The Office of the Comptroller of the Currency’s Committee on Bank Supervision sets the agency’s supervision objectives and priorities. On October 1, the Committee released the OCC’s Bank Supervision Operating Plan (the “Plan”) for fiscal year 2025 (October 1, 2024 – September 30, 2025).
The Plan’s priorities and objectives will be familiar to management of national banks, as it continues the themes of recent years. Change-management and third-party risk management continue as topics of focus in many, if not most, examination categories. As has been the case for several years, examiners will focus on risk governance and control functions and use the banks’ audit, credit risk review, and risk management processes, provided the OCC has validated their reliability, including scope, timeliness, and competence. A new topic for 2025 will be a focus on bank credit risk transfer (“CRT”) transactions. Examiners are also instructed to assess the banks’ readiness for “impacts of volatile economic conditions,” noting especially recession possibilities, the path of interest rates, and deposit stability. Another 2025 feature is the direction to examiners to “consider geopolitical events that may have adverse financial, operational, and compliance implications.”
The Plan groups discrete areas of focus within three fundamental categories: financial, operational, and compliance.
Within the financial category, examiners will focus on credit, allowance for credit losses, asset and liability management, capital, and climate-related financial risks. Some points of interest in these areas include:
Credit: The effectiveness of management’s actions to identify, measure, monitor, and control credit risk given “significant changes in market conditions, interest rates, and geopolitical events.”
Allowance for Credit Losses: Whether the allowance for credit losses balance is appropriate and considers both the current economic environment and reasonable, supportable forecasts for future economic changes.
Asset and Liability Management: Funding and deposit stability, especially with respect to interest rate levels and volatility, funding composition and concentrations (including uninsured and brokered deposits), deposit repricing assumptions, and the potential for rapid changes, and a focus on model back-testing practices to assess whether models performed accurately relative to previous large swings in interest rates.
Capital: Examiners will monitor “capital optimization activities, including any new plans by banks to engage in credit risk transfer transactions.” Examiners will review whether banks have effective governance and risk management systems to identify, measure, monitor, and control risks posed by CRTs.
Climate-Related Financial Risks: For depository institutions, including federal branches and agencies of foreign banks with over $100 billion in assets, there will be examinations to assess banks’ ability to identify, measure, monitor, and control climate-related financial risks.
Within the operational category, areas of focus will include cybersecurity, third-party risks, payments, change-management and operations. Some points of emphasis in these areas include:
Cybersecurity: Examinations will review the effectiveness of information technology asset life cycle management, including end-of-life, end-of-support, and patch management processes, and assess new or changed internal controls and operational processes, including those designed to comply with regulatory incident reporting requirements.
Third-Party Risks: Examiners will assess the effectiveness of risk management throughout all stages of the third-party risk management life cycle, particularly the rigor of risk management practices for third-party relationships that support a bank’s critical activities. Notably, examiners will likely structure examinations to develop a view of enterprise-wide third-party risk management
Payments: Examiners will consider how varieties of payment risks (e.g., operational, compliance, financial, strategic, and reputation) are incorporated into enterprise-wide risk assessments.
Change-Management: Examiners will assess the suitability of governance processes, internal control considerations, organizational structures, and staffing in relation to significant changes at a bank, including changes relating to M&A, system conversions, new regulatory requirements, cost control measures, new products and services, and significant changes in strategy.
Within the compliance category, examiners will concentrate on BSA/AML/CFT, consumer compliance, CRA, and fair lending. Focal points will include:
BSA/AML/CFT: Examiners will focus on the adequacy of change management processes for rulemakings implementing the AML Act of 2020, including the Corporate Transparency Act.
Consumer Compliance: Examiners will review whether relevant aspects of products or services, including those offered through third-party relationships, are disclosed in a clear, consistent manner with accurate, complete information, as well as third-party risk management and disclosures, and related change-management processes.
CRA: Examiners will review the bank’s implementation of examination guidance issued in FY 2022 to address challenges posed by successive rule changes in June 2020 and December 2021.
Fair Lending: Examiners will address the full life cycle of credit products, including the potential for mortgage lending discrimination resulting from appraisal bias or discriminatory property valuations.