Deputy Comptroller Beth Dugan's purview expands with technology - both opportunities and risks
Friday, May 17, 2019
By Ted Knutson
From fintech to vendor risk, and from cloud computing to risk management talent, the issues on Beth Dugan's mind reflect a broad swath of emerging and evolving challenges for both regulators and the institutions they supervise.
That goes with the job description. Dugan has for four-and-a-half years been deputy comptroller for operational risk at the U.S. Office of the Comptroller of the Currency, the agency overseeing some 1,400 national banks, federal savings associations, and federal branches and agencies of foreign banks operating in the country. Information technology, cybersecurity, payments systems, and corporate and risk governance are prominent among the OCC's operational concerns.
Fintech - the innovation trend fueled in recent years by entrepreneurs and increasingly embraced by incumbent firms, often through partnership arrangements - has accordingly developed into a major OCC initiative. The agency is explicitly supportive of what it terms responsible innovation. It has established an Office of Innovation led by chief innovation officer and onetime bank chief risk officer Beth Knickerbocker.
“Companies that provide banking services in innovative ways deserve the opportunity to pursue that business on a national scale as a federally chartered, regulated bank,” Comptroller Joseph Otting said in May 15 testimony to the Senate Banking Committee. “We continue to have conversations with several such companies about the special‐purpose national bank charter.”
Dugan said that fintech firms that are new to the industry can benefit from relationships with established players that know how to navigate regulation and compliance and address consumer protection, data privacy and information security.
“Banks are finding ways to help fintech be a successful business model as part of the larger financial ecosystem,” the deputy comptroller said in a recent interview.
Flexible on Diligence
Amid the rapid proliferation and growing complexity of third-party risk exposure, Dugan advocated a proportional or risk‐based approach, saying that the degree of due diligence need not be the same for all service providers.
“More robust practices are [appropriate] for more critical third‐party relationships” she said. For example, a supplier of core back‐room services likely deserves stricter oversight than does a provider of a packaged data set.
One evolving set of third-party risks - relating to cloud computing services - are a learning challenge for the regulator and regulated alike, she added.
Cognizant of staff and talent shortages in risk management, Dugan mentioned some training strategies that can help to close the gap:
- Cross‐train workers in various bank departments with risk management skills.
- Re‐train workers whose positions have been eliminated or consolidated as a result of mergers.