The International Organization of Securities Commissions (IOSCO) and the U.S. Office of the Comptroller of the Currency (OCC) represent different sectors of financial industry oversight — securities and banking, respectively. But recent pronouncements by both indicate that current risk concerns are anything but compartmentalized.

As noted in the IOSCO Research Department’s staff working paper on securities market trends, published in December, “Banking vulnerabilities, exit strategies, housing markets and capital inflow still rate as major sources of risk,” according to the researchers’ annual survey of regulators and market experts. “While these risk areas are not generally within the remit of securities regulators, there are spillover impacts on securities markets.”

“Search for yield” and “corporate governance” ranked third and fourth, behind only regulation and cybersecurity, as most-cited areas of risk and concern for financial stability.

Frequency of responses to areas of risk/concern to financial stability

Source: IOSCO Research

The IOSCO trend paper and the OCC’s semi-annual risk perspective for fall 2015,which made prominent mention of banks’ “reach for yield” and was released on December 16, were among a flurry of year-end and early 2016 regulatory outlooks.

The Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA), the brokerage self-regulator, covered cybersecurity, liquidity and various compliance issues in their respective supervisory priority lists for the year.

In a cover letter with the FINRA examination priority document, chairman and CEO Richard Ketchum reiterated a 2015 concern about interest-rate-sensitive products and went on to underscore “culture, ethics and conflicts of interest.”

Growing Credit Risk

Bank risk-taking in pursuit of higher yields after a long period of low interest rates was flagged in the OCC report. The U.S. national bank and federal savings association regulator said credit underwriting standards and practices were being eased particularly in such high-growth loan segments as indirect auto, C&I (commercial and industrial) and multi-family commercial real estate.

“The ongoing low interest rate environment poses additional concerns as banks reach for yield by extending asset duration trend,” the OCC noted in its executive summary. “Deposit stability, a significant component of IRR [interest rate risk] modeling, is difficult to assess because of recent deposit inflows and the potential for increased competition for retail deposits. The low interest rate environment continues to pressure net interest margins as asset yields decline and the cost of funds has stabilized at historic lows. “

Comptroller Thomas Curry said in a statement, “This is the third consecutive year in which we’ve seen underwriting standards slip. Generally, we are seeing banks continue to make concessions on pricing, weaker or non-existent loan covenants, and maturities lengthening. We have also seen increases in underwriting exceptions and risk layering.

“All of which combine to introduce risk at origination. Bankers with long memories will remember the worst loans are made in the best of times, and the growing credit risk in their banks should be managed very closely.”

Also highlighted by the OCC: “Cyber threats, reliance on service providers, and resiliency planning remain concerns particularly in light of heightened global threats”; and “regulatory amendments and reliance on third parties continue to create challenges for bank consumer compliance functions.“

“Bank Secrecy Act risk also continues to increase as criminal behaviors evolve and criminals leverage technology innovations.”

The report noted apartment vacancy rates are expected to increase following a boom in construction of new units.

“Some banks are building concentrations in areas that were excessive and detrimental in the past cycle,” the agency warned.

The regulator said banks may not understand all the risks in new financial products they’re marketing and the risks that can accompany cutting back staff and in outsourcing to entities unfamiliar with the bank regulatory environment.

Potentially Systemic

“Strategic, underwriting, cybersecurity, compliance and interest rate risks remain the OCC’s top supervisory concerns,” the agency concluded. “Risks associated with underwriting and cybersecurity are increasing, while strategic, compliance, and IRR remain stable.”

It added, “Banks and their employees, customers, and third-party relationships remain vulnerable to cyber attacks, including attacks that involve extortion and those that can compromise, disrupt or destroy data and systems.”

The OCC delineated these areas of concern for its National Risk Committee, with potential systemic consequences:

• Exposure to oil- and gas-related sectors (e.g., service, office, and hotel sectors) as well as direct exposure to exploration and production firms.
• Loan concentrations in multifamily CRE and nondepository financial institution sectors.
• The appropriateness of allowance for loan and lease loss (ALLL) levels and methods given loan growth, easing in underwriting, and layering of credit risk.
• Banks’ ability to exit balance-sheet positions as liquidity becomes imperiled.
• Implementation of new mortgage disclosure requirements.

