Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
07 Jan 2011
Hot Topics Tom Hinkel 1 Comment

Top 5 Compliance Trends for 2011 – Part 1

I recently looked back at 2010, and the predictions I made a year ago.  This post begins a series of the top regulatory compliance trends for the current year.  I’m going to focus on the top 5, and my sources for these are the following:

  • Recent audit and examination experience from our customers
  • Recently released regulatory guidance
  • Discussions with my compliance advisory committee (consisting of a policy consultant, and 3 IT field auditors.)
  • A recent survey conducted  among  bank auditors and examiners.

For a topic to be included in this list, it had to have been validated in at least two of the four sources.  My first trend was validated in all four:

Enterprise-Wide Risk Assessments

If this one sounds familiar, it was on last years list as well.  And I would have left it out this year except for the fact that just last week an institution had a finding from a State examiner that moved it from off the list, to the top of the list.

My original motivation for this was an article that appeared in the FDIC Supervisory Insights newsletter in November, 2009.  The article was titled:  From the Examiner’s Desk:  Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk. (The article is excerpted here.)  As you can tell from the title, it’s pretty clear that enterprise-wide risk assessments are the future.  The only question was how quickly the new standard would be adopted by the regulators.  I thought it would have been in 2010, and apparently it just made it.

According to the State examiners finding:

“…the bank’s internal auditor, in conjunction with department heads and the Board, should develop an enterprise-wide risk assessment that identifies and assigns a risk grade to every major function of bank operations.”

I’m not surprised that this new standard found it’s way into examinations, but I am a bit surprised that we first saw it in a State exam.  Nevertheless, the fact that the guidance is out there, and that we are now seeing it reflected in examiner expectations, means this is trend #1.

And just to underscore the point, the survey (more on that in a future post) had the following responses when asked:  What is the current regulatory expectation and standard for documenting the assessment of risk?

Customer Information Risk Assessment     0.0%

Information Security Risk Assessment        30.0%

Enterprise-wide Assessment of Risk           70.0%

AND my advisory committee agrees, so a clean sweep of all sources.  So how do you document adherence to this enterprise-wide standard of risk assessment?  The full answer is too complicated to adequately address in this post (I promise to give it justice in a future post), but in short, make sure you include the following risk categories in your risk assessment:

  • Strategic Risk
  • Operational/Transactional Risk
  • Reputation Risk, and
  • Legal/Regulatory Risk

Also, make sure you document both the inherent risk (prior to the application of control measures), and the residual risk (after controls).

28 Dec 2010
From the Field Tom Hinkel 3 Comments

Looking back – 2010 compliance hits & misses

Every year about this time, I’m asked to look ahead to the upcoming year and prognosticate on regulatory compliance trends.  I  intend to do just that in a future post, but today I wanted to do something very few other prognosticators do…look back at last years’ predictions and see which ones hit and which missed (and why).

Here was the list of 2010 trends as I saw them early last year:

  • Risk Assessments –New standards and expectations
  • Documentation–Who, What, How and Why
  • Disaster Recovery –Compliant and Recoverable
  • Vendor Management –Trust but Verify

Overall I scored 2 hits and 2 misses, although to be fair the misses are more along the line of “not yet hits”.  Here is how 2010 actually shaped up:

  • Risk Assessments – miss.  This prediction was taken from the Winter 2009 FDIC Supervisory Insights Newsletter article entitled “Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk”.  It described how examiners should start to evaluate risk on an enterprise-wide basis instead of simply focusing on information security risks.  I predicted that examiners would start to adjust their examination procedures for the new criteria in 2010, but it hasn’t manifested itself in examination work papers yet.  However, some of the enterprise-wide risk criteria has made its way into various risk assessment best practices.  Criteria such as strategic risk, operational/transactional risk, reputation risk and legal/regulatory risk are now part of the vernacular for disaster recovery, retail payment systems and new technology risk assessments.  We’ll call this a miss…for now.
  • Documentation – hit.  The vast majority of audit and examination findings I’ve seen this year we’re not related to missing or insufficient policies or procedures, they were due to the institutions inability to document (prove) that they were following their own procedures.  Expect this trend to continue in 2011.
  • Disaster Recovery – hit.  Both auditors and examiners are finding fault with DR plans that do not strictly conform to the FFIEC guidance.  Specifically, they must contain a business impact analysis, risk assessment, risk management and testing sections, and in that order.  A non-compliant plan that may even be able to demonstrate (through testing) recoverability will still be written up.  (More here.)
  • Vendor Management – miss.  With the increasing reliance of financial institutions on third-party vendors, I predicted that 2010 would be the year that the examiners started scrutinizing vendor management programs more closely.  It hasn’t happened…yet.  It may be because of the continued overwhelming emphasis on asset quality during the safety and soundness examination, but I’m leaving this on the list for 2011.  Asset quality will undoubtedly still dominate in 2011, but there are indications that the pendulum is starting to swing back around.  (More on that later.)

My next post will be my predictions for 2011.  I’m also collecting survey responses from auditors and examiners on where they think the areas of focus will be, and I’ll report that in early 2011 as well.

All the best for a Happy and Compliant New Year!!

