© 2024 Arizent. All rights reserved.
Regulation and compliance

OCC's Hsu says agencies eyeing new operational risk standards for banks

By   Ebrima Santos Sanneh
About Ebrima Santos
EbrimaSSanneh
ebrima.sanneh@arizent.com
ebrima-santos-sanneh-2734b3146
March 12, 2024, 10:56 a.m. EDT 2 Min Read
Michael Hsu
Michael Hsu, acting director of the Office of the Comptroller of the Currency, said in a speech Tuesday that regulators are looking at issuing a rule to govern operational risk at the largest banks to provide more certainty and enforceability around risks related to disruption of a bank's day-to-day operations.
Bloomberg News

WASHINGTON — Acting Comptroller of the Currency Michael Hsu said Tuesday regulators are working on baseline operational risk standards for large banks' "critical operations" and contingencies related to third-party service providers. 

Hsu's remarks — delivered to a crowd at the Institute of International Bankers' Annual Conference in Washington, D.C. — shed light on the increasing complexity of banking today and the associated operational risks. Hsu noted such a rule would be issued with input from interested parties including the banking industry though a notice-and-comment process under the Administrative Procedure Act.

"Such baseline requirements could include establishing clear definitions for identifying critical activities and core business lines; defining tolerances for disruption; requiring testing and validation of resilience capabilities; incorporating third-party risk management expectations; stipulating clear communication expectations among stakeholders and counterparties; and addressing expectations for critical service providers, with emphasis on governance and risk management expectations," Hsu said.

Operational resilience refers to the durability of a bank as it undergoes disruptions in the continuous functions of its business. Examples of operational disruptions vary from outside factors like extreme weather events to personnel errors like insufficient risk management or data breaches. Regulators — and the OCC in particular — have raised the issue as a priority over the last year, including fining City National bank last month for insufficient operational risk controls. One of the Biden administration's regulators' major efforts — an embattled capital reform proposal dubbed Basel III endgame — also requires banks to put up additional capital as a buffer against operational risk.

In October 2020, the banking agencies issued an interagency paper consolidating standing guidance for banks on operational risk. In 2023, the agencies issued interagency guidance on third-party risk management, a crucial component of operational risk mitigation. The OCC's December 2023 Semiannual Risk Perspective also prioritized tackling operational risk in the year ahead as a regulatory priority. 

federal-reserve
Federal Reserve
Fed finalizes risk management rule for 'financial market utilities'
March 8, 2024 1:01 PM

While the agencies have provided guidance on operational risk, Hsu suggested enforceable regulations could more sufficiently account for risks in banks' particularly "critical operations." A major issue to tackle in any proposal, he says, will be defining which systems are considered critical as well as how regulatory expectations will scale according to the kind of operational incident involved. 

"The provision of banking services increasingly resembles global manufacturing supply chains, with their efficiencies, complexities and vulnerabilities," Hsu noted. "The threat surface for disruptions expands, and as authorities in other jurisdictions begin implementing their rules to ensure operational resilience, we are assessing and working with our interagency peers to develop the right approach here in the U.S."

Ebrima Santos Sanneh
Reporter, American Banker
For reprint and licensing requests for this article, click here.
Regulation and compliance Politics and policy Risk management
MORE FROM AMERICAN BANKER