Through the lens of the COVID-19 pandemic, federal and state regulators on June 23 jointly issued guidance that outlines supervisory principles for financial-institution examiners.
Some areas of examination, including Asset Quality and Income & Liquidity, reflect special considerations to help banks navigate this unprecedented event. As evidence, the direction to examiners shows leniency from normal standards — “examiners will not criticize” and “institutions may allow borrowers affected by the pandemic to defer payment. …”
Bankers should note that there is no such leniency in the direction on Operational Risk, which regulators tag as heightened because of the pandemic. And, Operational Risk continues to be a component of the Management rating in the CAMELS rating system.
“Rapid changes in operational processes [including extensive work-at-home rollouts] and increasing fraud and cyber threats may result in a heightened operational risk environment,” the interagency guidance document reads.
The report notes that these modifications stress banks’ change-management processes and may require internal controls to evolve in response.
The guidance lays out these areas of operational risk where banks can expect more examiner focus on how management is assessing and implementing effective controls:
Vendor controls and service-delivery capabilities;
- Fraud and cyber threats;
- Remote work and teleconferencing;
- Cost-cutting, staffing and delayed updates.
Here’s a breakdown:
“Examiners will also review how management has assessed institutions’ third parties’ controls and service delivery capabilities post-crisis.”
“Examiners will assess actions management has taken to adapt fraud and cybersecurity controls to manage heightened risks related to the adjusted operating environment.”
Remote Work and Teleconferencing
“Examiners should review the use of remote work technologies and teleconferencing systems for work-at-home arrangements, along with elimination of physical controls present in many office environments.”
“Examiners will consider the impacts on the control environment from instances of imprudent cost cutting, insufficient staffing, or delays in implementing needed updates in their assessment of the institution.”
Collectively, the Operational Risk guidance confirms that regulators will be focusing on cybersecurity, pandemic planning and vendor management — all with a focus on assessing an institution’s ability to continue delivering financial services to customers.