A top U.S. regulator has privately found that half of the big banks it oversees have not fully understood a wide range of potential risks from cyberattacks to employee misconduct, according to people familiar with the matter.
In a private assessment, the Office of the Comptroller of the Currency said 11 of the 22 largest banks it oversees have “deficient” or “weak” management of so-called operational risk, said the people, who asked not to be identified because the information is private.
That helped contribute to roughly a third of banks receiving an overall rating of three or less on a five-point scale, according to people familiar with the matter, the latest sign that U.S. regulators are worried about the risk levels of the nation’s biggest banks after a string of failures last year.
Operational risk is one of the categories under which regulators assess the overall risk of the banks they supervise. While each bank’s individual ratings are closely monitored, regulators may also use aggregate data on bank ratings to highlight areas of concern in discussions with other agencies and the industry.
At the OCC, operational risk assessments are reflected in a report card called the CAMELS rating, which rates companies on a scale of 1 to 5 for each of the following factors: capital adequacy, asset quality, management, earnings, liquidity and susceptibility to market risk. These grades create an overall rating that determines the degree of scrutiny and latitude a company faces, including what activities it can engage in and how much capital it should hold.
The OCC did not comment specifically on the findings of its private investigation. In a statement, Acting Superintendent Michael Hsu said he has “consistently discussed the need for banks to remain vigilant and proactively manage risks in order to build and maintain confidence in the federal banking system.”
Operational risk is intended to cover a range of potential threats to banks beyond market fluctuations that result in loan defaults and losses. This could include everything from employee mistakes and legal troubles to natural disasters and technology problems. Banks must show regulators plans to manage these risks and must hold capital to cover such threats. This requirement has long been debated because operational risk is harder to measure than credit or market risk.
The tough ratings are the result of intense regulatory scrutiny following record bank failures last year, after which regulators vowed to do more to identify and address problems. The OCC’s major bank portfolios include everything from regional banks with at least $50 billion in assets to multi-trillion-dollar megabanks.
In congressional testimony in May 2023, Hsu said that while none of the failed banks were under the OCC’s supervision, he reviewed the OCC’s processes and stressed the need for “timely and robust supervisory action.”
The agency calls operational risk the “broadest component” of the supervisory framework, acting as a kind of catch-all as the technology on which banks rely evolves. In a report last month, the OCC said that aspect is “elevated” as the industry responds to an “evolving and increasingly complex business environment.”
Last year, the OCC, the Federal Reserve Board and the Federal Deposit Insurance Corporation issued guidance to banks on how to mitigate risks from third-party vendors. “The use of third parties, particularly those using new technology, can increase risks,” it said, and instructed banks how to monitor such activity.
Authorities stepped up measures earlier this year, issuing warnings about the use of external artificial intelligence tools.