MVA White Collar Defense, Investigations, and Regulatory Advice Blog

By Kristina Whittaker and Neil Bloomfield. In the aftermath of sales practices, the Office of the Comptroller of the Currency (OCC) recently published a bulletin on fraud risk management principles that are applicable to all federally chartered financial institutions. The bulletin supplements existing OCC and interagency guidance and provides a roadmap of OCC expectations.  

The OCC highlights certain risk management principles:

• A bank should have sound corporate governance practices that instill a corporate culture of ethical standards and promote employee accountability.
• A bank’s risk management system should include policies, processes, personnel, and control systems to effectively identify, measure, monitor, and control fraud risk consistent with the bank’s size, complexity, and risk profile.
• A bank’s risk management system and system of internal controls should be designed to (i) prevent and detect fraud and (ii) appropriately respond to fraud, suspected fraud, or allegations of fraud.
• Bank management should assess the likelihood and impact of potential fraud schemes and use the results of this assessment to inform the design of the bank’s risk management system.
• Senior management and the board of directors should measure, monitor, and understand fraud losses across the enterprise and employ tools that appropriately quantify and assess loss experience and exposure.
• Control reviews and audits should include fraud risk as part of their assessments.

An effective fraud risk management approach is one that focuses on the above objectives. The OCC expects board and senior management level to set the tone at the top and actively engage in the governance of fraud risk. In a likely reference to recent sales practice scandals, the OCC noted “A sound corporate culture should discourage imprudent risk-taking. Incentives or requirements for employees to meet sales goals, financial performance goals, and other business goals, particularly if such goals are aggressive, can result in heighted fraud risk.”

Fraud risk management principles should correspond with the bank’s size, complexity, and risk profile. Senior management should also frequently review the potential impact of fraud and modify their system accordingly. The OCC expects firms to utilize software and other technological tools as part of an effective fraud risk management program that can predict fraud and implement preventive and detective controls. The OCC provides a list of examples of controls and metrics that can be used to monitor and deter fraud.

The OCC will expect institutions to assess how efficient its risk management strategy is working and how its strategy fits within its current business plan. While conducting reviews and audits, the auditor must report findings of fraud to the board or management and has the duty to determine if the OCC also needs to be made aware. It is then management’s obligation to respond to any concerns in a timely and effective manner.