. Actions taken related to OCC-OTS integration, the Volcker Rule, swap margins, liquidity, capital, heightened standards for corporate governance and risk management, and diversity.
