An interview with U.S. Comptroller of the Currency Thomas J. Curry
Federal banking regulators are always alert to emerging safety and soundness issues. U.S. Comptroller of the Currency Thomas J. Curry offers a brief update about a few current regulatory issues on his mind, including his agency’s concerns about signs of growing credit risk throughout the banking industry.
IB: Why is the Office of the Comptroller of the Currency so concerned about credit risk today?
Curry: We’re at the point in the business cycle where it’s harder and harder to find creditworthy borrowers. As a result, banks that want to grow their loan portfolio typically begin to relax their underwriting standards and take on customers they would not have considered at an earlier point in the cycle. Our examiners report that they are finding weaker protective covenants, extended maturities and a layering of risks in loan portfolios. We are also seeing larger loan concentrations, without concurrent increases in reserves.
The OCC’s 2015 “Survey of Credit Underwriting Practices” found, for the third consecutive year, that more banks are easing underwriting standards for commercial and retail loan products, than tightening. We are encouraged by those institutions that are building loan-loss reserves or properly managing credit risk, but we’re not seeing this kind of prudent management across the board. So our examiners will be vigilant in evaluating credit risk, and banks of all sizes should be as well.
Having said that, I believe very strongly that community banks have a bright future, and they don’t need to ease or lower their standards to build market share. Consumers and business rely on local banks to meet their financial service needs. What’s important is that community institutions take steps now to ensure that they remain strong and vibrant, and capable of continuing to play this vital role.
IB: What steps should community bankers take to ensure their institutions are secure from cyberattacks?
Curry: Hackers, both criminals and terrorists, are demonstrating resourcefulness and sophistication in their attacks. They are finding ways to compromise bank employees, third-party vendors and system credentials, and operate inside bank systems without detection.
To combat this malicious activity, management has to analyze, understand and measure their institution’s risk and readiness as part of a solid risk-management culture. This is the premise behind the creation of the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool. The assessment tool provides a repeatable process to help banks determine their cybersecurity preparedness. I believe the tool is an important step toward keeping an institution’s IT environment secure.
Use of the assessment tool is optional for financial institutions. However, OCC examiners will use it to supplement exam work to gain a more complete understanding of an institution’s inherent risk, riskmanagement practices and controls related to cybersecurity.
We need to be vigilant and continuously enhance our ability to prevent, detect and recover from cyberincidents. Because community institutions are often very dependent on third parties for information technology support, it is essential they work together with their user groups to gain as complete a perspective as possible of their service providers. I would also recommend that you exercise your incident response protocols to ensure you have the ability to identity and respond effectively and efficiently to incidents, including your ability to inform your regulator, third parties, the [Financial Services Information Sharing and Analysis Center] and law enforcement.
IB: What is the OCC doing to help reduce excessive regulatory burdens on community banks?
Curry: Most of my regulatory career has been devoted to community bank supervision, and I know that unnecessary regulation saps the strength of community banks. To help community banks and thrifts remain a vibrant part of their communities, we need to do everything we can to reduce unnecessary regulatory burden.
We have shared three proposals with Congress that I believe will help.
First, we proposed a measure that would allow a greater number of community banks to qualify for the 18-month examination cycle. I’m pleased that legislation to do just that was approved by Congress and signed into law by the president.
Second, we recommended that most community banks should be exempted from the Volcker Rule.
And finally, we proposed that thrifts be given the flexibility to expand their business model without going through the time and expense of changing their governance structure or charter.
It’s important to recognize that all regulation, by its nature, carries burden. My concern is with needless burden that doesn’t achieve significant public policy objectives. At the OCC, we have worked to reduce burden where we have the discretion by making rules and guidance more transparent and easier to understand. We have also clarified up front whether a rule applies to community banks so that smaller institutions don’t even need to look at regulations that apply only to large institutions. When creating rules, we consider transition periods for implementation, postponements and staggered implementation to make it easier for community banks to meet new requirements.
In December, financial regulators completed outreach meetings that we held under the Economic Growth and Regulatory Paperwork Reduction Act as part of our review of existing rules and regulations. While we are carefully reviewing all of the comments received over the last year, we will not necessarily wait to complete the entire review before acting on ideas that make the most sense. I can tell you that all of us here are committed to doing everything possible to eliminate unnecessary regulatory burden, acting on issues within our control and working closely with the other agencies where joint action is required.
IB: What are the OCC’s expectations for Bank Secrecy Act compliance?
Curry: We know that monitoring for Bank Secrecy Act and anti-money laundering laws is difficult and requires significant resources. However, we cannot allow criminals and terrorists to misuse our federal banking system, so compliance with these laws serves a vital national interest. BSA compliance will remain among the OCC’s top priorities this year.
BSA risk is migrating from large internationally active banks to banks of all size. Bankers need to focus on their internal activities and ensure they devote sufficient resources and expertise to incorporate appropriate controls as products and services have evolved.
At the same time, the OCC expects banks to assess the risks posed by individual customers on a case-by-case basis and implement controls to manage the relationships commensurate with these risks. As a general matter, the OCC does not direct banks to open, close or maintain individual accounts, nor does the agency encourage banks to engage in the termination of entire categories of customer accounts without regard to the risks presented by an individual customer or the bank’s ability to manage the risk.