WASHINGTON — Acting Comptroller of the Currency Michael Hsu said Tuesday regulators are working on baseline operational risk standards for large banks’ “critical operations” and contingencies related to third-party service providers.
Hsu’s remarks — delivered to a crowd at the Institute of International Bankers’ Annual Conference in Washington, D.C. — shed light on the increasing complexity of banking today and the associated operational risks. Hsu noted such a rule would be issued with input from interested parties including the banking industry though a notice-and-comment process under the Administrative Procedure Act.
“Such baseline requirements could include establishing clear definitions for identifying critical activities and core business lines; defining tolerances for disruption; requiring testing and validation of resilience capabilities; incorporating third-party risk management expectations; stipulating clear communication expectations among stakeholders and counterparties; and addressing expectations for critical service providers, with emphasis on governance and risk management expectations,” Hsu said.
Operational resilience refers to the durability of a bank as it undergoes disruptions in the continuous functions of its business. Examples of operational disruptions vary from outside factors like extreme weather events to personnel errors like insufficient risk management or data breaches. Regulators — and the OCC in particular — have raised the issue as a priority over the last year, including
In October 2020, the banking agencies
While the agencies have provided guidance on operational risk, Hsu suggested enforceable regulations could more sufficiently account for risks in banks’ particularly “critical operations.” A major issue to tackle in any proposal, he says, will be defining which systems are considered critical as well as how regulatory expectations will scale according to the kind of operational incident involved.
“The provision of banking services increasingly resembles global manufacturing supply chains, with their efficiencies, complexities and vulnerabilities,” Hsu noted. “The threat surface for disruptions expands, and as authorities in other jurisdictions begin implementing their rules to ensure operational resilience, we are assessing and working with our interagency peers to develop the right approach here in the U.S.”