Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

OCC warns of crypto-asset and cybersecurity risks facing the federal banking system

Bank Regulatory Federal Issues Digital Assets Privacy, Cyber Risk & Data Security OCC Risk Management Cryptocurrency Supervision Third-Party Risk Management Fintech Financial Crimes Climate-Related Financial Risks

On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized” and have “ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.” The OCC highlighted interest rate, operational, compliance, and credit risks as key risk themes. Observations include: (i) the rising rate environment has adversely impacted bank investment portfolios; (ii) operational risk, including evolving cyber risk, is elevated, with “threat actors continuing to target the financial services industry with ransomware and other attacks”; (iii) compliance risk remains heightened as banks navigate significant regulatory changes; and (iv) credit risk in commercial and retail loan portfolios remains moderate and demonstrates resiliency, “but signs of potential weakening in some segments warrant careful monitoring.”

The report discussed emerging risks related to innovation and the adoption of new products and services, including crypto-assets. Highlighting risks arising from banks’ expansion into digital offerings and the “heightened” threat of fraud risk associated with innovative peer-to-peer payment platforms, the OCC noted that banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities” to mitigate threats and protect consumers. The report noted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”

The OCC reiterated the importance of taking a “careful and cautious approach” toward banks’ engagement with the crypto-related firms. Recent events in the crypto market have also “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.” The report noted that national banks and federal savings associations interested in engaging in crypto-asset activities should discuss the activities with their supervisory office before engaging the activities. Some activities may require a supervisory non-objection under OCC Interpretive Letter #1179.

The report cited risks related to cybersecurity and partnerships with fintech and other third parties. The OCC said it is applying a “heightened supervisory focus” to its scrutiny of banks’ oversight of third-party relationships and flagged an upward trend in ransomware attacks targeting banks’ service providers and other third parties. Partnering with fintechs to support operations or provide opportunities for customers to enter the digital asset market can “increase the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said, adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.” The OCC cautioned that banks must “conduct appropriate due diligence” before entering a partnership with a third party. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”

The report also discussed forthcoming climate risk management guidelines applicable to banks with more than $100 billion in total consolidated assets. As previously covered by InfoBytes, the OCC, Federal Reserve Board, and the FDIC announced they intend to issue final interagency guidance to promote consistency.