OCC Spring 2018 Semiannual Risk Perspective – Summary
The OCC’s National Risk Committee issues a Semiannual Risk Perspective, the most recent one highlighting financial data as of Spring 2018 (1). Below is a summary that highlights reporting which is pertinent to Commercial Loan Portfolio risk management.
Overall the economic environment is currently in a good place – Real GDP increased from 1.5% in 2016 to 2.3% in 2017, and loan growth and bank profitability were supported through 1Q2018. Bank financial performance improved from 2016 to 2017 through 1Q2018. Asset quality is sound (as indicated by current levels of delinquencies, nonperforming assets and losses). Earnings are improving, as capital and liquidity approach historic highs.
II) Bank Performance
Profitability on a pre-tax basis improved YoY through 2017. For the Federal Banking system, pre-tax income rose 4% in 2017, while net income declined 8.5% due to the effect of the Tax Cuts and Jobs Act (TCJA). For Banks with assets less than $1B, pre-tax income rose >7%., while net income was flat. Growth in net interest income increased by 6% for Banks with assets less than $1B through 2017, an improvement from the previous year. Higher net interest income was driven by increasing margins, higher loan volumes, and higher interest rates.
Credit quality improved at the largest OCC-supervised Banks, and notably, 4Q2017 was the seventh quarter of improvement. The 2017 weighted-average probability of default ended at 1.4%, a .2% decrease from the previous year. The ratio of classified commitments to total commitments ended at 2%, a .4% decrease YoY (please see figure below).
Special Topics in Emerging Risk
Rising interest rates introduced an increased uncertainty regarding deposits. Deposits fund a larger portion of bank balance sheets vs. pre-recession levels, and the mix has shifted to non-maturity deposits. Post-recession growth in deposits was fueled by customers seeking the safety of insured deposits, and due to the extended period of low interest rates.
For small and large banks, Banks Net Interest Margins (NIMs) have increased largely because of the ability to manage deposit costs effectively. Continued interest rate increase may lead to higher funding costs: economic growth fuels loan demand and competition for funding, while at the same time, customer expectations of higher returns pressure banks to raise deposit yields.
When interest rates rise, deposit costs typically increase as well; however, an increase in deposit costs during this tightening cycle have been modest. The bank loan-to-deposit ratio fell more than usual in the current cycle, leaving banks flush with liquidity. Banks use of more volatile and costly funding also remains low. Asset sensitivity had increased, and unlike deposit costs, yields on bank assets have risen along with interest rates.
III) Trends in Key Risk: Eased Underwriting, Elevated Operational Risk, Compliance Risk
A) Easing in Commercial Credit Underwriting Practices
The number of Matters Requiring Attention (MRAs) relating to commercial credit underwriting increased 24% from 1Q2017 to 1Q2018. Through 2017, there was a modest YoY shift away from conservative/moderate underwriting to moderate underwriting, with a slight uptick in moderate/liberal underwriting practices (please see figure below).
To elaborate, Banks continued to ease underwriting practices more than tightening; easing began to be observed in 2013 after a period of substantial post-recession tightening.
Eased underwriting was identified by familiar examples:
- Looser covenants
- Generous cash flow adjustments
- Limited or no guarantees
- Longer amortization periods
- Extended interest-only terms
- Higher LTV or advance rates
- Potential for increases in interest rates to impact “affordability of current debt service requirements or refinance ability, which has the potential to influence underwriting behavior and credit terms”
B) Operational Risk
The OCC examination results show that the following categories require continued diligence: cybersecurity controls, third party connections, third party service providers, resilience testing, and fraud and attempted fraud trends.
Cybersecurity controls: Malware and malicious links within emails help cyber criminals gather information or access networks. These methods are frequently a first step in perpetrating additional malicious crimes such as accessing confidential information, making unauthorized transactions, conducting espionage, or loading ransomware in order to elicit a ransom payment. To combat this, Banks should implement technical controls and conduct regular mandatory training for staff on their responsibilities and red flags to look for.
Third party connections: Third party network service providers are increasingly targets for cybercrime and espionage. If compromised, these systems may open up avenues to exploit Bank systems and operations. Understanding connections, system interfaces, and access entitlements is vital to assessing and implementing the appropriate controls to manage risk.
Third party service providers: Third party service providers are used for core systems and operations support, as well as more specialized services such as merchant-card processing, denial-of-service mitigations to prevent website shutdown or similar instances, asset management products and services, and so on. By outsourcing these services, banks can achieve greater economies of scale and streamline services offered. Use of third party service providers is increasing in order to provide consumers with these services which they’ve come to expect, and operations are increasingly concentrated in a few large service providers. However, regulators warn that continued increase in concentrated points of failure may ultimately result in systemic risk to the financial services sector.