23 Dec 2010
Hot Topics Tom Hinkel 0 comment

New FDIC Survey Results and Third-Party Providers

The new FDIC Supervisory Insights Winter 2010 newsletter addresses several issues of interest to bankers, including Trust Preferred Securities, Managing Agricultural Credit, and Senior Life Settlements.  But there was also a section that analyzed the results of a survey that was conducted by FDIC examiners over the past year.   The more than 2,100 responses are producing some interesting results, especially when correlated with other financial reports like call reports, but of particular interest to me were the findings examining how financial institutions are “responding to the recent period of economic and competitive challenges”. One of the trends identified in the survey results was how financial institutions are increasingly “…making use of third-party providers to offer new and innovative products”, and particularly, “how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.”

Community financial institutions are no strangers to vendor management, particularly the importance of addressing privacy and security issues, but the article makes reference to the risk of Unfair or Deceptive Acts and Practices (UDAP).  This is not a traditional risk category in and of itself, and may not be a consideration in your current vendor management program, but based on recent enforcement cases, maybe it should be.  The article makes reference to FDIC guidance here, and the FFIEC provides additional guidance here and here, but none of the existing guidance specifically mentions the significant financial liabilities and increased reputation risk that can result from a lawsuit based on UDAP.

The conclusion states:

Overall, Survey results show that banks are responding to ongoing economic and competitive challenges in a variety of ways, for example, by tightening underwriting standards and making use of third-party service providers to offer new and innovative products. These operational changes can affect an individual institution’s risk profile and its ability to effectively manage the resulting consumer compliance risks. The analysis of data gathered through this Survey will continue to help the FDIC understand how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.

I suggest you incorporate UDAP risk into your existing vendor management risk assessment by assuring that it is identified as one of the potential contributors to reputation risk (along with privacy and security breaches), and that the  legal risks are assessed along with standard regulatory/compliance risks.

21 Dec 2010
Hot Topics Tom Hinkel 0 comment

Red Flag enforcement to start 12/31

With the signing of legislation on 12/18 exempting certain health care  practitioners and other businesses from complying with the Red Flags Rules, it would seem to clear the way for enforcement to begin at the end of this month.  Financial institutions have had to comply with the guidelines since 1/1/2008, but regulatory enforcement has been delayed several times as organizations representing attorneys and physicians lobbied to exempt these professionals from complying.

A Red Flag is defined by the FTC as “…a pattern, practice, or specific activity that indicates the possible existence of identity theft.”  Financial institutions are expected to already have established a formal Identity Theft Prevention Program that contains reasonable policies and procedures to:

  • Identify
  • Detect, and
  • Respond…

…to any Red Flags that might indicate the presence of ID theft.  You must also have a process in place for administering the program, which includes involving the Board and senior management, training your staff, and the appropriate oversight of service providers.

Expect examiners to ask to review your ID Theft Program in your next examination, and request that your next audit include a review as well.

16 Dec 2010
From the Field Tom Hinkel 4 Comments

The IT Steering Committee – Should or Must?

At a recent user group meeting of one of the major core vendors for community banks, I asked the question ‘how many of you use an IT or Tech Steering Committee?’.  I was expecting a vast majority of hands to go up, but only about half did.  This was surprising to me, given that:

  • The FFIEC all but mandates this committee,
  • The FDIC strongly encourages it,
  • Auditors recommend it, and
  • It provides a mechanism to address many of the most difficult examination questions

First, the FFIEC mandate.  On page 5 of the Management Handbook, it states:

Many boards of directors choose to delegate the responsibility for monitoring IT activities to a senior management committee or IT steering committee…The committee should consist of representatives from senior management, the IT department, and major end-user departments.

Some institutions may call it a Tech Steering Committee, or have another name for it, but in “FFIEC-speak”, if “many” choose to do this, you better have a pretty good reason if you decide not to do it.  In fact in Objectives 3, 4 and 5 of the Examination Procedures, the examiner is instructed to review;

  • …the membership list of board, IT steering, or relevant management
    committees established to review IT related matters.
  • …the minutes of the board of directors and relevant committee meetings
  • …IT oversight program, to determine if the Board…established a steering committee, and
  • …the effectiveness of the reports used by senior management or
    relevant management committees.

The FDIC strongly encourages the use of an IT management committee in their IT Officers Questionnaire.  Part 1 (b) asks for “the names and titles of individuals, committees, departments or others participating in the risk assessment process”. And as I addressed in my series of the trickiest questions on the questionnaire, this committee, and the documentation it produces, can help you document adherence with many aspects of your IT risk management process.

Finally, most of the recent findings in IT audits are due to institutions’ inability to document that they are following their own policies.  The policies themselves are sufficient, and the institution may indeed be complying with them, but because of non-existent or inadequate documentation they can’t prove that they are.  And in today’s compliance environment, if you can’t prove you’re doing it, you aren’t doing it.

Given it’s overall importance, consider the IT Steering Committee a “must”.  If you don’t have one, make a New Years resolution to establish one.  Give it a mission to assist the board in overseeing IT-related activities.  Make sure it consists of members from all departments, and work from a standardized meeting agenda.  Lastly, document each and every meeting, and periodically report to the Board.  Better audits and examinations in 2011 will be the fruits of your labor.

© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy