OCC Warns Federal Banking System of Crypto & Cybersecurity Risks

Richard Marley

December 15, 2022

The OCC has warned the federal banking associations, branches and agencies on crypto-asset and cybersecurity risks in its Semiannual Risk Perspective Report for Fall 2022

On the 8th of December, the OCC (Office of Comptroller of the Currency) released its Semiannual Risk Perspective for Fall 2022, highlighting significant security concerns arising from crypto assets. According to the report, the banks will remain well-capitalised and “have ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.”

The report mentions the interest rate, operations, compliance and credit risks as key concerns.

The observations targeted the following risks:

The increasing rate of the environment has adversely impacted investment portfolios.
The evolving cyber risk that “threat actors continue to target the financial services industry with ransomware and other attacks.”
The compliance risks remain heightened as banks navigate prominent regulatory changes.
The credit risk for commercial and loan portfolios demonstrates resilience, “but signs of potential weakening in some segments warrant careful monitoring.”

Furthermore, the report discusses emerging threats related to innovation and the adoption of new products covering crypto-assets.

It also shed light on the risks arising from banks for digital offerings and heightened the threat of fraud risk associated with the P2P payment platforms.

The OCC highlighted that the banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities.” to eliminate the threats to consumer protection.

The report further highlighted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”

The OCC reiterated the significance of a cautious approach towards banks’ engagement with crypto-related firms.

Also, the recent events in the market “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.”

The report mentioned that national banks and savings associations that engage in crypto transactions should discuss the activities with the supervisory office before engaging in the activities.

The report cited significant risks associated with fintech partner firms and cybersecurity. OCC said it is applying a “heightened supervisory focus” of its scrutiny for financial firms’ oversight to other third parties.

Partnering with fintechs or supplying new opportunities for consumers to enter the digital asset market leads to an “increase in the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said.

Adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.”

The OCC warned that banks must perform appropriate due diligence before partnering with any third-party association. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”

Lastly, the report also discussed forthcoming climate risk management and guidelines that apply to banks with more than $100 billion in total consolidation.