Resilience testing: To defend against a cyberattack, which is a breach in a system’s security policy, banks must have a well-established and tested response plan as a defense. Banks’ focus on third-party risk management has resulted in fewer open concerns and Matters Requiring Attention (MRAs). Continued due diligence, change management, and ongoing monitoring is essential in continued mitigation of risk in this area. To assist Banks, the Financial and Banking Information Infrastructure Committee (FBIIC) put together a “Financial Sector Cyber Exercise Template”, which can be found here.
Fraud and attempted fraud: Fraud, or any attempt (successful or otherwise) to deceive another for financial gain, is on the rise according to multiple industry trends. This is due to the rapidly changing business environment and a rise in faster payments, mobile payment solutions, and emerging technologies and delivery channels, robust internal controls are essential in avoiding losses. Leading industry practices include a comprehensive risk assessment, proper internal controls, layered protective solutions, along with communication and coordination with peers and law enforcement can serve to mitigate this risk.
C) Compliance Risk
New Technology Offerings
New technology offerings and evolving criminal methods result in high Bank Secrecy Act (BSA), Anti-Money Laundering (AML), and Office of Foreign Assets Control (OFAC) compliance risk. Banks face challenges in complying with BSA requirements because of complex and dynamic money-laundering and terrorism-financing methods. New technological platforms within the financial services industry increase customer convenience and increase access, but also present vulnerabilities that criminals can exploit for money laundering.
The OCC continues to find instances where banks have not adjusted or realigned BSA/AML/OFAC risk assessments to reflect changes in risk profiles resulting from multifaceted factors. Regulators consider a sound risk assessment the bedrock of an effective BSA/AML program, as a basis to identify coverage management processes, such as excluding the Bank’s compliance function from decisions involving changes in product or service offerings.
Amendments to Regulations
Amendments to regulations continue to challenge compliance management systems. Changes to the Home Mortgage Disclosure Act (HMDA) have required banks to significantly enhance their data collection and reporting systems in 2017 and 2018 to meet regulatory obligations. For all covered applications in which banks take action on or after January 1, 2018, covered banks must collect information related to 110 data fields, as compared with the 39 fields required for applications before 2018.
The amended Military Lending Act (MLA) expands protections provided to service members and their families covers a wide range of credit products. The types of charges that must be counted toward the military annual percentage rate limit are more inclusive than the finance charges counted toward the annual percentage rate under the Truth In Lending Act (TILA). The amendments have the potential for significant compliance, credit, and reputational risk exposure, including violations of the MLA and potential for voiding the credit agreement if the military annual percentage rate exceeds 36%. Rising interest rates could present challenges to Banks focused on providing loan products to service members and their families.
Most OCC-supervised Banks have mortgage products subject to the integrated disclosure requirements under TILA and Real Estate Settlement Procedures Act (RESPA). Common concerns among regulators relate to accuracy of loan estimates, closing disclosures, and inaccurate timing and tolerance violations, which can result in reimbursements and rescissions. Noncompliance could result in statutory damages, civil liability and reputational risks.
Compliance Management Systems
Some compliance management systems are not evolving at the pace of risks. Two primary concerns are (1) Bank internal quality assurance and risk assessment processes that support these systems, and (2) the ability to maintain sufficient compliance expertise to manage additional risks and complexities. Many large and midsize Banks (and to a lesser degree community Banks) are affected by the evolving and complex nature of consumer compliance risks.
While the pace and intensity of regulatory changes has slowed, compliance management systems still experience challenges related to heightened attention to consumer protection, complex regulatory structures and uncertainty, M&A activities, new products and services, increased reliance on third parties, and compliance aptitude challenges.
IV) Supervisory Actions
A) Number of Banks Rated 4 or 5 is Declining
The number of OCC-supervised banks classified (2) as “seriously deficient” or “critically deficient” has declined 14% YoY through the end of 2017, but the number remains slightly above pre-recession levels (please see chart below). Many factors contribute to the decline, but especially M&A activity, failures or liquidations, and rating upgrades due to recapitalizations and improved risk management.
B) Outstanding MRA Concerns Are Declining
The OCC communicates supervisory concerns in the form of Matters Requiring Attention (MRAs) or to a more serious exent, Enforcement Actions (EAs). Supervisory concerns include practices that deviate from sound governance, internal control, or risk management principles. As of 1Q2018, top three MRAs were Operational, Credit, and Compliance. This was true for community, midsize, and large Banks, but in higher percentages of each classification for large banks. The number of outstanding MRA concerns peaked in 2012 and declined steadily through 4Q2017, to the lowest level since 2006, as shown in the chart below.
Outstanding Enforcement Actions Have Declined Since 2010
The OCC uses EAs to address more severe deficiencies requiring corrective action. Most recently, Compliance or Operational failures have resulted in a number of EAs; these address a lack of appropriate governance, oversight, and risk management systems and controls.
Generally, action is taken as a result of:
- Violations of laws or regulations
- Deficient practices which are unsafe or unsound
- Violations of final orders, conditions imposed in writing, or written agreements entered into with the OCC
- Posted by Justin Hill
- On Thursday June 21st, 2018
- 0 Comments