Ramifications in Securities Markets

According to the IOSCO paper, “Most respondents see financial stability risks to the system either being transmitted or amplified by securities markets. In other words, very few ‘risks’ are reported as originating or being sourced from securities markets themselves.

“When asked about the impact on the economy of these risks,” the summary continued, “respondents note that banking vulnerabilities and capital flow volatility would have considerable impact. Concerns around risks emanating from the housing market also continue to increase.”

The IOSCO report noted that increased flows of funds from advanced nations seeking greater returns can cause volatility spikes in the securities markets of small emerging countries.

The report, authored by senior economist Shane Worner, called for coordination among securities regulators worldwide to identify, manage and react to cyber threats.

“The ever increasing reliance of the securities markets, in particular, and the broader financial system, in general, on computerized systems and interconnections with the Internet gives rise to increased concerns that a cybersecurity event could have systemic repercussions,” the report said. Regulators have to be “more technologically savvy in order to effectively and efficiently monitor these areas. Consequently, there is a need for better cross-border coordinated strategies to identify, manage and react to potential cybersecurity issues.”

FINRA

“A firm’s culture contributes to, and is also a product of, a firm’s supervision and its approaches to identifying and managing conflicts of interest and the ethical treatment of customers,” FINRA chief executive Ketchum wrote. He said the agency “will formalize our assessment of firm culture to better understand how culture affects a firm’s compliance and risk management practices.

“Our emphasis on culture is also closely aligned with supervision, another area of focus for 2016. We plan to consider supervision generally and supervision specifically related to conflicts of interest. We urge you to review your supervisory, risk management and control systems — as well as the other issues we raise in the letter — as part of your overall programs.”

Among those other issues was technology, both the management and security thereof, extending to platforms and algorithms.

“FINRA has observed shortcomings in firms' management of their technology systems,” the examination priority letter asserted. “The implications of these shortcomings can be significant, as erroneous system and application changes to a firm's production environment may have widespread impacts, including causing market disrupting orders, system outages and adverse customer effects. Recent technology governance reviews have focused on firms' change management practices for algorithms, including both proprietary and customer order-routing algorithms.”

In the cybersecurity context, “Firms face risks from unauthorized internal and external access to customer accounts, online trading systems and asset transfer systems, as well as in the management of their vendor relationships. FINRA will review firms' approaches to cybersecurity risk management, and depending on a firm's business and risk profile, we will examine one or more of the following topics: governance, risk assessment, technical controls, incident response, vendor management, data-loss prevention and staff training.”

Looking over past exams, FINRA said it found deficient supervision of back-office and vendor changes through a lack of written procedures and evidence of supervision, and insufficient segregation of duties for personnel involved in the development and deployment of technology changes.

SEC

In its 2016 examination priorities, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) included cybersecurity and microcap fraud among “ongoing risk areas.” Liquidity controls, public pension advisers, product promotion, exchange-traded funds and variable annuities were characterized as “new areas of focus.”

OCIE pointed out that its second cybersecurity compliance and controls initiative for broker-dealers and investment advisers was launched in September 2015, and “in 2016, we will advance these efforts, which include testing and assessments of firms’ implementation of procedures and controls.”

Regulation SCI (Systems Compliance and Integrity) oversight “will include, among other things, assessing the resiliency of their primary and back-up data centers, evaluating whether computing infrastructure components are geographically diverse, and assessing whether security operations are tailored to the risks each entity faces.”

OCIE emphasized its reliance on data and analytics across a wide range of oversight activities, such as anti-money-laundering, excessive trading and promotion of complex and high-risk products. It said that through collaboration with the SEC’s Division of Economic and Risk Analysis, “we will continuously enhance our analytic approach and capabilities in these areas through the use of new technologies and risk-based initiatives.”

GARP editor-in-chief Jeffrey Kutler contributed to this article.