Another CrowdStrike in the making? Leaked document finds half of U.S. banks fall short in risk management
Half of major U.S. banks have "weak" or "insufficient" risk management, according to a confidential assessment by a key banking regulator.
The Office of the Comptroller of the Currency (OCC) found that 11 out of 22 banks fell short in managing operational risks like cyber threats, technological failures, and human errors.
About one-third of these banks received a subpar rating of 3 or worse on a 5-point scale for overall risk management.
This information isn’t available to the public, but Bloomberg broke the story this week, citing anonymous sources.
The timing is noteworthy—just days after a global computer systems outage affected just about every sector, including aviation, healthcare, shipping, and—you guessed it—finance.
The report raises serious questions about whether American banks are ready for the diverse set of threats they face today.
The OCC declined requests for comment. But in a statement, Acting Comptroller Michael Hsu said he had "consistently discussed the need for banks to guard against complacency and actively manage their risks," which he said is required to "build and maintain trust in the federal banking system."
What is operational risk?
The OCC's oversight spans institutions from regional banks with $50 billion in assets to trillion-dollar mega-banks. The regulator considers operational risk to be the most wide-ranging aspect of its supervisory framework.
As banks increasingly rely on evolving technologies, this category has become a catch-all for a variety of potential threats, including cyber attacks, human errors, legal battles, and even natural disasters.
Banks are required to demonstrate that they can effectively manage these risks and maintain sufficient capital to handle potential operational failures.
While individual bank ratings remain confidential, the OCC uses aggregate data to identify and address areas of concern across the banking industry.
Banks aren't thrilled about operational risk assessments because they're dealing with a moving target. Unlike loans going bad or market swings, it's tough to put a number on the risk of a cyber attack or an employee's mistake.
Nonetheless, when half of the assessed banks fall short in this area, as the OCC's findings suggest, it raises serious concerns about the sector's resilience.
These operational risk assessments contribute to a broader evaluation known as CAMELS ratings, which examine banks' capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk.
Banks under intense scrutiny
The OCC's findings come at a time when the banking sector is under intense regulatory scrutiny following a series of high-profile bank failures last year, including Silicon Valley Bank, Signature Bank, and First Republic Bank.
Last year, the OCC, Federal Reserve, and Federal Deposit Insurance Corp. released new guidance for banks on mitigating risks from third-party vendors.
This guidance is focused on the use of new technologies, which may present elevated risks to financial institutions.
Even before the recent OCC findings, regulators were signaling a need for stricter oversight. In May 2023, Hsu testified before Congress and emphasized the need for "timely and forceful supervisory action."