Fraud As An Operational Risk For Banks
Operational risk is a continuing and increasing focus of the Office of the Comptroller of the Currency, and, as a result, it needs to be a greater priority of the institutions it regulates. The OCC publishes a "Semiannual Risk Perspective" that addresses key issues facing banks and other federally chartered institutions.
In recent years, the OCC has categorized operational risks as elevated as banks respond to an evolving and increasingly complex environment. The OCC defines operational risk as the risk to current or projected financial conditions and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.
Much of the attention regarding operational risk understandably has been focused on cybersecurity risk and third-party relationships. However, the OCC has also identified increases in fraud and fraud attempts as drivers in increased operational risk since at least early 2018.
Semiannual Risk Perspectives
In the spring 2018 "Semiannual Risk Perspective," the OCC noted that multiple industry reports revealed rising trends in attempted fraud and successful fraudulent transactions. Consequently, the OCC encouraged banks to take note of and implement leading industry practices to address these fraud risks, e.g., comprehensive risk assessments, effective internal controls and layering multiple protective solutions to prevent and deter fraud. Fraud detection and response programs are important fraud risk-management considerations.
Moreover, the agency noted that effective third-party risk management is especially important when banks rely on third parties for fraud prevention and detection solutions. More recent semiannual reports reinforce the agency’s concerns about fraud and have noted that lapses in risk governance can increase a bank’s risk profile and elevate the risk of fraud and operational losses.
OCC Bulletin – Fraud Risk Management Principles
In light of the rising concern about operational risk and coming out of certain high profile matters, the OCC published "OCC Bulletin 2019-37 — Fraud Risk Management Principles." The bulletin is directed at all OCC-regulated banks and provides a road map of the agency’s expectations regarding risk management, fraud risk measurement and monitoring, fraud response and reviews and audits. It supplements existing OCC guidance, including the Comptroller’s "Handbook on Corporate and Risk Governance," and interagency guidance.
The bulletin highlights key risk-management principles:
- A bank should have sound corporate governance practices that instill a corporate culture of ethical standards and promote employee accountability;
- A bank’s risk management system should include policies, processes, personnel and control systems to effectively identify, measure, monitor and control fraud risk consistent with the bank’s size, complexity and risk profile;
- A bank’s risk management system and system of internal controls should be designed to (1) prevent and detect fraud and (2) appropriately respond to fraud, suspected fraud or allegations of fraud;
- Bank management should assess the likelihood and impact of potential fraud schemes and use the results of this assessment to inform the design of the bank’s risk management system;
- Senior management and the board of directors should measure, monitor and understand fraud losses across the enterprise and employ tools that appropriately quantify and assess loss experience and exposure; and
- Control reviews and audits should include fraud risk as part of their assessments.
An effective fraud risk-management approach is one that focuses on the above objectives and is appropriately integrated into the bank’s risk management system. The OCC expects a bank’s board to oversee management’s establishment and maintenance of the bank’s risk management system through its risk governance framework. Fraud risk management framework should correspond with the bank’s size, complexity and risk profile.
The OCC expects boards and senior management to set the tone at the top and actively engage in the governance of fraud risk. The OCC expects institutions to assess how effective its risk management strategy is working and how its strategy fits within its current business plan.
In a likely reference to recent sales-practice scandals, the OCC noted “A sound corporate culture should discourage imprudent risk-taking. Incentives or requirements for employees to meet sales goals, financial performance goals, and other business goals, particularly if such goals are aggressive, can result in heighted fraud risk.”
As set forth in the Comptroller’s "Handbook on Governance," boards should adopt a written code of ethics to foster a culture of integrity and accountability. In addition, the code should set forth the board and management’s expectation of timely and confidential communication of suspected fraud, misconduct or abuse to a higher level within the bank.
In addition to the code of ethics, the bank’s policies, processes and controls should prompt appropriate and timely investigations into, response to and reporting of suspected fraud. Reporting mechanisms should ensure that relevant, accurate and timely fraud-related information from all lines of business to appropriate oversight channels within the bank, other financial institutions as appropriate and to law enforcement as required by the law.
Senior management should frequently review the potential impact for fraud and modify their systems, processes and policies accordingly. The OCC expects firms to utilize software and other technological tools as part of an effective fraud risk management program that can predict fraud and implement preventive and detective controls. The bulletin provides examples of controls and metrics that can be used to monitor and deter fraud.
As noted in the bulletin, audit also plays a key role in a bank’s fraud risk management. Reviews and audits should typically include:
- Quality-assurance and quality-control reviews;
- Independent risk-management reviews;
- Internal and external audits;
- Retrospective reviews after fraud is identified; and
- Third-party relationship audits (consistent with contractual provisions).
While conducting reviews and audits, auditors and others conducting such reviews must report significant issues, including findings of fraud, to the board or senior management. The OCC will expect the board and senior management to respond to any concerns raised in a timely and effective manner.
Auditors must also determine if there is a duty to report fraud, including suspected fraud to the OCC. As a general matter, the OCC expects banks to notify the agency of significant incidents that could affect the bank’s condition, operations or reputation as well as any incidents that could affect the financial system.
In addition to reviews and audits, the OCC expects that internal audit ensures that management (and the board as appropriate) conducts a “post mortem” and that remediation actions are identified and implemented. In certain situations, internal audit should conduct its own “lessons learned” analysis and determine what remediation measures are necessary to detect, correct or prevent future internal control breakdowns.
Key Takeaways
In sum, the OCC’s recent publications did not establish new requirements, but rather highlighted the agency’s increasing expectations about fraud risk management, i.e. governance, policies and procedures, internal controls, and the necessity of identifying, measuring, monitoring and reporting risks.
With this increased attention, it is imperative that boards and management remain proactive and ensure that fraud risk management is recognized as a holistic business issue and establish appropriate controls. Preventing, detecting and resolving fraud is the responsibility of all levels of a bank.
Accountability to implement these controls is integral to effective corporate governance. Failure to establish these controls expose a bank to reputation and strategic risk as well as financial losses. And it is clear that the OCC (and other regulators) will continue to monitor and evaluate banks’ fraud risk-management programs to ensure that they are appropriate for the size and complexity of the bank and that they are effective.
The original Law360 publication can be found here.