
Severity of cyber threat is increasing, says OCC

Chris Hamblin, Editor, London, 10 July 2017


In its semi-annual risk report, issued on Friday, the US Office of the Comptroller of the Currency has warned banks that cyber threats are increasing in speed and sophistication. It is also worried about emerging technology making it harder for firms to obey the Bank Secrecy Act.

The regulator warns that cybercriminals have become increasingly willing to expose people’s personal information or to deny them access to it. It exhorts bank boards and senior managers to understand the risks facing their banks and evolve strong cybersecurity risk cultures and risk management programmes to withstand and recover from cyber incidents.

Phishing (by which fraudsters deceive people into opening files or clicking links in messages such as e-mails, instant messages or social media posts) continues to be a massive threat to data systems. A related form of social engineering, known as “watering holes,” involves infecting websites frequently visited by targeted people. The malicious code on watering-hole sites passes malware to those visitors and helps the cybercriminals gather information or gain access to corporate networks. These methods are frequently the main entry mechanism that allows the criminals to go on to the next step: loading ransomware onto bank computers, accessing confidential information, or compromising internal systems to effect payments.

Cybercriminals’ tactics are evolving all the time. Ransomware variants are becoming ever-more sophisticated, as are denial-of-service techniques, intrusions into business e-mails and thefts of sensitive business and customer-related information in extortion schemes. The success of extortion campaigns has stepped up the (already impressive) increase in the quantity and sophistication of methods. This lucrative business model has even spawned ransomware as a service for cybercriminals with limited technical ability. Successful attacks disrupt banks’ operations and stop them from performing the services on which they rely for their income.

Criminals are spying on (and offending against) more and more companies that provide IT products and services or are otherwise part of the supply chain, including those that allow remote access and management. When exploited, these third parties provide back doors into banks’ operations. Millions of compromised credentials have been sold online to cyber-criminals who then use them to gain access to accounts.

The OCC’s report criticises banks that use unpatched or unsupported software and hardware. Out-of-date or unsupported software often makes them weak in the face of attacks. The regulator concludes: “A sound systems development life cycle including regular maintenance is essential to protecting against these weaknesses. Strong authentication and management of privileged and high value user access (e.g., system administrators, staff capable of moving funds, or board members and executives with access to sensitive corporate information) should be implemented as part of a layered security approach. Recent successful breaches were the result of poor authentication schemes that allowed for stolen customer data, large movements of funds, and increased reputation risk from exposing sensitive information.”

Consolidation in the service provider market

The OCC has some interesting things to say about “third-party service providers,” a phrase that suggests that the customers are the parties of the first part and the banks the parties of the second. The regulatory report says that banks’ reliance on such service providers is increasing and crucial operations are concentrated in the hands of fewer and fewer large service providers. Many banks have become dependent on them for crucial internal operations and large numbers of banks now rely on a small number of them. The report names no names, however.

OCC examiners (inspectors) have seen instances of concentration of third-party service providers in specialised services, such as merchant card processing, denial-of-service software and trust accounting systems. The regulator is worried that these service providers might be creating “concentrated points of failure” for certain lines of business or operational functions across large segments of the banking sector. Its cure for this is more stringent management scrutiny.

Technological advances and high BSA/AML compliance risk

The OCC thinks that Bank Secrecy Act/anti-money-laundering compliance risk remains high – a phenomenon that it attributes to a mixture of new and existing IT. It is worried about “enhanced delivery platforms for bank products and access to financial services.” It believes that developments in electronic and alternative payment systems that result in less “transaction transparency” increase the risk of banks unwittingly being used to facilitate money laundering and terrorist financing.

Having said that, the OCC admits that traditional criminal methods such as trade-based money laundering, bulk cash smuggling using armoured cars and the use of funnel accounts (a way of facilitating trade-based money laundering) are still the US money launderer’s main techniques. Existing and emerging technologies that make it harder for banks to spot such activity are making the risks that banks run more sophisticated. The regulator warns of enforcement actions (EAs) against banks that fail to do something about it.

The OCC, along with all its brethren in the Western regulatory community, has been harrying banks that conduct correspondent relationships with other banks outside the Western/First World. In this report it takes aim at these relationships once more, reiterating the need for banks to re-evaluate AML risks periodically for portfolios that contain foreign correspondent accounts. Those banks, it believes, ought to base decisions to end foreign correspondent account relationships on their analysis of the risks presented by individual foreign correspondent account relationships and whether they can manage those risks.

The latest guidance on the subject, which encapsulates much of what came before, is to be found in OCC Bulletin 2016-32, dated 5th October last year and entitled “Risk Management Guidance on Periodic Risk Re-evaluation of Foreign Correspondent Banking.”

Other observations

The regulator is aware that banks face competition from “non-financial firms” (a US term for firms that offer no financial products), including financial technology (fintech) companies entering the traditional banking industry and that such competition is changing the way in which customers and financial institutions approach banking. It offers no remedy except to say that banks ought to plan strategically as they take on innovative products, services, and processes in response to new competitors, such as out-of-market banks and something it calls “nonbanks.”

More generally, the regulator observes that compliance costs in the US are mounting and the resultant pressures on earnings, mergers, acquisitions, the provision of new products and services, and an increasing reliance on third-party relationships are placing more and more demands on already strained compliance risk management systems. It has no remedy for this either, saying merely that it is worried about banks “maintaining sufficient compliance expertise to manage the additional risks and complexities.”
