June 30, 2022

OCC Highlights Risks Associated with Compliance Staffing Concerns, Russia Sanctions, Environmental Crimes, Cyber Attacks and Digital Assets


Key Takeaways

  • The OCC also believes compliance risk is “heightened” for Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control compliance.
  • It cautions that environmental crimes “have a strong association with corruption and transnational criminal organizations.”

On June 23, 2022, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (SRP) for spring 2022.  In the SRP, the OCC opines on its current safety and soundness concerns for banks under its regulatory umbrella, focusing on Russia sanctions, climate-related risk, and rising inflation.  Despite these challenges, the OCC believes that "[b]anks' financial condition remains strong and positioned to deal with the economic headwinds."

Of special note, the OCC also believes compliance risk is "heightened" for Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance because of world events and compliance staffing concerns.  In addition, the OCC warns that banks face an "elevated" risk of cyber attacks and fraud or cybersecurity risks related to digital assets.

BSA/AML Compliance Risks

The OCC devotes a paragraph to discussion of BSA/AML and OFAC concerns related to "environmental crimes."  The OCC decries the climate risk and pollution caused by such crimes.  And, echoing the Financial Crimes Enforcement Network's (FinCEN) recent notice on the same topic, the OCC cautions that environmental crimes "have a strong association with corruption and transnational criminal organizations."  We have blogged about this topic several times, from several angles, noting how these crimes are estimated to create hundreds of billions in illicit funds each year.  Like FinCEN, it appears that the OCC has this near the top of its priority list.

The OCC then zeroes in on another perennial concern: fraud in government relief programs.  Citing the Covid-19 pandemic and "recent natural disasters," the OCC characterizes fraud stemming from government relief programs as a "significant risk."  Anticipating that natural disasters will become more, rather than less, common, the OCC predicts long-term increased risk of fraud and urges banks to incorporate both environmental crimes and government relief fraud into long-term planning and risk assessments.  The OCC clearly thinks that BSA/AML and OFAC concerns will continue to haunt government relief programs.

In the first SRP since the Russian invasion of Ukraine, the OCC reminds banks that they must "assess the applicability" of the "complex and evolving" Russia sanctions "on their institutions and customers."  The OCC urges banks to consider both the impact on branches here and abroad as well as overseas offices and subsidiaries.  Hearkening back to two March FinCEN alerts on which we blogged, the OCC warns banks to "be vigilant against potential efforts to evade" sanctions and reminds banks that suspicious transactions may involve "real estate, luxury goods, and other high-value assets of sanctioned Russian elites and their family members and associates."  The OCC urges banks to use this as a springboard to increase efforts to detect foreign public corruption and kleptocracy.

The SRP notes that these compliance risks are currently more difficult to respond to because "[b]ank compliance functions also are experiencing challenges retaining and replacing staff."  It is no surprise that banks, like many other employers, are finding it difficult to hire and retain talent.  The SRP warns that "lack of access to subject matter expertise," funding cutbacks, over-reliance on third parties to assist in these critical functions, and telework are exacerbating compliance risk.

Cybersecurity Risks

The OCC has long been concerned with operational risks posed to banks from cyber attacks.  The SRP now estimates that operational risks to banks remain "elevated" because cyber attacks continue to "evolve" and "become more sophisticated."  Specifically, the OCC notes an increase in distributed denial of service (DDoS) attacks and ransomware campaigns directed at the financial services sector, including banks.  We noted the increase in ransomware attacks and ransomware-related SARs discussed in FinCEN's October 15, 2021 financial trend analysis on ransomware.

The OCC suggests "heightened threat monitoring" and "greater public-private sector information sharing" as two methods to combat DDoS and ransomware attacks.  The OCC states, as a practical matter, that banks should implement and regularly test backup systems to ensure operational resilience and require multifactor authentication and "timely patch management" to make it harder for cyber attackers to gain access.  These echo the suggestions of the Cybersecurity and Infrastructure Security Agency, a government agency within the Department of Homeland Security, in its recently announced Shields Up initiative.

Risks of Engaging with New Technologies, Including Distributed Ledger Technologies and Digital Assets

Finally, the OCC devotes significant time to cybersecurity and fraud risks related to digital assets.  While the OCC recognizes that new technologies, including distributed ledger technologies and digital assets, "can offer many benefits to both banks and their customers," the OCC believes new technologies are a common target for fraudsters.  Citing this risk of fraud and the possibility of cyber attacks, the OCC provides a number of suggestions for banks considering engaging with digital assets:

  • Banks should ensure that they have sufficient knowledge and expertise in the digital assets and the technology before engaging in new activity with digital assets;
  • Banks should pay special attention to distributed ledger or digital assets companies "delivering banking and bank-like products and services";
  • Banks should consider their size, complexity, and risk profile before engaging in new activity with digital assets;
  • Banks should engage in "appropriate due diligence, change management, and risk management processes" prior to engaging in new activity with digital assets;
  • Banks may need to consider whether "additional or different controls [are needed] to safeguard against fraud, financial crimes, violations of sanctions requirements and consumer protection and fair lending laws, and operational errors"; and
  • Finally, before engaging in certain activities with digital assets, banks supervised by the OCC should first obtain non-objection.

The SRP's bottom line: banks should be deliberate and do their due diligence when engaging with new technologies, including distributed ledger technologies and digital assets.

The OCC also promises greater clarity on regulation of digital assets to come in the future, likely a reference to the Sprint Initiative the OCC is engaged in with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation, on which we previously blogged.  The OCC is currently working to "develop a common vocabulary of terms" and "use cases and risks" to create "policy and supervision considerations" for digital assets for banks.  With only another vague reference to coming regulations, it remains to be seen what shape they will take and when they will be unveiled.
