Category: Hot Topics

01 Feb 2011

Top 5 Compliance Trends for 2011 – Part 4

According to the FFIEC IT Examination Management Handbook, many institutions choose to delegate responsibility for monitoring IT activities to an IT Steering Committee.  I also addressed this here.  One of the most important roles of the IT Steering Committee is to ensure that the IT strategy is aligned with the overall business strategy.  And the best way to do that brings me to my next trend:

The IT Strategic Plan

Although the FFIEC Management Handbook came out in June 2004, we first saw this appear in FDIC examinations in 2009.  Since then it sort of faded away, but now it’s back, and at least one other primary federal regulator is asking for it…the OTS.  (Whether or not this makes the transition to the OCC remains to be seen.)

According to the FFIEC:

Strategic IT planning focuses on a three to five year horizon and helps ensure the institution’s technology plans are consistent or aligned with its business plans. If effective, strategic IT planning can ensure delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace.

Since IT is often the largest single investment (not to mention the largest concentration of risks) a financial institution has, regulators recognize that managing this process is vitally important.  The IT Strategic Plan can demonstrate that you are managing effectively.

There is no one single template for this, but in general the plan should contain the following elements:

  • A mission statement.  This should establish the basis for the plan, and the broad goals and objectives.
  • Coordination with the overall Strategic Plan
  • Organizational structure
  • Agenda
  • A list of IT initiatives

Many institutions choose to manage the plan in their IT Steering Committee…it simply becomes another agenda item.  As the FFIEC states:

The information technology steering committee’s cross-functional membership makes it well suited for balancing or aligning the organization’s IT investment with its strategic and operational objectives.

However you choose to do it, since the IT Strategic Plan is so critical operationally, you may not want to wait until the examiners ask for it (and they will).  And if you need to get senior management buy-in, mention this:

Well implemented technology plans provide the capability to deliver business value in terms of market share, earnings, and capital growth to the organization.

25 Jan 2011

Top 5 Compliance Trends for 2011 – Part 3

What do Social Media, Cloud Computing, Virtualization, Data Vaulting, Mobile Banking, and Core Services have in common?  For most community financial institutions, all these products or technologies involve outsourcing, either wholly or in part.

When it comes to offering the latest products and services, outsourcing allows even the smallest institution to compete with the largest.  And outsourcing makes sense, because it means that you don’t have to build and maintain the infrastructure yourself.  As the FFIEC stated in their 2004 guidance “In many situations, outsourcing offers the institution a cost effective alternative to inhouse capabilities.”  But the FFIEC also makes it clear that you are still responsible for the security of the data wherever it may reside.  So given the increased reliance of financial institutions on outside vendors, and the regulators’ expectations, my third regulatory compliance trend for 2011 is:

Vendor Management

This is based on the following criteria:

  • A recent interview with the head of regulatory compliance with the FFIEC made it clear that new technologies like social media require overwhelming reliance on third parties.
  • The FDIC changed Part 5 of their IT Examiners Questionnaire from GLBA to Vendor Management.
  • The largest recent data breaches were with third-party vendors (e.g. Heartland), not the financial institution itself.
  • The Bank Service Company Act requires financial institutions to report all service provider relationships that directly support banking functions.  IT vendors are one of the dependency layers that support the business process, and as such MAY qualify as a direct support component.  I addressed this here.

I had this as a trend for 2010, and I’m carrying it over for 2011 as well.  I believe that there are some very compelling reasons why the regulators will (and should) increase scrutiny in this area as asset quality issues abate.  In the meantime, don’t wait.  Update your vendor management program now.  Include an analysis in your vendor risk assessment to determine if the vendor should be considered “reportable” under the Bank Service Company Act.

And as you request their third-party reviews, bear in mind that the vendor management process will be a bit more challenging this year with the phase-out of the SAS 70 report.  There is some speculation that the new SSAE 16 will become the functional replacement, but be prepared to review and interpret whatever report the vendor provides you.

UPDATE:  For further guidance, refer to the Outsourcing and Supervision FFIEC IT Handbooks.

17 Jan 2011

Top 5 Compliance Trends for 2011 – Part 2

A recent survey of auditors and examiners asked:

During the past year, in which category would you say MOST of your IT audit/exam findings occurred?

The choices were:

  • Lacking or Insufficient Policies
  • Inadequate Procedures, or
  • Insufficient documentation of actual practices

2/3 of the respondents said that insufficient documentation of practices was the most common finding.  In other words, policies and procedures were fine, but the institution could not adequately demonstrate that they were actually following them.  This brings me to the second compliance trend for 2011 (and a carry-over from last year):

Documentation

The regulatory compliance process involves the coordination of 3 intersecting spheres:

  • Policies
  • Procedures, and
  • Practices

All 3 must not only be in alignment with one another, but also in alignment with the current interpretation of regulatory guidance.  (Made especially challenging since the latter is a moving target.)  Policy defines what you will do to address regulatory mandates, procedures dictate how you’ll implement policy, but practices document what you actually do.  If policies are off target, but you can still demonstrate good practices, you’ll have a minor audit/exam finding.  But if you say you’re doing something and you either didn’t, or can’t prove you did, that is generally a more severe finding.

So what recent audit and examination experience last year has demonstrated, and what I believe we’ll continue to see in 2011, is increased scrutiny in the sphere of documented practices.  Simply put…if you didn’t document it, you didn’t do it.

There are many ways to document your actual practices, but perhaps the best way is to take your procedures and convert them into a checklist.  The checklist is then discussed in committee (Tech or IT) as a regular agenda item.  For example, if your written procedures state that you will implement a patch management process to keep all devices fully patched, be able to produce a report showing device patch status, and present it to a committee assigned responsibility for validating the effectiveness of your procedures.
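One way to turn that patch management procedure into a checklist with evidence attached, as an added example that is not from the original post: the device inventory is constructed sample data, and the field names, the 14-day scan window and the pass/fail criteria are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (not real hosts); each row is what a patch
# scanner might export: hostname, counts of missing patches, last scan date.
DEVICES = [
    {"host": "core-app-01", "missing_critical": 0, "missing_other": 0, "last_scan": "2011-01-10"},
    {"host": "teller-ws-07", "missing_critical": 2, "missing_other": 5, "last_scan": "2011-01-10"},
    {"host": "branch-fw-02", "missing_critical": 0, "missing_other": 1, "last_scan": "2010-12-01"},
]


@dataclass
class CheckResult:
    item: str       # checklist line derived from the written procedure
    passed: bool
    evidence: str   # the hosts behind the result, so the finding is reproducible


def check_patch_status(devices, as_of, max_scan_age_days=14):
    """Evaluate the procedure 'keep all devices fully patched' as three
    checklist items, each backed by the hosts that caused a failure.
    The 14-day scan window is an assumed policy value."""
    stale = [d["host"] for d in devices
             if (as_of - date.fromisoformat(d["last_scan"])).days > max_scan_age_days]
    crit = [d["host"] for d in devices if d["missing_critical"] > 0]
    other = [d["host"] for d in devices if d["missing_other"] > 0]

    def names(hosts):
        return ", ".join(hosts) if hosts else "none"

    return [
        CheckResult("All devices scanned within %d days" % max_scan_age_days, not stale, "stale: " + names(stale)),
        CheckResult("No device missing critical patches", not crit, "missing critical: " + names(crit)),
        CheckResult("No device missing non-critical patches", not other, "missing other: " + names(other)),
    ]


def render_report(results, as_of):
    """Produce the dated text that goes into the committee packet and minutes."""
    lines = ["Patch management checklist as of %s" % as_of.isoformat()]
    for r in results:
        lines.append("[%s] %s (%s)" % ("PASS" if r.passed else "FAIL", r.item, r.evidence))
    overall = all(r.passed for r in results)
    lines.append("Overall: %s" % ("PASS" if overall else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(check_patch_status(DEVICES, date(2011, 1, 17)), date(2011, 1, 17)))
```

Keeping the dated report alongside the minutes is what lets you show an examiner that the procedure was actually followed, not just written.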

Remember, if you can’t document it, then for regulatory purposes, you aren’t doing it.

14 Jan 2011

FFIEC to issue updated authentication guidance?

I’ve been hearing this rumor for a while now, but we may actually be seeing something new from the FFIEC soon.  Gartner is the latest to suggest that an update to the 2005 guidance on authentication is imminent.

In addition to updating it for technological advances since 2005 (Facebook and LinkedIn were in their infancy, and Twitter hadn’t even been launched), I hope it also addresses the increasing responsibility held by the customer (both commercial and consumer) for data security.  I continue to believe that there should be shared responsibility, and liability, for establishing and maintaining a secure electronic banking environment.

Reg. E protects the consumer, and so far the courts have held overwhelmingly in favor of the commercial customer as well.  Will regulators extend Reg. E to commercial accounts, or place more responsibility on the customer?  Could the new guidance further define “commercially reasonable”?

My guess is that we may not see much clarification on these issues, but we are likely to see additional burdens placed on the financial institution.  For example, don’t be surprised to see customer education become more prescriptive, with the financial institution being responsible for it.

Stay tuned!

12 Jan 2011

Trust and Risk Online

In a recently released paper by the Brookings Institution, they address the issue of trust in an increasingly on-line business environment.  They focus on the difficulty of establishing, maintaining and verifying identity on-line, and how the trust relationship between on-line services and consumers is being threatened by weaknesses in this identity layer component.

Although the paper is not specifically geared for the banking industry, it does contain several items of interest to bankers.  Discussion of on-line identity attacks is relevant to the emerging interest in social media.  Social engineering is also a topic of interest to banks, and has been for some time.  There is also a mention of the Red Flags model, and how compliance with the regulation (which started 12/31/2010) requires a strong identity authentication component.  They do note that the existing FFIEC authentication guidance is a good model, but they recognize that the Red Flags, and other financial institution guidance, falls short because:

“…three of the top five targets for phishing attacks in 2010 (eBay, Facebook, and Google) are not financial services web sites (Gudkova, 2010), and thus are not necessarily covered by extant rules. Many other online services, including webmail sites, web hosting sites and social network sites are frequent targets. Clearly they are attractive targets for malicious actors seeking identity information, even if those identities are not actually the paying customers of those firms. Access to credentials of these sites can expose highly sensitive information and serve as the jumping off point to serious and highly customized fraud attempts.”

In the end, financial institution risk managers must carefully consider the risks of this “identity layer” in the current environment, and weigh them against the potential benefits of social media.  The paper is definitely worth a read…highly recommended.

07 Jan 2011

Top 5 Compliance Trends for 2011 – Part 1

I recently looked back at 2010, and the predictions I made a year ago.  This post begins a series of the top regulatory compliance trends for the current year.  I’m going to focus on the top 5, and my sources for these are the following:

  • Recent audit and examination experience from our customers
  • Recently released regulatory guidance
  • Discussions with my compliance advisory committee (consisting of a policy consultant, and 3 IT field auditors.)
  • A recent survey conducted among bank auditors and examiners.

For a topic to be included in this list, it had to have been validated in at least two of the four sources.  My first trend was validated in all four:

Enterprise-Wide Risk Assessments

If this one sounds familiar, it was on last year’s list as well.  And I would have left it out this year except for the fact that just last week an institution had a finding from a State examiner that moved it from off the list to the top of the list.

My original motivation for this was an article that appeared in the FDIC Supervisory Insights newsletter in November, 2009.  The article was titled:  From the Examiner’s Desk:  Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk. (The article is excerpted here.)  As you can tell from the title, it’s pretty clear that enterprise-wide risk assessments are the future.  The only question was how quickly the new standard would be adopted by the regulators.  I thought it would have been in 2010, and apparently it just made it.

According to the State examiner’s finding:

“…the bank’s internal auditor, in conjunction with department heads and the Board, should develop an enterprise-wide risk assessment that identifies and assigns a risk grade to every major function of bank operations.”

I’m not surprised that this new standard found its way into examinations, but I am a bit surprised that we first saw it in a State exam.  Nevertheless, the fact that the guidance is out there, and that we are now seeing it reflected in examiner expectations, means this is trend #1.

And just to underscore the point, the survey (more on that in a future post) had the following responses when asked:  What is the current regulatory expectation and standard for documenting the assessment of risk?

  • Customer Information Risk Assessment: 0.0%
  • Information Security Risk Assessment: 30.0%
  • Enterprise-wide Assessment of Risk: 70.0%

AND my advisory committee agrees, so a clean sweep of all sources.  So how do you document adherence to this enterprise-wide standard of risk assessment?  The full answer is too complicated to adequately address in this post (I promise to give it justice in a future post), but in short, make sure you include the following risk categories in your risk assessment:

  • Strategic Risk
  • Operational/Transactional Risk
  • Reputation Risk, and
  • Legal/Regulatory Risk

Also, make sure you document both the inherent risk (prior to the application of control measures), and the residual risk (after controls).