A key U.S. regulator has privately found that half of the major banks it oversees are inadequately managing a wide range of potential risks, ranging from cyber attacks to employee mistakes.
The Office of the Comptroller of the Currency (OCC) found that 11 of the 22 large banks under its supervision have “insufficient” or “weak” operational risk management, according to Bloomberg, which first reported it.
This has contributed to about one-third of these banks receiving a rating of three or worse on a five-point scale for overall management.
The report follows a major global computer systems outage impacting services from airlines to healthcare, shipping and finance.
The findings highlight growing concerns among U.S. regulators about the risk levels at the country’s largest banks, following a series of bank failures last year.
Operational risk, one of the categories used by regulators to assess banks, covers threats beyond bad loans or market losses, including employee errors, legal issues, natural disasters, and technological failures.
Each bank’s individual ratings are confidential, but the OCC uses aggregate data to address areas of concern with other agencies and the banking industry.
The operational-risk assessment contributes to a broader report card known as CAMELS ratings, which evaluates banks on capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk.
These ratings determine the level of regulatory scrutiny and the activities banks can undertake, as well as their capital requirements.
Acting Comptroller Michael Hsu has previously stressed the need for banks to avoid complacency and manage their risks effectively.
The harsh grades are part of an intensified regulatory focus following last year’s record-setting bank failures.
The OCC’s oversight covers a range of institutions, from regional banks with at least $50 billion in assets to mega-banks with trillions.
In May 2023, Hsu testified before Congress, saying that although the OCC did not oversee the recently failed banks, he reviewed the agency’s processes and stressed the necessity for “timely and forceful supervisory action.”
Last year, the OCC, along with the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC), released guidance on mitigating risks from third-party vendors, particularly those using new technologies.
The agencies highlighted that third-party usage could present elevated risks and provided instructions on monitoring such activities. This year, they issued further warnings regarding the use of external artificial intelligence tools.