US regulator privately finds weak risk-management at half of large banks

A key US regulator has privately determined that half of the major banks it oversees lack a comprehensive understanding of various risks, including cyber threats and employee errors, according to sources familiar with the matter.

In confidential assessments, the Office of the Comptroller of the Currency (OCC) found that 11 of the 22 large banks it supervises have “insufficient” or “weak” management of operational risk. These assessments are based on a five-point scale, with about one-third of the banks scoring three or lower, indicating significant concerns over their risk management practices. This follows a series of failures last year that have heightened regulatory scrutiny on the nation’s largest banks.

Operational risk encompasses a broad range of threats beyond loan defaults or market fluctuations, including employee mistakes, legal issues, natural disasters, and technological failures. Banks are required to present plans to manage these risks and maintain capital reserves against them, a requirement that has been challenging to quantify compared to credit or market risks.

The OCC’s operational-risk assessment contributes to its CAMELS ratings, which evaluate banks on capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk. These ratings influence the level of regulatory scrutiny and capital requirements for each bank.

The OCC, while not commenting specifically on the confidential findings, noted that Acting Comptroller Michael Hsu has consistently highlighted the need for banks to avoid complacency and actively manage risks to maintain trust in the federal banking system.

In congressional testimony in May 2023, Hsu stressed the importance of “timely and forceful supervisory action” and reviewed the agency’s processes following last year’s bank failures, none of which were under OCC supervision. The OCC considers operational risk the “broadest component” of its supervisory framework, essential for managing the evolving and complex operational environment.

Last year, the OCC, along with the Federal Reserve and Federal Deposit Insurance Corporation, issued guidelines for banks on mitigating risks from third-party vendors, particularly those utilizing new technologies. These agencies have also emphasized the need for banks to monitor the risks associated with outside artificial intelligence tools.
