News reports this week revealed that a confidential assessment by the Comptroller of the Currency—the OCC—a key U.S. bank regulator, found that 11 of the 22 biggest banks it oversees lack a full understanding of major risks they face.
These 22 banks are a “Who’s Who” of major financial institutions serving the U.S. market and include:
- Bank of America
- Capital One
- Citibank
- HSBC
- JPMorgan Chase
- Morgan Stanley
- PNC
- U.S. Bank
- Wells Fargo
The report determined that half of the large banks the OCC supervises have “insufficient” or “weak” management of operational risks, assessments that indicate the OCC has significant concerns about these banks’ risk management practices. These concerns come in the wake of bank failures in 2023 that have caused regulators to intensify their reviews of the nation’s banks.
The “operational risks” the OCC scrutinized go beyond loan defaults or market fluctuations.
They include technological vulnerabilities, legal issues, employee mistakes, and natural disasters. Banks must have comprehensive plans for managing these risks and have capital reserves to protect against them.
The OCC’s assessments are included in the ratings of a bank’s capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk—factors that are crucial to maintaining trust in the U.S. banking system.
Last year, the OCC, along with two other federal banking regulators—the Federal Reserve and Federal Deposit Insurance Corporation—issued guidance related to risks from third-party vendors, in particular vendors using new technologies.
Operational risks were recently emphasized by the CrowdStrike outage.
An error in a CrowdStrike software update crashed computers around the world, halting business operations at banks, airlines, healthcare providers, and 911 centers. Ironically, CrowdStrike is a cybersecurity firm.
The warning contained in the OCC’s report is especially timely in view of the CrowdStrike event. It is a wake-up call about how vulnerable we are to failures in the complex web of vital technology that underpins our lives these days.
The CrowdStrike debacle was just a preview, maybe only a small dose, of what could happen.
Cyberattacks coming from Russia, China, or North Korea receive the most attention. But Mother Nature might have worse in store. In one particularly nasty scenario raised in the wake of the CrowdStrike outage, a solar storm could wipe out telecommunications, navigation systems, and internet access for weeks.
Some scientists say this scenario is, eventually, a virtual certainty. For now, it’s a low-likelihood, high-cost prospect. One day, the sun will send a massive magnetic field toward Earth that could take down global communication systems. If—or when—that day comes, I will own physical gold to ensure I have the means to wait out the mess that follows. You might think about doing the same.