A key U.S. regulator has privately found that half of the major banks it oversees have an inadequate grasp of a broad swath of potential risks, from cyber attacks to employee blunders, according to people familiar with the matter.
In the confidential assessments, the Office of the Comptroller of the Currency said 11 of the 22 large banks it supervises have “insufficient” or “weak” management of so-called operational risk, said the people, who asked not to be identified because the information isn’t public.
That contributed to about one-third of the banks rating three or worse on a five-point scale for their overall management, the people said. The scores are the latest sign that U.S. regulators are concerned about the level of risk at the country’s largest banks in the wake of a series of failures last year.
Operational risk is one of the categories by which regulators evaluate overall risk at the banks they oversee. Each bank’s individual ratings are closely held, but regulators sometimes use aggregate data on banks’ grades to highlight areas of concern in discussions with other agencies and the industry.
At the OCC, the operational-risk assessment feeds into a report card known as CAMELS ratings, grading firms on a one-to-five scale for each component — capital adequacy, asset quality, management, earnings, liquidity and sensitivity to market risk. Those grades create an overall rating that determines the degree of scrutiny or leeway a firm faces, including the activities it can engage in and how much capital it has to hold.
The OCC didn’t comment specifically on the nonpublic findings. In a statement, the regulator said that Acting Comptroller Michael Hsu has “consistently discussed the need for banks to guard against complacency and actively manage their risks in order to build and maintain trust in the federal banking system.”
Operational risk is meant to cover a range of potential threats to banks beyond loans going bad or market swings causing losses. That can include anything from employee mistakes and legal troubles to natural disasters and technology snafus. Banks have to show regulators plans for managing such risks, and they have to hold capital against those threats, a requirement that’s long been debated because they’re harder to measure than credit or market risks.
The harsh grades are part of sweeping regulatory scrutiny in the wake of the record-setting bank failures last year, after which regulators vowed to do more to identify and act on problems. The OCC’s large bank portfolio ranges from regional lenders with at least $50 billion in assets to the megabanks with trillions.
Hsu said in congressional testimony in May 2023 that, while none of the banks that had just failed were overseen by the OCC, he had reviewed his agency’s processes and emphasized the need for “timely and forceful supervisory action.”
The agency calls operational risk the “broadest component” of its supervisory framework, and it functions as something of a catch-all as the technology banks rely on develops. In a report last month, the OCC said that aspect is “elevated” as the industry responds to “an evolving and increasingly complex operating environment.”
Last year, the OCC, Federal Reserve and Federal Deposit Insurance Corp. released guidance for banks on how to mitigate risks from third-party vendors. The agencies said that “the use of third parties, especially those using new technologies, may present elevated risks” and instructed firms on how to monitor such activities.
The agencies doubled down earlier this year, issuing a warning on the use of outside artificial intelligence tools.