At the OCC, Operational Risks Are Broadly Defined

From fintech to vendor risk, and from cloud computing to risk management talent, the issues on Beth Dugan's mind reflect a broad swath of emerging and evolving challenges for both regulators and the institutions they supervise.

That goes with the job description. Dugan has for four-and-a-half years been deputy comptroller for operational risk at the U.S. Office of the Comptroller of the Currency, the agency overseeing some 1,400 national banks, federal savings associations, and federal branches and agencies of foreign banks operating in the country. Information technology, cybersecurity, payments systems, and corporate and risk governance are prominent among the OCC's operational concerns.

Fintech - the innovation trend fueled in recent years by entrepreneurs and increasingly embraced by incumbent firms, often through partnership arrangements - has accordingly developed into a major OCC initiative. The agency is explicitly supportive of what it terms responsible innovation. It has established an Office of Innovation led by chief innovation officer and onetime bank chief risk officer Beth Knickerbocker.

Charter and Pilot

In July 2018, the OCC announced that it would accept applications for special‐purpose fintech national bank charters (which have been challenged in the courts by the New York Department of Financial Services and other state regulators). On April 30, the Comptroller's office opened a 45‐day public comment period on a proposed “proactive” innovation pilot program.

“Companies that provide banking services in innovative ways deserve the opportunity to pursue that business on a national scale as a federally chartered, regulated bank,” Comptroller Joseph Otting said in May 15 testimony to the Senate Banking Committee. “We continue to have conversations with several such companies about the special‐purpose national bank charter.”

Dugan said that fintech firms that are new to the industry can benefit from relationships with established players that know how to navigate regulation and compliance and address consumer protection, data privacy and information security.

“Banks are finding ways to help fintech be a successful business model as part of the larger financial ecosystem,” the deputy comptroller said in a recent interview.

Flexible on Diligence

Amid the rapid proliferation and growing complexity of third-party risk exposure, Dugan advocated a proportional or risk‐based approach, saying that the degree of due diligence need not be the same for all service providers.

“More robust practices are [appropriate] for more critical third‐party relationships” she said. For example, a supplier of core back‐room services likely deserves stricter oversight than does a provider of a packaged data set.

One evolving set of third-party risks - relating to cloud computing services - are a learning challenge for the regulator and regulated alike, she added.

Cognizant of staff and talent shortages in risk management, Dugan mentioned some training strategies that can help to close the gap:

- Cross‐train workers in various bank departments with risk management skills.

- Re‐train workers whose positions have been eliminated or consolidated as a result of mergers.

- Apprenticeships and internships.

- “Science camps.”