On September 28, 2017, the Office of the Comptroller of the Currency (OCC) released its Fiscal Year 2018 Bank Supervision Operating Plan, aka NR 2017-113. Thanks for the acronym fun… but what does that really mean? It means that if you are a compliance officer, risk manager or third party risk manager, you should be paying very close attention.
Areas of Focus for 2018
In the advisory, the OCC identifies several areas of focus – none of which should come as a surprise, if you’ve followed the events of 2017 closely. Among these priorities are:
- Cybersecurity and operational resiliency
- Commercial and retail credit loan underwriting
- Business model sustainability
- BSA/AML compliance management
- Change management to address new regulatory requirements
You can find the entire bulletin as well as the supporting documentation here.
Vendor Management Expectations for 2018
Wait! Did we hear a yawn and see a shrug from the folks in third party risk management? Wait a second – you have lots to read yourselves. In fact, there’s an entire section devoted to Service Providers and specific expectations.
In total, Service Providers and third parties are referenced over 60 times in the document. That’s right – 60 – as in approximately the same leap in heart rate that we experienced when we read that.
Now, we shouldn’t find that surprising. After all, we could have seen it coming: numerous UDAAP (Unfair, Deceptive or Abusive Acts and Practices) enforcement actions throughout the year, many with third party implications; updated OCC guidance in Bulletins 2017-7 and 2017-21 on third party risk management; and the alarming Equifax data breach.
On top of that, as we noted in a special advisory a few months ago, both the FDIC and OCC internal reports have been highly critical of lapses in third party oversight activities during examinations.
Next Steps to Prepare
Now is the time to start preparing for 2018 – a few key steps we’d strongly recommend:
- Review your policy and program document for any items that need to be updated
- Review your last internal audit and examination reports for any deficiencies that need to be addressed
- Review recent enforcement actions and use that as a lens to examine your own practices
- Read carefully Bulletins 2017-7 and 2017-21 – they are practically the playbook for the upcoming examinations. In fact, one is the supplemental examination guide for third party risk management – doesn’t get much more plain English than that as to what they’ll be expecting
- Consider the adequacy and training of your staffing
- Make sure your processes are thoroughly documented and can be evidenced in actual work products
- Read the Bank Supervision Operating Plan in detail – it’s only 8 pages long but much of it will be very instructive in terms of particular things you may wish to consider unique to your own institution
We have published lots of material on all of these topics throughout the year and the OCC, to its credit, is telling us precisely the things they’ll be looking for. Each institution is different, each one has its unique strengths and weaknesses, so it’s important that you develop detailed plans around the OCC guidance, particularly the supplemental examination guide.
Finally, lest you think we’re warning you far too soon – remember, the government fiscal year 2018 actually started October 1, 2017, and while your exam may be months away, it’s never too soon to think in terms of 2018 priorities.