(NOTE: Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.) In this edition: The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC […]
Say What You Do…But Do What You Say
Feedback from recent regulatory examinations indicates a potentially troublesome trend; regulators are actually reading your policies. Traditionally, regulatory findings are concentrated in policy weaknesses. Either polices don’t exist (social media and mobile banking for example), or they do exist but need “expansion”. (“Expansion” is a vague and often used-term in examination findings to indicate a […]
Windows XP and Electronic Banking
The FFIEC has previously issued a statement on Windows XP and the regulatory expectations for both financial institutions and TSP’s beyond April 8th, but so far the regulators have not weighed in on the implications to e-banking and RDC customers. According to some estimates, as many as 30-40% of your business customers may still be […]
A Look Back at 2013…and a Look Ahead – Part 1 (charts edition)
One thing that’s clear from the examination feedback I’ve received from financial institutions in 2013 is that examiners are spending less time in their safety & soundness examinations on the CAMELS “C”, “A”, & “L” (capital, asset quality and liquidity) issues, and more time on the “M” & “E” (management and earnings) issues. (There was […]
Ask the Guru: The IT Audit “Scope”
Hey Guru Our examiner is asking about the “scope” of our IT audits. What is she referring to, and how do we define a reasonable scope? Audit results are one of the first things examiners want to see, and the “scope” of the audit is very important to examiners. In fact, the term is used […]
Ask the Guru: Vendor vs. Service Provider
Hey GuruI recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider. His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them. He suggested that we should be focused instead only on those few […]
Ask the Guru: Fedline in the lobby
Hey Guru, I have a question about Fedline. Will regulators write us up for having Fedline on a PC in the lobby of the bank? Possibly, I have seen that. The issue is with the extreme sensitivity of data processed on that device, so if you want to leave it where it is, your response […]
The Problem with PEN Tests
This is a true story, the names have been changed to protect the guilty. Al Akazam (not his real name) is an IT consultant with a solid background in
Read the rest of the article
Examination Downgrades Correlated with Poor Vendor Management
According to Donald Saxinger (senior examination specialist in FDIC’s Technology Supervision Branch) in a telephone briefing given to the ABA in
Read the rest of the article
Implementing the CFPB-required Compliance Management System (Part 2)
CFPB compliance examinations have only just started and the agency has already identified deficiencies in some institutions: “The CFPB has found one or more situations in which an effective CMS was lacking across the financial institution’s entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and […]